Martyn’s Law: prepare for insurers, not just regulators

What the statutory guidance requires, how insurers are likely to respond, and why a joined-up broking and advisory approach sets firms apart.

There is often a period between legislation being passed and brought into force when obligations are defined, timelines published and the regulator identified, but enforcement has not yet begun. For organisations within scope of the Terrorism (Protection of Premises) Act 2025, that period is narrowing quickly.

The Act, commonly known as Martyn’s Law, received Royal Assent on 3 April 2025. The Home Office published statutory guidance in April 2026, with accessible material updated in May 2026, and the Security Industry Authority (SIA) has consulted on its approach to assessment and review. There is no legal requirement to comply until the Act comes into force, but boards, operators, landlords and insurers are unlikely to wait until commencement before testing how prepared organisations are in practice.

Less than twelve months is not long to move from awareness of the law to an embedded set of public protection procedures: trained staff, documented plans, coordinated responsibilities across landlords and tenants and, for larger premises, vulnerability assessments capable of withstanding regulatory scrutiny. Nor is this solely a legal or operational exercise. For many organisations, preparedness under Martyn’s Law will increasingly influence how insurers and underwriters assess risk quality.

 

Two tiers, two postures

The Act takes a tiered approach. Premises that can reasonably be expected to host between 200 and 799 individuals at the same time, from time to time, for a Schedule 1 use fall within the standard tier. Premises that can reasonably be expected to host 800 or more individuals fall within the enhanced tier. Qualifying public events are also enhanced-tier where they are expected to host 800 or more people and have access controls, such as ticket checks or payment barriers. Some categories, including places of worship, childcare premises and certain education premises, remain within the standard tier even where attendance exceeds that threshold.

The Schedule 1 list is broader than it first appears. Shops, hospitality venues, leisure and entertainment sites, sports grounds, libraries, museums, galleries, halls, visitor attractions, hotels, places of worship, healthcare settings, transport hubs, aerodromes, childcare and education premises, and public authorities may all fall within scope. A separate part of an otherwise out-of-scope building may itself qualify. Publicly accessible events expected to draw 800 or more people, with some form of perimeter entry checks, may also qualify even where they take place outside enhanced tier premises.

The practical implication is that scope is often less straightforward than it first appears. A community trust operating a hall, a hotel group with a 250-cover restaurant, a faith building with an associated nursery, or a developer letting parts of a mixed-use site may each require careful analysis. In many cases, determining scope becomes a substantive exercise in its own right.

 

What “reasonably practicable” actually asks of the responsible person

Every qualifying premises and event will have a ‘responsible person’, typically the organisation in control of the premises for the Schedule 1 use, or in control of the premises in connection with the event. For enhanced tier premises or qualifying events, a senior individual must be designated to ensure the Act’s requirements are met. The guidance is clear that this must be someone sufficiently senior and that responsibility cannot be delegated, even if tasks can.

All premises and events in scope must ensure appropriate public protection procedures are in place so far as is reasonably practicable, covering four areas:

  • Evacuation
  • Invacuation
  • Lockdown
  • Communication
 

The phrase “so far as is reasonably practicable” signals proportionality and aligns with health and safety legislation, but it does not make compliance optional. The procedures expected of a 250-seat regional theatre will differ from those expected of a 30,000-seat arena. Staff responsible for carrying out procedures should be adequately informed and, where appropriate, trained.

Enhanced tier premises and qualifying events face additional duties. The responsible person must put in place appropriate public protection measures, again so far as is reasonably practicable, across four areas:

  • Monitoring the premises or event and its immediate vicinity for suspicious activity.
  • Controlling the movement of people.
  • Mitigating the potential impact of an attack or hindering attackers.
  • Protecting sensitive information about the premises or event from those who do not need it.
 

Enhanced-tier procedures and measures must be documented, with an assessment of how they reduce the vulnerability of the premises or event and the risk of physical harm. Compliance documents must be provided to the SIA.

The term “immediate vicinity” is used deliberately without a fixed distance. The guidance recognises that what counts as the immediate vicinity will vary by premises, event, and circumstance. This reflects a familiar protective security pattern: assessment, judgement, proportionate measures, and documentation.

Preparation, not products

In publishing the statutory guidance, the Home Office and ProtectUK have been explicit that neither the Home Office nor the SIA endorses third-party products offered by the private sector in respect of compliance with the legislation. The Government’s stated intent is that those responsible for premises and events in scope can comply without needing to buy specialist compliance services.

That is the right framing for the next twelve months. The priority is not to purchase a purported compliance solution. It is to understand scope, identify the responsible person and senior individual where required, determine what is reasonably practicable, draft procedures and enhanced-tier measures, train relevant staff, and create the documentary record the SIA will expect to see. It is also to consider how that preparedness will be evidenced to insurers and underwriters, for whom operational resilience and risk presentation are increasingly linked.

The SIA has powers to access premises and events, gather information, and issue compliance, restriction, and penalty notices. In serious cases, criminal offences are available and senior personnel involved in management or control of the organisation may be prosecuted. The Act does not create a private compensation right, but the regulatory and reputational consequences are substantial.

What triggers a K&R insurance claim?

More than you might expect. Comprehensive policies can be triggered by the unexplained disappearance of an insured person – no confirmation of a kidnap required. Malicious or violent threats alone can activate crisis support, with no ransom demand needed. Active assailant incidents, home invasion, and stalking can all be covered by extensions to the coverage. Policies can be extended to cover evacuations linked to security crises and geopolitical developments The policy has evolved well beyond its name.

No. While K&R insurance is frequently associated with travel to high risk destinations, it covers a broad range of critical security incidents, both at home and abroad. Evacuation support, crisis response, reputational protection and business continuity are all part of the Security Risks toolkit, making it a far more versatile product that its origins suggest.

Any organisation or individual with exposure in environments where personal security risks are elevated. This includes companies and organisations with staff travelling to high-risk regions, executives who may be targets for extortion or stalking, and businesses operating in sectors that attract a higher threat profile. Regardless of travel destinations or office locations, organisations who recognise their duty of care towards and consider crisis management a key corporate governance priority should be considering Security Risks insurance.

Blackthorn
document.addEventListener('DOMContentLoaded', function () { document.querySelectorAll('.elementor-background-video-container').forEach(function (el) { el.style.opacity = '0'; setTimeout(function () { el.style.transition = 'opacity 1.5s ease'; el.style.opacity = '1'; }, 5000); }); });