This very important update to Martyn’s Law has been prepared by Stewart Brown, Surelock’s Senior Security Consultant and has already been featured in the online Professional Security Magazine –
https://professionalsecurity.co.uk/news/interviews/martyns-law-the-musts-shoulds-and-coulds/
Reading any legislation can be Arduous, Stewart has meticulously done this and offered his advice here.
Surelock are well versed in this important legislation and available for consultations or training - https://www.surelock.org/services/martyns-law don’t leave it till the last minute!
Here is a detail review and explanations on the two (2) different Statutory Guidance documents & attachments (Sec. 12 & Sec. 27) issued on 15th April 2026 under the Terrorism (Protection of Premises) Act 2025 – Martyn's Law. These documents have to be read along with the actual Act for full understanding
Just to clarify that under Sections 12 & 27 of the Act, the phrase used is "Guidance", whereby the Home Office have now titled Section 27 as "Statutory Guidance" (129 pages & 53 supplementary pages) and the Security Industry Authority (SIA) have titled the Section 12 information as "Statutory Operational Guidance" (67 pages).
This is in response to a LinkedIn post just over a week ago, when referring that a University Head of Security at a AUCSO meeting that the Statutory Guidance documents have not been read & then the Question: does a security professional need to read it, if so by when? Can they get away with reading a digest & knowing the gist of it, or knowing of it & doing a crafty word search if queried?
Answer - unfortunately all owners/operators of premises & event’s organisers in scope of this Act need to be aware of their legal responsibilities under the Act & security professionals need to fully understand the Act & Statutory Guidance documents to be able to give best advice & advise properly, how to comply with this new legislation (as solicitors, SIA & the courts) will eventually challenge the wording & interpretation of the Act to great costs. These documents need to be understood now & therefore compliance may be achieved by 3rd April 2027, when it comes into force. I expect the SIA are working to a six (6) month before timescale as getting requirements explained & documented will take about that time, so by the 3rd October 2026 will probably be a date that owners/operators of premises & event’s organisers should have responded (or started work) to the Act's requirements.
Statutory Guidance
It is a fair document (it is the first of its kind) but unfortunately does not define or explain the title word 'Terrorism', which would have been helpful and relevant. I know various governments & countries across the world and academics have struggled with this & appear to have different versions, but a simple phrase like "any potential act that creates or intimates fear or terror to or on the general public" may have sufficed.
Also in Chapter 3: Glossary of terms, they have not mentioned or defined 'Protection of Premises' or given any indication of what they mean by that phrase, which are two major omissions as these two points are what the Act is all about, whereby they have explained other words 'Appropriate' and 'Reasonably practicable' in detail, amongst others.
With regards to the requirements detailed & 'Terms used', they have highlighted in bold the words, MUST, SHOULD and COULD with the following explanations 'Meaning in guidance' as:
MUST – A legal requirement in the Act.
SHOULD - Not an express requirement in the Act but strongly recommended & encouraged good practice.
COULD - Not a legal requirement but an optional suggestion or example
On initial reading of the 129 pages (9 Chapters) then the additionally 3 supplementary documents (A, B & C), there is a fair amount of duplication of words & phrases that owners/operators of premises & event organisers have to try & work out what is relevant & intended, but I have broken down that there appears to be in total 124 actual requirements, that I take the Security Industry Authority (SIA) will follow & enforce during their investigative & regulatory approach role.
Simplified (I think) there are the use of the words: MUST 55 times, SHOULD 91 times and COULD 50 times, & in some requirements there is more that one of these words used in the actual requirement paragraph, phrase or details.
There are 72 requirements that affect ALL the Standard Tier premises, Enhanced Tier Premises & Events
There are 74 requirements that affect Standard Tier premises
There are 118 requirements that affect Enhanced Tier premises and
There are 122 requirements that affect Events
Chapter 3: Glossary of terms, does explain the following words or phrases:
- 'Appropriate' means 'Suitable' (but this would be subjective to a view of an individual/organisation/company)
- Immediate vicinity – this is an area close to the premises. There is no fixed distance associated with this term (they should have given some indication of distance or explained what they consider immediate vicinity)
- 'Reasonably practicable' means 'proportionate' - the responsible person should weigh what can be done to achieve the objectives of procedures &/or measures, balanced against the cost, time & difficulty of implementation..... (proportionate is again a subjective view)
- 'Responsible person or responsible persons' - this is the individual, organisation or company with control of the qualifying premises or individual, organisation or company with control of the premises at which the qualifying event is taking place, for the purpose of the event (this person is therefore legally responsible for all aspects of the Act)
- Senior individual – where the responsible person for enhanced tier premises or a qualifying event is an organisation or company, a senior individual must be designated to ensure compliance with the Act. The senior individual is someone who is involved in the management or control of the responsible person (this does not negate the responsible person from the legal requirements of the Act)
The Glossary of terms (pages 14 – 18) does detail the Public protection procedures (paras. 7.33 to 7.49) of 'Evacuation', 'Invacuation', 'Lockdown' & 'Communication' briefly, but does not mention or explain the Public protection measures of 'Monitoring', 'Movement control', 'Physical Security' & 'Security of Information' until page 92, (paras. 8.7 to 8.12) & pages 96 – 113, (paras. 8.25 to 8.48), which really does not clearly assist the responsible person or anyone else trying to advise on how to protect premises and/or events effectively.
