The 2027 Martyn's Law Deadline: A roadmap to compliance

Martyn’s Law: From the 2017 Manchester Arena attack to the 2025 Act

The catastrophic events of May 22, 2017, remain a profound case study for the vulnerabilities this Act aims to solve. The 22:30 BST detonation at Manchester Arena exposed a decade-long gap in how the U.K. secured its gray and crowded public spaces. Vulnerable material assets, these soft targets are difficult to protect using conventional means without adversely affecting public access, mobility and civil and individual rights.

Confirmed as a terrorist attack and suicide bombing, the incident precipitated 240 emergency calls, with 60 ambulances and 400 police officers attending. All told, 22 victims lost their lives, and another 116 people were admitted to the hospital. Badly damaged by the blast, Manchester Victoria station was closed for eight days. Manchester Arena, however, was out of use for another four months.

By that time, the country had been rocked by another incident of terrorism. A month after the Manchester Arena bombing, a terrorist drove a van into a crowd of pedestrians near Finsbury Park Mosque in north London, killing one man. Then came the Parsons Green tube bombing on September 15, where a bomb partially exploded on a London Underground train, injuring 50 people. Together, these incidents highlighted a profound lack of preparedness in crowded public spaces, a void that Martyn’s Law was specifically drafted to fill.

The shift to shared responsibility: From state-led to mandatory venue security

Indeed, the 2017 attacks accelerated a necessary evolution in U.K. counterterrorism policy, which has seen it come in line with international best practices. For example, the United Arab Emirates (UAE) passed the Security of Sports Facilities and Events Resolution in 2015. This legislation holds event rights holders, host facilities or venues, event organizers, broadcasters, sponsors and third-party contractors legally responsible for ensuring event security, with the Ministry of Interior acting as the supervisory body.

The alignment of U.K. security policy with this international model represents a fundamental shift. Historically, the government’s counter-terrorism advice was only able to reach a tiny fraction of the U.K.'s 650,000 crowded locations nationwide. The Terrorism (Protection of Premises) Act 2025 officially codifies a shift from state-led protection to a shared responsibility model. The Act mandates that 99% of previously unsupported spaces meet a baseline of “reasonably practicable” security. This statutory standard becomes fully enforceable in May 2027.

The road to the 2025 Act: From advocacy to enforcement

While the U.K. historically lacked a central mandate for venue security, the legislative vacuum officially closed on April 3, 2025. This milestone was the result of years of tireless advocacy by Figen Murray, mother of Manchester Arena bombing victim Martyn Hett. After attending an event a year after the Manchester Arena bombing and noticing a continued lack of basic security, Murray began a crusade to establish the protect duty.

That journey culminated in a complex regulatory framework for anti-terrorism policy. No longer is preparedness a voluntary best practice. Instead, we are currently in the critical implementation window where compliance is the only legal option for venues in scope.

The Act officially deputizes the Security Industry Authority (SIA) as the regulator, granting the agency significant enforcement powers. Beyond standard inspections, the SIA can issue civil sanction notices and fixed penalty notices. For the most severe or persistent breaches, the Act even allows for criminal prosecution and the permanent closure of premises.

Martyn’s Law statutory scope: Who is covered?

With the 2025 Act, the protect duty becomes an operational requirement. The law now dictates that responsibility for public safety is shared by those who profit from or manage high-occupancy spaces. As a result, owners and operators must address the risk of terrorism and take proportionate mitigation measures to protect the public.

To ensure proportionality, the Act applies a tiered approach based on maximum occupancy:

  • Standard tier: Premises with a capacity of 200 to 799 individuals.
  • Enhanced tier: Premises with a capacity of 800 or more.
  • Qualifying public events: Temporary events with a capacity of 800 or more, where access is controlled (through ticketing, barriers, etc.) and the event is held at premises that are not already qualifying premises.

Standard tier requirements: Public protection procedures

For smaller venues (200-799 capacity), the 2025 Act mandates a light-touch approach, designed to be low cost but high impact. The goal of these requirements is to ensure that those working at the premises are prepared to act quickly to save lives.

