Martyn's Law is the most significant change to UK public safety legislation in a generation. It places a legal duty on premises and event operators to prepare for terrorist threats, and it covers a far wider set of workplaces than most people realise.
The Act received Royal Assent in April 2025. Commencement is expected in Spring 2027. Between now and then, qualifying premises have to do real work: assess capacity, define procedures, train staff, and put systems in place that produce evidence of compliance.
This guide explains what the law requires, who's in scope, what the Standard and Enhanced tiers actually mean, and why protective security is fundamentally a data and systems problem, not just a procedures one.
1. What is Martyn's Law?
Martyn's Law is the common name for the Terrorism (Protection of Premises) Act 2025. It's named for Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena attack. His mother, Figen Murray, campaigned for nearly a decade to make protective security a legal duty for the venues the public passes through every day.
The Act creates a minimum legal standard for terrorism preparedness at qualifying premises and events. It doesn't require every venue to do the same thing. It scales the duty to the size of the location and the level of public access.
The point of the law is preparedness, not prediction. Responsible persons are expected to put reasonably practicable procedures in place so that, in the event of an attack, people on the premises have the best possible chance of staying safe.
2. Who the law applies to
Premises are in scope if they meet three conditions:
- They consist of at least one building
- They're used for a qualifying activity (retail, hospitality, entertainment, education, healthcare, public sector, transport, places of worship, sports grounds, and more)
- They have a capacity of 200 or more people
Public events are in scope if they have an 800+ capacity, are accessible to the public, and use access controls like ticketing or payment.
That covers a much wider set of UK workplaces than most people expect. Corporate HQs that host public events. University campuses. Hospital lobbies. Conference centres. Retail flagships. Multi-tenant office buildings. Even mid-sized community venues.
The responsible person
Every qualifying premises must identify a responsible person. This is usually the operator, owner, or employer with control of the premises. For Enhanced tier premises, you also need a designated senior responsible individual who is accountable for compliance.
3. Standard tier vs Enhanced tier: side by side
The Act creates two tiers based on capacity:
- Standard tier: 200 to 799 people
- Enhanced tier: 800 or more people
Here's how the duties compare:
The Standard tier is designed to be achievable for small and mid-sized premises. The Enhanced tier is intentionally more rigorous because the consequences of an incident at high-capacity premises are more severe.
4. Key dates and the road to Spring 2027
The Act builds in time to prepare. The implementation period is at least 24 months, which is why commencement is expected in Spring 2027 rather than immediately.
5. The SIA's role as regulator
The Security Industry Authority is the regulator for Martyn's Law across the entire UK. The SIA already regulates the private security industry, which makes it a natural fit for this expanded remit.
Once the Act commences, the SIA will:
- Maintain a register of qualifying premises and events
- Issue guidance on how to comply
- Inspect Enhanced tier premises and investigate suspected breaches
- Issue compliance notices and apply financial penalties
- Refer the most serious breaches for potential criminal liability
The SIA has said its regulatory approach will be supportive, proportionate, and risk-based. That's encouraging, but supportive doesn't mean lenient. Enhanced tier premises in particular should expect documented evidence requirements to be substantial.
6. Why Martyn's Law needs a single source of truth
Most of the duties in the Act come down to one question: do you know who's on your premises right now, and can you act on that information fast?
That's a data problem before it's a procedure problem. And it's the single biggest reason that workplaces with disconnected tools struggle to demonstrate compliance, while workplaces with a centralised platform don't.
The disconnected stack breaks down in an emergency
Most UK workplaces have the right tools on paper. Badge readers from a physical access control system. A separate mass notification tool. A paper visitor log at reception.
On a normal day, that setup works. In an incident, it doesn't. The directory is out of date because nobody synced the new joiners. The mass notification tool reaches a subset of employees but not contractors or visitors. The visitor log is a piece of paper in the lobby. Each system holds one signal, but no system holds the truth.
Reconstructing what happened across four systems after an incident is exactly the situation Martyn's Law is designed to prevent.
