The statutory guidance for the Terrorism (Protection of Premises) Act 2025 (aka Martyn’s Law) gives organisations the clarity they’ve been asking for around what’s expected, and now many are asking the same question: What will it really take to be Martyn’s Law Compliant?.

For many, the instinct will be to approach this like any other regulatory change — review the requirements, update policies, and implement new processes or systems.

That approach will address part of the requirement, but it won’t fully meet the intent behind the legislation.

Because Martyn’s Law is not primarily about what you have written down, it’s about what your operation is capable of doing when it matters. At its core, this is a shift from compliance on paper to capability in practice.

What Has Changed: From Best Practice to Legal Requirement

For years, protective security has been guided by best practice and voluntary adoption. The challenge has been consistency.

Some organisations have invested heavily in preparedness. Others have focused on areas with clearer regulatory pressure.

Martyn’s Law changes that balance.

It establishes a legal baseline for preparedness, requiring organisations to take proportionate steps to reduce harm in the event of a terrorist incident.

Importantly, it does this without prescribing exact solutions.

Instead, it requires organisations to determine what is:

• Appropriate to their environment
• Reasonably practicable based on risk, resource, and context

You are no longer being asked whether you are aware of best practice.
You are being asked whether your operation can demonstrate preparedness.

That includes:

• Having clear procedures
• Understanding vulnerabilities
• Being able to evidence decisions
• Ensuring everything works together under pressure

The assumption underpinning the legislation is simple:

You cannot predict exactly what will happen. But you can control how well you are prepared to respond.

Martyn’s Law Requirements Explained

When broken down into practical terms, the Act sets out four key areas organisations must address.

1. Appointing a Responsible Person

Each premises or event must have a Responsible Person.

For enhanced tier environments, this includes a senior individual accountable for compliance.

This is not just an administrative requirement.

It establishes:

• Clear ownership of safety and security
• A focal point for coordination
• Accountability for how procedures and measures work in practice

In effective operations, this role becomes more than oversight. It becomes a driver of standards, training, and continuous improvement.

2. Public Protection Procedures

All in-scope organisations must be able to respond through four core actions:

• Evacuation
• Invacuation
• Lockdown
• Communication

Most organisations already have policies & procedures for these in some form. The difference under Martyn’s Law is the expectation that these are:

• Clearly defined
• Understood by staff
• Usable under pressure
• Adaptable to real-world scenarios

This is not about having conceptual procedures written down somewhere buried in a hard drive or sitting on a shelf. It’s about creating and reinforcing practices that are widely and easily applicable, suitable and realistic for your organisation, and well known by all staff so that they can apply them when needed without hesitation.

3. Public Protection Measures (Enhanced Tier Only)

Larger or more complex environments must go further by:

• Assessing vulnerabilities
• Implementing proportionate mitigations
• Considering:
  • Monitoring and surveillance
  • Movement and access
  • Physical security
  • Information security

This moves beyond response into prevention and risk reduction.

4. Documentation and Auditability

Organisations must be able to:

• Document procedures and measures
• Explain how they reduce risk
• Provide evidence to the regulator (SIA)

This creates a clear expectation of defensible operations.

It’s not enough to act appropriately, you must be able to demonstrate that you did.

Why Procedures Alone Won’t Deliver Compliance

When preparing for Martyn’s Law, it is natural to look for ways to implement the requirements efficiently, which often leads to two approaches:

• Expanding documentation
• Introducing new technology

Both can add value. Neither solves the problem on their own.

The legislation does not require you to have the most detailed procedures or the most advanced systems, it requires you to demonstrate that your operation can respond effectively under pressure.

That outcome cannot be created through documentation alone.

It also cannot be purchased…

Technology can significantly improve visibility, communication, and auditability. A well-implemented incident management system can provide a single source of truth, enable real-time reporting, and create reliable, time-stamped records.

But those outcomes depend on how the operation around it functions; If reporting is inconsistent then systems will reflect that inconsistency; if teams are not engaged then tools will be bypassed; if processes are unclear then technology will not resolve but expose those gaps.

The same applies to documentation.While detailed procedures may appear robust, if they are not usable in practice then they introduce hesitation rather than clarity.

This is why the legislation points beyond tools and documents, toward something more fundamental.

The Role of Culture in Achieving Martyn’s Law Compliance

At the heart of the statutory guidance is a principle that underpins everything else: effective protective security is built on a shared security culture.

This is not an abstract concept. It has clear operational implications.

A strong security culture influences how people behave when something happens. Like whether:

• Incidents are reported quickly,
• Information is shared openly,
• Individuals take responsibility or wait for instruction,
• Teams coordinate effectively across boundaries.

It also shapes how the organisation prepares:

• How seriously training is taken
• How procedures are developed and reviewed
• How lessons are learned and applied

This is why the guidance places responsibility at both organisational and leadership levels. Culture is not something that sits alongside compliance — it is what enables compliance to function in practice. And it doesn’t occur by accident. It comes from clear expectations, consistent behaviours and ongoing engagement from leadership

When culture is strong:

• Procedures are understood because they are used
• Systems are effective because they are trusted
• Decisions are made with confidence

Without it, even well-designed processes and expensive technologies struggle to deliver the intended outcome, which becomes particularly important when looking at how operations perform day-to-day.

What Will ‘Good’ Look Like?: A Compliant and Capable Operation

In practice, well-prepared organisations tend to share the same characteristics.

Clear, adaptable procedures

• Focused on core actions (evacuate, invacuate, lockdown, communicate)
• Simple enough to be understood quickly
• Flexible enough to apply across different scenarios

Trained and confident teams

• Regular, realistic exercises that build decision-making capability.
• Procedures are tested in realistic scenarios
  discover how the teams at Excel London are approaching realistic testing and training
• Staff understand why actions are taken, not just what to do
• Confidence is built through repetition

Real-time operational visibility

• Information is reported from the ground as it happens
• Control rooms maintain an accurate, shared picture
• Decisions are based on current, reliable information

Defensible audit trails

• Actions and decisions are recorded as they happen
• Organisations can clearly demonstrate:
  • What was known
  • What was done
  • Why decisions were made

This is essential for the learning and continuous improvement that ensures policies, procedures, tools and training all remain up to date and relevant.

Strong leadership and accountability

The Responsible Person and wider leadership team are actively involved in setting standards, reviewing performance, and ensuring that safety and security remain a priority.

In environments like these, compliance isn’t treated as a separate exercise to be ‘ticked off’, but is a by-product of how the operation functions.

Martyn’s Law does not introduce new risk. It highlights that some operations are reliant on assumptions, workarounds and unproven or untested processes.

The organisations that will feel most confident in their compliance with Martyn’s Law will not be those with the most documentation or the highest tech spend.

They will be the ones where:

• Teams understand their role
• Information flows clearly
• Decisions are made with confidence
• And safety and security are embedded into daily operations

When that’s in place then compliance is no longer something separate.

It becomes a natural outcome of a well-run operation.