To meet the 2027 deadline, the responsible person for a standard tier venue must fulfill two core statutory duties:

  • Notification: Notify the SIA of their premises.
  • Readiness: Establish public protection procedures, measures which may be expected to reduce the risk of physical harm being caused to individuals. These measures must include:
    • Evacuation: Clear, practiced routes to get people away from danger.
    • Invacuation: Procedures to move people to a safe, internal protected location within a building.
    • Lockdown: Simple, effective methods to secure the premises against an external intruder.
    • Communication: A reliable way to alert everyone on the premises to an immediate threat.

Enhanced tier requirements: Comprehensive risk assessment

For larger venues (800-plus capacity) and qualifying public events, the Act applies a far more stringent, enhanced duty. To shift from awareness to accountability, owners and operators must ensure that a terrorism risk assessment is completed, reviewed and updated (at least) annually and each time a material change is made.

For qualifying public events, this assessment must be completed at least three months before the event begins or as soon as details are made public if the lead time is shorter.

The three pillars of enhanced risk assessment:

  • Tactical threat analysis: Identifying the types of acts of terrorism most likely to occur at, or in the immediate vicinity of, the premises or event.
  • Mitigation strategy: Outlining reasonably practicable measures to reduce the risk of acts of terrorism.
  • Physical harm reduction: Implementing measures to reduce the risk of physical harm during an incident.

Mandatory terrorism protection training

That is not all. In the enhanced tier, owners and operators must also provide annual terrorism protection training to all workers with relevant responsibilities, commencing before, or as soon as practicable after, the worker first assumes their role.

To comply with the 2027 enforcement mandate, your training must move beyond general awareness to role-specific competency. The Act requires that training is tailored to the specific size, use and nature of the venue. For 2027 readiness, ensure your records show that the training has occurred and that workers understand:

  • Localized threat vectors: Specific risks to your unique geography.
  • Pre-incident indicators: Recognizing hostile reconnaissance or suspicious behavior.
  • Dynamic response protocols: Real-time procedures for “Run, Hide, Tell” or lockdown scenarios.

Enhanced duty to take security measures: Roles, responsibility and the security plan

To comply ahead of the 2027 deadline, enhanced tier premises and qualifying public events must ensure that they’ve taken all reasonably practicable measures to reduce the risk of terrorism. This duty covers both the prevention of an attack and the mitigation of physical harm should an incident occur.

Mandated security measures include:

  • Proactive monitoring: Surveillance of the premises and its immediate vicinity to identify suspicious activity.
  • Movement control: Managing how individuals enter, exit and move within the space.
  • Emergency response: Documented procedures for alerting emergency services, public notification, evacuation, invacuation and securing the premises.
  • Information security: Protecting sensitive data, such as floor plans or security schedules, that could assist in the planning of an attack.

In a sea change from previous voluntary standards, the Act mandates that where the responsible person is not an individual (e.g., a corporation or trust), they must designate a senior individual to oversee compliance.

This role carries legal accountability, serving as the primary point of contact for the SIA to ensure the entity meets its statutory obligations.

Beyond compliance: Best practices for the 2027 security plan

The senior individual is responsible for the live status of the security plan. This document is the most tangible evidence of compliance that the SIA will review during an audit.

To be submitted via the ProtectUK portal, the security plan must include:

  • Information about the premises and the designated senior individual
  • The current terrorism risk assessment
  • Details of security measures currently in place (or proposed)
  • Evidence of completed terrorism protection training

The triple-zone strategy (layered defense)

A security plan that simply checks boxes will likely fail an SIA audit. To meet the bolstered standard, senior individuals should implement a layered approach:

