The Terrorism (Protection of Premises) Act 2025 received royal assent in April 2025. Warren Gordon, Rosalind Morgan and Lukas Rootman look at how it will affect those responsible for relevant premises and events.
This article contains public sector information licensed under the Open Government Licence v3.0.
Intended to protect certain larger premises and events in the UK from terrorist attacks, the Terrorism (Protection of Premises) Act 2025 will impact on premises with a capacity of 200 or more people, and there will be additional measures for premises or events with a capacity of 800 or more people (affecting larger premises such as shopping centres, schools and stadiums or arenas).
While the legislation will not come into force for at least two years, those responsible for relevant premises and events will need to understand their new obligations and prepare accordingly. The penalties for non-compliance are potentially very severe.
Background to the act
Counter-terrorism policing assesses that, since March 2017, there have been 15 domestic terror attacks in the UK (not including Northern Ireland-related terrorism), and security services and law enforcement have together disrupted 43 late-stage plots. Both the Manchester arena inquiry and the London Bridge inquest called for new legislation to protect the public.
The government is aware that without legal compulsion, counter-terrorism protective security and preparedness often fall behind other legally required activities such as health and safety. The act introduces that legal compulsion for certain larger premises and events.
The act is also known as “Martyn’s Law”, named after Martyn Hett, who was tragically killed in the Manchester arena attack.
Purpose of the act
The act is intended to improve protective security and organisational preparedness for premises and events by requiring that those responsible consider the terrorist risk and how they would respond to an attack. Also, certain larger premises and events must adopt additional measures to reduce their vulnerability to terrorist attacks.
There is currently no consistency of approach to the consideration of risk posed by terrorist attacks and the act seeks to address this through the requirements that it imposes, clarifying who is responsible at qualifying premises and events, with the intention of raising security standards.
The act establishes a tiered approach linked to the activity that occurs at the premises or the relevant event and to the number of people who it is reasonable to expect may be present at the same time at the premises or event. So, there will be a “standard tier” (“standard duty premises”) and an “enhanced tier” (“enhanced duty premises”).
The act’s requirements are subject to the concept of “reasonably practicable”. This will allow those responsible to consider the nature of their activities, operating environment and available resources, to ensure a proportionate and premises-specific approach to compliance.
What’s in scope?
To fall within the scope of the act, premises (known as “standard duty premises”) must satisfy all of the following four criteria:
- There is at least one building (or the premises are in a building).
- The premises are wholly or mainly used for one or more of the uses specified in the act (Schedule 1), which includes restaurants, shops, entertainment and leisure activities, sports grounds, museums, hotels, places of worship, conference centres, hospitals, transportation stations, schools and colleges and other facilities or services provided to visiting members of the public.
- It is reasonable to expect that at least 200 individuals may be present at least occasionally.
- The premises are not excluded under the act (Schedule 2); exclusions include certain parks and gardens.
The premises will be known as “enhanced duty premises” if 800 or more individuals may be expected at the premises (unless the act specifies otherwise), with additional duties for those responsible.
To fall within the scope of the act, an event must satisfy all the following criteria:
- It will take place at a building, other land or a building and other land (including part of a building or a group of buildings).
- The relevant premises are accessible to members of the public for the purpose of the event.
- It is reasonable to expect that there will be at least 800 individuals present for the event at once, at some point during it.
- There will be measures to check entry conditions are met, such as ticket checks.
- The event is not excluded as mentioned above in relation to premises.
Who is the responsible person?
For qualifying premises, the responsible person is the person who has control of the premises in connection with their relevant use, such as a sports ground or hotel. Where there is more than one use, it will be the person in control of the premises in connection with whichever use is the principal use at the premises.
For a qualifying event, the responsible person is the person who has control of the premises at which the event will be held for the purposes of the event. The circumstances will determine the identity of the responsible person. For example, if a concert is to be held in a park and the company putting on the event takes control of an area of the park for the purposes of that concert, the company putting on the event will be the responsible person.
However, if a stately home puts on a concert in its grounds and maintains control of the site for the purposes of that concert, the stately home will be the responsible person. This would be the case even if the stately home contracted others to organise certain aspects of the event such as door security or ticketing.
Requirements
“Standard duty premises”
This applies generally to those premises where it is reasonable to expect that from 200 up to and including 799 individuals (including staff) may be present at the same time at least occasionally.
The responsible person will be required to notify the Security Industry Authority (SIA) of their premises and have in place, so far as reasonably practicable, appropriate public protection procedures. These are procedures to be followed by people working at the premises in the event of a terrorist attack, which may be expected to reduce the risk of physical harm being caused to people. They relate to evacuation, invacuation (moving people to a safe place), locking down the premises and communicating with people on the premises.
There is no requirement for “standard duty premises” to put in place physical measures. The requirements are focused on simple, low-cost activities, with costs relating primarily to time spent.
“Enhanced duty premises” and qualifying events
Enhanced duty premises and qualifying events are premises or events where it is reasonable to expect that 800 or more individuals (including staff numbers) may be present on the premises at least occasionally or attend the event at the same time. There are additional requirements beyond those for standard duty premises. The responsible person will also be required to do the following:
- Have in place, so far as reasonably practicable, appropriate public protection measures that could be expected to reduce both the vulnerability of the premises or event to an act of terrorism and the risk of physical harm being caused to individuals if an attack were to occur there or nearby. For example, enhanced duty premises will be required to implement measures relating to the monitoring of the relevant premises and their immediate vicinity.
- Document the public protection procedures and measures in place, or proposed to be put in place, and provide this document to the SIA. This document should include an assessment of how the public protection procedures and measures reduce vulnerability and/or the risk of harm.
- Where the responsible person is not an individual, they must designate a senior individual with responsibility for ensuring that the responsible person complies with these requirements.
Enforcement
The act establishes a regulator to oversee compliance, through a new function of the Security Industry Authority (SIA). The core principle of the regulator’s activity will be to support, advise and guide businesses to implement the act’s requirements. It will only use its powers and sanctions to address serious and persistent cases of non-compliance. This will include the power to fine those who fail to fulfil the requirements (up to £18m or 5% of worldwide revenue, whichever is the higher) and shut down premises and events in the enhanced tier in the most serious cases of non-compliance. There are also criminal offences.
There will be an implementation period of at least 24 months before the act comes into force. This will allow the SIA’s new function to be established and to ensure that those responsible for relevant premises and events understand their new obligations, enabling them to plan and prepare accordingly.