The stated four (4) procedures are not too difficult to identify & comply with (after a lot of research & understanding), but the stated four (4) measures of: Monitoring, Movement control, Physical Security & Security of Information are phrases that need to be explained in detail and guidance given to understand what the SIA may need to be covered to achieve effective compliance with the Act.
The Statutory Guidance (paras. 8.56 to 8.67) states the responsible person for enhanced tier premises or qualifying events must document their compliance with the Act, using statements & assessment, then calling it a 'compliance document', which the SIA 'statutory operational guidance' also refers to. This guidance uses the word 'statements' that are required to set out public protection procedures & measures, but the SIA refer to compliance documents & does not refer to 'statements' or 'assessments' in any of their guidance, which causes confusion.
There are a number of examples given & figures (charts, lists & columns) with relevant information that assists the various chapters in the Statutory Guidance, which references & supports the relevant sections of the actual Act, but working out the various requirements needed to establish & identify terrorist assessments (potential threats/actions) & actual Protection of Premises aspects (for both Enhanced tier premises & qualifying events) is very difficult to work out & record to comply with the Act. I fully understand that all this process is new for owners/operators of premises & event's organisers but there is still a large number of unidentified matters that will have to be considered by the premises/events to satisfy the SIA that compliance is there for the safety of the public.
Now the Statutory Guidance (para. 6.7) actually states "It is not mandatory to use third-party products or services to comply with the Act's requirements. However, the responsible person may contract relevant services to assist in meeting their obligations under the Act if they consider necessary, helpful or appropriate (for example, a security provider, contractor and/or consultant who can advise on vulnerabilities, and appropriate public protection procedures or measures). The responsible person remains liable for ensuring that premises or events are compliant with the Act and should therefore be satisfied that any support provided by providers, contractors or consultants is suitable to meet their requirements, properly resourced and effectively delivered".
This above paragraph now identifies to owners/operators & events organisers that they can obtain specialist advice from the UK Security Industry (Security Consultants etc) if lacking experience & knowledge in interpreting and dealing with all (or any) aspects of Martyn's Law.
Statutory Operational Guidance
The Statutory Operational Guidance by the SIA under Section 12 of the Act, mainly relates to its role, regulatory functions, investigatory powers and enforcement which will evolve over time, after April 2027 & is still in the draft stage. Although it clearly identifies the compliance process, including notification, information-gathering & inspection, investigation, interviews, risk assessments & serving relevant notices during the compliance process.
The SIA are already engaging sufficient staff, inspectors & management to deal with their requirements under the Act & have new offices in Manchester, although these guidance documents reveal that the majority of contact will be done through an on-line portal/mechanism for correspondence & notices rather than telephone or face to face communications.
The SIA have the powers to seek information from the responsible person or other party, by (1) information request, (2) statutory information notice, (3) interview notice, or (4) inspection of premises (with or without a warrant).
There are three (3) types of statutory civil notices – compliance notices, restriction notices & penalty notices that they will serve on the responsible person for enhanced tier premises or qualifying events. Compliance notices are the process that the SIA will use to advise & probably support those in preparing & submitting compliance documents. SIA enforcement regime will follow with restriction notices (stop premises/events from operating?) then pursue with penalty notices (to punish non-compliance).
The responsible person for enhanced tier premises or large events, has to notify (register themselves) to the SIA & then provide compliance documents regarding the operational use of their premises or events before allowing members of the public to attend the venue.
The SIA under Section 1.2 of their Statutory Operational Guidance document, 5th paragraph actually states "The SIA publishes guidance and tools to support those in scope of the Act to comply, as set out in section 3 of this guidance. The SIA does not usually provide tailored regulatory advice on compliance to those in scope, except where it has identified a specific compliance issue" - to explain in simple terms, they do not provide site (premises or events) specific advice, unless they are dealing with the responsible person regarding a compliance matter/issue that has been identified by them.
Summary
To briefly summarise the above, the detailed Statutory Guidance document has 120+ requirements (MUST, SHOULD & COULD) for owner/operators & events organisers ('responsible person' position) that it is expected that the SIA will use to ascertain compliance under the Act.
Any guidance/advice that the Home Office have stated in this document will have to be considered or implemented, if not the responsible person will have to detail and justify why they cannot action or comply with the provisions of the Act.
As a consultant to clients I take it that any information (requirements) from this Statutory Guidance document provided by the Home Office under the Act, will need to be thought of, acknowledged, considered & explained by owners/operators or event organisers, then documented to enable them to comply with Martyn's Law Act.
All owners/operators of premises & events organisers that fall into the scope of this act, they will need to fully understand these requirements in order to satisfy the SIA that they are compliant in keeping members of the public safe on their premises or an event run by them.
There is a great amount of work still to be done before 3rd April 2027 when this Act comes into force, which we at Surelock International Limited are ready & can assist. We have adapted our Security Consultancy Services & current Security Survey/Audit process on all premises/events in the scope of this Act to comply with this new legislation & therefore be able to provide 'Compliance documentation' for owners/operators & events organisers to assist them in complying with this law.
Stewart BROWN
Senior Security Consultant
Surelock International Limited
Email: stewart.brown@surelock.org
Contact: https://www.surelock.org/contact-us