  1. The outer zone (perimeter control): Your first opportunity to reduce risk. Coordination with transit agencies is critical here.
    • Vehicle screening: All docking vehicles and those parked within 100 feet of the venue should undergo a pre-determined screening process.
    • Queue management: Actively estimate queue lengths to assess the vulnerability of patrons waiting to enter.
  2. The middle zone (access & monitoring): Focused on detection and deterrence.
    • Monitoring: Ensure CCTV coverage extends to all major and minor areas, supporting both real-time monitoring and incident response.
    • Deliveries: Implement a pre-cleared only policy. Examine delivery manifests against physical contents and verify all personnel credentials.
  3. The inner zone (operational integrity): Protecting the core of the venue.
    • Credentialing: Use color-coded access levels to ensure employees and patrons remain only in authorized areas.
    • Intrusion paths: Address non-traditional risks identified in your vulnerability analysis, such as mail delivery, service repairs and food vendor products.

Scenario-specific response planning

Going into 2027, the SIA expects specific protocols for high-probability threat scenarios. Therefore, your plan should include playbooks for:

  • Active shooter and civil unrest
  • VBIED (Vehicle-Borne Improvised Explosive Devices)
  • Hazardous materials and food contamination
  • Mass fatality planning and medical emergencies

Martyn’s Law 2027 readiness checklist

Compliance area: Requirement for enhanced tier

  • Monitoring: Continuous monitoring of the premises and immediate vicinity.
  • Access control: Managed movement to prevent unauthorized entry.
  • Four procedures: Evacuation, invacuation, lockdown and communication protocols.
  • Information security: Protecting sensitive floor plans and security schedules from bad actors.
  • Audit trail: Digital records of terrorism protection training and annual risk reviews.

Operationalizing DORA: A phased roadmap for 2027 compliance

In 2026, a static, annual paper risk assessment is no longer enough to satisfy the SIA. Because threat levels and crowd dynamics are fluid, compliance must be, as well. This is where the dynamic ongoing risk assessment (DORA) becomes a critical operational requirement.

To meet the 2027 enforcement deadline, DSOs should adopt a phased risk assessment model that captures the full emergency lifecycle:

Step 1: Baseline venue profiling and asset identification

Before assessing threats, you must define the base layer of your data. This includes:

  • Core data: Facility name, coordinates, size and maximum capacity.
  • Operational context: Typical event frequency and how the venue is used during peak versus off-peak hours.
  • External factors: Coordination with roadway management to understand traffic and crowd flows as potential risk vectors.

Step 2: Quantifying risk

Your risk assessment team must determine plausible threats and their probability. By developing a complete profile of critical assets, you can conduct a mandatory vulnerability assessment that accounts for cascading consequences if key infrastructure is compromised.

Step 3: Multi-agency and stakeholder mitigation strategy

The audit must involve stakeholders with responsibilities across the four stages of emergency management:

  • Planning: Preventive measures.
  • Mitigation: Reducing the impact of an unavoidable event.
  • Response: Real-time action during an incident.
  • Recovery: Business continuity and post-incident care.

Conclusion: The road to 2027 readiness

Thanks to tireless advocacy, the legacy of the Manchester Arena bombing has become the foundation for a new era of public safety. By exposing the vulnerability of the nation’s gray spaces, that tragedy forced a realization that the state’s security apparatus cannot stand alone.

As a result, the Terrorism (Protection of Premises) Act 2025 codifies shared responsibility as the law of the land. Now, with the 2027 enforcement deadline fast approaching, the burden of protection has officially become a statutory duty for owners and operators.

To successfully meet the SIA’s rigorous standards, venues must adopt a full-lifecycle approach to threat management, from dynamic risk assessments to audited training logs.

Accelerating your path to compliance

Waiting for the final months of the implementation period is a high-risk strategy. Leading venues are already using security management software to bridge the gap between policy and practice. By centralizing risk data, automating incident response playbooks and maintaining a live security plan that updates as threats change, platforms like Noggin provide the digital audit trail necessary to satisfy SIA regulators.

The window to formalize your security infrastructure is open now. To see how Noggin can automate your 2027 compliance, request a demonstration today.
