Martyn’s Law: What New Anti-Terrorism Guidance Means for Event Organizers
Named for a victim of the 2017 Manchester Arena bombing, Martyn’s Law will place new counterterrorism duties on those running publicly accessible UK premises and events. Liam Lane and Constance Strasser of Peters & Peters examine what the recently published statutory guidance clarifies — from the tiered obligations to the emphasis on clear, recorded decision-making — and practical steps to consider now.
In May 2017, nearly two dozen people were killed and thousands more were injured in a terrorist bombing at a concert in Manchester, UK. Among those killed was Martyn Hett, and the law named for him is expected to enter into full force next year.
Following the April publication of statutory guidance under Martyn’s Law (formally titled the Terrorism (Protection of Premises) Act 2025, organizations are now better-placed to understand how the legislation will operate in practice and what is required of them, as the guidance provides much-needed clarity on scope, responsibilities and the tiered framework that applies to qualifying premises and events.
A shift in expectations for event organizers
One of the key messages emphasized in the guidance is that the act represents a cultural shift in how security is approached in large, publicly accessible premises and events across the UK. The act assumes that a terrorist attack could occur anywhere and therefore places responsibility on those running premises and events to ensure they are always prepared, not only for large-scale or high-profile events.
For event organizers, this marks a move away from treating counterterrorism as a specialist or reactive issue and toward embedding it within core planning, risk management and operational decision-making.
The guidance outlines a two-tiered system, dividing events into two categories based on capacity, the standard tier (200-799 persons), the enhanced tier (800 or more persons). The guidance underlines that qualifying events are treated in line with enhanced-tier premises, meaning that organizers of larger events will face more extensive obligations, including assessing vulnerabilities and implementing appropriate mitigation measures.
Who is responsible?
One of the most practically significant issues for event organizers will be determining who bears responsibility under the act.
The guidance makes it clear that the responsibility will sit with the person or organization that has control of the premises or event. In the context of events, this can be complex. Multiple parties may be involved, including venue operators, event promoters, production companies and security contractors.
The guidance anticipates this complexity and introduces obligations of “co-operation,” where multiple parties have roles in delivering the event, and “co-ordination,” where there is more than one “responsible person.”
In practice, this means event organizers will need to clearly allocate responsibility at the contracting stage, ensure roles are documented and understood across all parties and avoid assumptions that the security responsibility rests solely with venues or third-party providers.
A failure to clearly define responsibility is likely to create a compliance risk and operational confusion in the unfortunate event of an incident.
‘Reasonably practicable’ standard
The concept of “reasonably practicable” is central to the act and the guidance. The guidance does not require organizations to eliminate all risk. It stresses that “there is no requirement for those responsible for premises or events to undertake (or to expect their staff to undertake) actions that are not reasonably practicable because those actions would compromise their own safety.” Instead, it requires steps that are proportionate, appropriate to the specific circumstances and balanced against cost, effort and operational impact.
Critically, the guidance emphasizes that organizations are not expected to implement measures that would put staff or others at undue risk, reinforcing that safety for all remains the overriding consideration.
For event organizers, this means moving away from a “checklist” mentality and toward a structured, risk-based approach. Examples of steps may include:
- Developing and rehearsing evacuation, invacuation, lockdown and communication procedures
- Ensuring staff and contractors are trained and aware of their roles
- Considering site layout and crowd flow in the context of security risks
- Assessing whether physical security measures are appropriate and sufficient
Enhanced-tier events will also need to consider vulnerabilities in advance and, where appropriate, take steps to reduce them, the key point being that decisions must be evidence-based and tailored rather than generic.
Clear and recorded decision-making
A running theme throughout the guidance is the importance of accountability, which is not limited to outcomes, but in the decision-making process itself.
Given the inherent flexibility brought to light in the “reasonably practicable” standard, organizations will need to be able to demonstrate how risks were identified, what options were considered and why particular measures were selected or rejected.
Maintaining clear and contemporaneous records will be critical in practice. For event organizers, this may include:
- Written risk assessments addressing terrorism-related threats
- Records of security planning meetings and decisions
- Documented allocation of responsibilities between parties
- Evidence of training and briefing for staff
Such records are likely to be important not only for regulatory compliance but also in the context of enforcement action by the Security Industry Authority, civil claims following an incident and reputational scrutiny, such as a public inquiry.
In this respect, parallels can be drawn between the act and existing regulatory regimes, such as health and safety, where documented reasoning and proportionality of measures are key.
Practical steps for event organizers
Although the act is not yet in force, the guidance makes clear that organizations should begin preparing during the implementation period. Steps include, but are not limited to:
- Scoping: Determine whether events are likely to fall within the act particularly the enhanced tier threshold.
- Responsibility mapping: Identify the likely “responsible person” and clarify allocation of responsibilities for staff members.
- Analysis of current security and safety arrangements: Compare current security and safety arrangements against the requirements outlined in the guidance.
- Developing procedures: Establish or refine plans for evacuation, invacuation, lockdown and communication.
- Embedding a security culture: Ensure that counter-terrorism considerations are integrated into event planning processes and provide appropriate training and briefings to all staff members.
- Documentation and governance: Implement systems for recording decisions and meetings.
Looking ahead
The guidance confirms that the act is intended to deliver a “step-change” in protective security across the UK.
For event organizers, the challenge will be to translate the flexibility built into the legislation into robust, defensible and practical measures. From a risk perspective, including reputational risk, safe operation and insurance agreements, organizations will need to adapt.
Organizations that begin early by clarifying responsibilities, adopting a structured approach to risk and embedding clear decision-making processes will be best placed not only to comply with the legislation but demonstrate effective and proportionate security standards in an increasingly complex risk environment.