Martyn’s Law: What Live Music, Sport And Events Businesses Should Be Doing Now – Human Rights

Article Insights

The Terrorism (Protection of Premises) Act 2025 (the
Act) – commonly known as “Martyn’s
Law” – is set to transform the way public venues and
events across the UK approach security and preparedness for
terrorist threats.

The Act is named in memory of Martyn Hett, one of the 22 victims
of the 2017 Manchester Arena terrorist attack. Since his death, his
mother, Figen Murray, has led a tireless campaign to improve public
safety and ensure that lessons are learnt from that event – a
campaign that led to the passing of this legislation.

The Act received Royal Assent in April 2025 and is anticipated
to come into force around April 2027, giving businesses plenty of
time to prepare. When it does, owners and operators of a wide range
of premises and event spaces will be subject to a new duty intended
to enhance venue security and improve public safety.

While we wait for the Act to come into force, venues and
organisers should start identifying which sites and activities fall
within scope, what practical steps are needed for compliance, and
how to ensure related technologies – such as facial
recognition – are secure and legally compliant.

In this article, we provide an overview of the new law and
highlight some of the key provisions and considerations for those
affected.

Who does it apply to?

The Act applies to “qualifying
premises” which are premises that consist of a
building (or part of, or a group of buildings), that are wholly or
mainly used for certain specified purposes (such as entertainment,
leisure, sport, retail, hospitality, museums, visitor attractions,
conference centres, and higher education), and in respect of which
it is reasonable to expect that from time to time 200 or more
individuals may be present on the premises at the same time.
Certain premises are specifically excluded, for example, government
premises and transport hubs.

Premises are classified according to capacity:

• standard duty premises are qualifying premises
  where 200-799 individuals may be present at the same time.




• enhanced duty premises are qualifying premises
  where 800+ individuals may be present at the same time.

Note that places of worship, childcare settings, schools, and
further education institutions are always treated as standard duty
premises, even if the number of individuals that might attend
exceeds 800.

The Act also applies to “qualifying
events” which are ticketed, members-only, or paid-for
events open to members of the public held at premises that are not
classified as enhanced duty premises but where 800 or more
individuals may be present at the same time. For example, a
qualifying event might be a temporary outdoor music festival.

What is required?

The requirements depend on the classification of the
activity:

• for standard duty premises, public protection
  procedures must “so far as reasonably
  practicable” be in place, with the objective of reducing
  the risk of physical harm being caused to individuals if an act of
  terrorism were to occur on the premises. These procedures cover
  evacuation, lockdown (preventing entry or exit), and clear
  communication with those on site. Importantly, those responsible
  for standard duty premises are not obliged to install new physical
  security measures.




• for enhanced duty premises and
  qualifying events, public protection measures must
  be in place to reduce vulnerability to terrorist attacks and
  minimise the risk of harm caused if an act of terrorism were to
  occur. The measures must be assessed and kept under review and must
  cover:




• • monitoring the premises or event, and its immediate
    surroundings;

  
  

  • managing how people move into, out of, and within the
    site;

  
  

  • improving physical security at the premises or event; and

  
  

  • ensuring the security of information relating to the premises
    or event.

The procedures and measures must be documented and submitted to
the Security Industry Authority (SIA), the entity
responsible for the enforcement of the Act, along with an
assessment of how they are expected to reduce risk and
vulnerability. The extent and scope of the procedures and measures
required is likely to be clarified by the Government in guidance to
be released before the Act comes into effect.

Who is responsible?

Responsibility for compliance falls on the
“responsible person“, which is the
person or organisation with “control” of the premises or
event. Where multiple parties share control, such as landlords,
operators, or event promoters, each will be considered a
responsible person under the Act. They must, so far as is
reasonably practicable, coordinate and work together, especially
where premises overlap or are adjacent.

How will the Act be enforced?

The SIA will have powers to advise, investigate and enforce
compliance with the Act. Where it identifies a breach, the SIA can
issue compliance notices (requiring remedial action) or restriction
notices (which can limit how, when or by whom a venue is used, or
even prohibit an event from taking place). Penalties for
non-compliance are significant: up to £10,000 for standard
duty breaches, and for enhanced premises or events, up to the
greater of £18 million or 5% of qualifying worldwide revenue,
with additional daily penalties for ongoing breaches. Criminal
liability may arise for failure to comply with notices or for
providing false or misleading information.

Commercial takeaways for live music, sport and events

While we wait for the Government’s official guidance, there
are several practical steps that venues and organisers can take now
to prepare:

• Map out premises to identify which are likely to be caught by
  the standard or enhanced duties.




• Understand which planned events might constitute qualifying
  events.




• Identify the “responsible person” for each premises
  or event, and, for organisations, appoint a senior individual to
  oversee compliance. Where multiple parties are involved, such as
  landlords, operators, or promoters, establish clear protocols for
  coordination and information sharing.




• Review and refresh your incident response plans to ensure they
  cover the applicable protections and measures, which may include
  evacuation, invacuation or shelter, lockdown, and effective
  communication with the public (using PA systems, screens, or mobile
  messaging as appropriate).

These plans should be aligned with your existing safety and
crowd management procedures, and you could consider scheduling
drills or exercises to ensure staff and contractors understand
their roles and responsibilities.

If you are caught by enhanced duties, you could consider
reviewing entry and crowd management procedures such as queuing
systems, bag checks, and vehicle access controls, assessing
monitoring tools like CCTV and radio communications, and
implementing access controls in relation to sensitive site
information (e.g., plans or control room details).

Be mindful that procedures and measures will need to work for
disabled spectators, families, touring crews and other vulnerable
groups, and multilingual communications should be considered where
appropriate.

Legal considerations

We recommend that you review and update contracts with
promoters, hirers and contractors where needed to reflect the new
duties. You may also need to consider insurance and the costs of
compliance as part of a wider liability discussion.

In addition, any venue/event considering deploying a technology
solution (e.g., a ticketing system or an ID verification system)
will need to be mindful of laws regulating:

• Data protection if the solution processes
  personal data of staff or attendees e.g., the Data Protection Act
  2018. Stricter protections apply to the processing of “special
  category personal data”, which includes biometric data and
  will therefore need to be considered as part of a data privacy
  impact assessment carried out for any biometric verification or
  ticketing solution.




• Artificial intelligence if the solution
  constitutes an “AI system” under the EU AI Act and falls
  into scope. If it does, compliance obligations may apply depending
  on the venue/event’s use of the solution and its
  “operator” classification.




• Equality and human rights to ensure that
  direct or indirect discrimination against individuals does not
  occur e.g., that an automated verification solution does not
  discriminate against event attendees contrary to the Equality Act
  2010.

It’ll be important to ensure that third-party vendors or
hosting providers are subject to appropriate contractual
obligations and restrictions, including compliance with law
obligations, and that robust audit and information security
measures are in place.

Staying prepared and further updates

As statutory guidance from the Home Office and the Security
Industry Authority (SIA) is released, organisations should stay
informed and be ready to adapt their plans and procedures
accordingly. We will continue to monitor developments and publish
further updates as the implementation period progresses.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.