The single source of truth approach
A workplace platform like Envoy is the centralised source of truth for who is at your workplace and how to reach them. It does three things that disconnected tools cannot:
- Keeps the employee roster current automatically by syncing with Okta, Microsoft Entra ID, and your HRIS. New joiners appear and leavers are removed, with no manual maintenance
- Unifies presence signals from Wi-Fi, badge swipes, SSO sign-ins, geolocation, kiosks, and visitor check-ins into one real-time view of who is actually onsite right now
- Reaches everyone in that view through one emergency notification system: SMS, email, push, Slack, Microsoft Teams, and Envoy Screens
When an incident happens, you alert everyone through one platform, get real-time safety responses, and come away with a full audit trail.
Here's how the two approaches stack up against the duties Martyn's Law expects you to meet:
Before, during, and after: the three moments that matter
The duties in Martyn's Law map cleanly to three moments. A single source of truth supports all three:
- Before an incident: pre-arrival screening, watchlist checks, and access control happen at the front door, with documented procedures the SIA can review
- During an incident: an always-current roster, real-time onsite view, and multi-channel emergency communications reach everyone fast and confirm who is safe
- After an incident: an immutable audit trail of every entry, notification, response, and action becomes the evidence base for the SIA, internal reviews, and legal teams
Why this matters for the SIA inspection
Enhanced tier premises need to demonstrate that their procedures actually work. That means producing evidence on demand: who was onsite during a drill, how quickly notifications reached them, who confirmed safety, who didn't, and what happened next.
A centralised platform produces that evidence as a byproduct of normal operations. A disconnected setup requires someone to assemble it manually under pressure. Only one of those scales.
7. A practical readiness checklist
Premises that wait until late 2026 to start preparing will find themselves behind. Premises that start now will be ready. Here's a practical short list:
- Confirm your tier. Calculate maximum capacity for every site and event you operate.
- Identify your responsible person. For Enhanced tier, identify the senior responsible individual.
- Audit your current visitor and contractor sign-in process. If you can't produce an accurate on-site list in under two minutes, you have a gap.
- Map your current systems. Where do identity, presence, and emergency communication actually live? Where are the gaps between them?
- Document your evacuation, invacuation, and lockdown procedures. Test them.
- Train your staff. The Act emphasises that procedures only work if the people running them know what to do.
- Set up an emergency communication system that reaches everyone onsite, including visitors and contractors.
- Keep records. Sign-ins, drills, training completion, watchlist screenings, and policy updates all become audit evidence.
- Monitor SIA guidance as it is published. The section 12 consultation is the key signal for how the regulator will operate.
8. How Envoy supports Martyn's Law readiness
Envoy is the workplace platform UK organisations use to bring visitor management, onsite presence, and emergency response into one centralised source of truth. That's exactly the foundation Martyn's Law expects.
Visitor management
Envoy’s visitor management system gives every entry point a documented, defensible workflow. Pre-arrival screening, digital sign-in, ID verification, watchlist checks, and audit-ready records run for every visitor, contractor, and guest, every time.
Presence signals
Envoy eliminates the guesswork of who is onsite. It unifies presence signals from Wi-Fi, badge swipes, SSO sign-ins, geolocation, and kiosks into one trusted real-time view across every location.
Emergency & mass notifications
Envoy’s mass & emergency notification system lets you reach everyone onsite in seconds across SMS, email, push, Slack, Microsoft Teams, and Envoy Screens. Because it's built on the same data as Visitors and Presence, your notifications reach visitors and contractors automatically, not just employees in your directory.
Always-current rosters through identity sync
Envoy syncs your employee directory automatically from Okta, Microsoft Entra ID, and other HRIS systems. When someone joins, they appear. When someone leaves, they're removed. Your emergency roster is current every day without anyone maintaining it, which means roll calls and safety checks reach the right people the first time.
Audit-ready by default
Envoy records are always audit-ready. Every entry event, notification, response, and policy step is logged immutably and exportable on a set schedule. When the SIA asks for evidence, you have it ready, not reconstructed.
—
Visitor and emergency management isn't the whole answer to Martyn's Law. Physical security, staff training, building design, and incident response all matter too. But the data layer underneath all of those is what makes them work, and a single source of truth is what makes the data layer dependable.
Get ready for Spring 2027
To see how Envoy becomes your single source of truth for workplace safety, schedule a demo.
