Martyn’s Law is about protective security and immediate incident response to terrorism. A Business Continuity Plan (BCP) is about keeping the organisation running after any disruption. They connect, but they are not the same. Update your BCP to handle the impacts that a terrorism incident could create (loss of site, loss of people, reputational pressure), and make sure your emergency/venue response plan hands off cleanly to crisis management and continuity. The law is not yet in force; there will be at least a 24‑month implementation period from April 2025 and statutory guidance will follow.
Sources: Home Office factsheet; ProtectUK overview; legal commentary from Eversheds Sutherland and FTB Chambers.
Home Office | ProtectUK | Eversheds Sutherland | FTB Chambers
Martyn’s Law, formally the Terrorism (Protection of Premises) Act 2025, aims to improve protective security and organisational preparedness at publicly accessible premises and qualifying events. It requires those responsible to consider how they would respond to a terrorist attack, and for larger venues to take proportionate steps to reduce vulnerability. The Act received Royal Assent on 3 April 2025; the government has signalled an implementation period of at least 24 months before it comes into force, with statutory guidance to be published to help duty‑holders comply. A new regulatory function within the Security Industry Authority (SIA) will support, advise and enforce.
Sources: Home Office factsheet, ProtectUK.
The regime is tiered by expected capacity. Current explanations from legal commentators indicate a standard duty for premises of roughly 200–799 capacity and an enhanced duty at 800+ for premises/events that are wholly or mainly open to the public, with private gatherings excluded. Always check final statutory guidance for definitive thresholds and scope.
Sources: Eversheds Sutherland, Home Office factsheet.
It’s understandable that people conflate Martyn’s Law with continuity. Both sit under the resilience umbrella and both may be triggered by the same event. But their purposes are different.
In other words, Martyn’s Law covers the moment of attack and the immediate aftermath in terms of life safety and protective security. BCP covers how you operate once that immediate phase stabilises.
Sources: Home Office factsheet, ProtectUK.
A terrorism incident can create continuity impacts, but not always. Your BCP should care about the effects, not the cause. Typical effects that may flow from a Martyn’s Law‑type incident include:
Treat the terrorism incident as a cause that could trigger one or more of these effects; plan continuity around the effects.
Your security risk assessment may consider attack scenarios such as attacks at ingress/egress points, queues, inside event spaces, on perimeters, or coordinated multi‑site activity. For continuity purposes, translate these into operational impacts: loss of site, loss of people, regulatory constraints, and reputational pressure.
Ask practical questions. If the primary venue is inaccessible for weeks, where do you go? If 20% of your events team is traumatised and unavailable, how do you deliver? If public scrutiny is intense, who leads messaging and with what sign‑off cadence? Categorise impacts into a handful of continuity scenarios rather than trying to plan for every plot variant.
For each impact scenario, define how you will continue operations: alternative venues and suppliers, remote or hybrid delivery models, scaled‑down service menus, staff substitution and surge arrangements, and structured support for affected employees (including psychological support and phased return).
Document who owns immediate response at the venue, what they must do (evacuation, invacuation, lockdown), who they notify, and when the situation escalates to crisis management and BCP. Keep roles and decision rights crystal‑clear so protective security, crisis leadership and continuity complement each other rather than clash.
Train staff, practise evacuation/invacuation/lockdown, and run exercises that test leadership decisions, relocation, communications, managing misinformation, media pressure and staff wellbeing. Include suppliers and partners so that your recovery plan works beyond your four walls.
Define a single chain of command that all plans reference. This is the simplest way to avoid duplicated or conflicting playbooks during a high‑stress incident.
The Act is designed to be proportionate. Government communications emphasise practical, accessible steps and upcoming statutory guidance to help duty‑holders comply without necessarily purchasing specialist services. Focus on clarity of roles, rehearsed procedures and targeted training first.
After any violent incident, people come first. Plan for trauma‑informed support, liaison with families, phased return‑to‑work, and the reality that some staff may not be able to return to the same roles quickly, if at all. This is not just humane; it is essential to continuity.
Design table‑top and live exercises that simulate:
Test the organisation’s ability to cope, not the attacker’s tactics.
No. The Act received Royal Assent on 3 April 2025, with an implementation period of at least 24 months before commencement. Statutory guidance will be published during that period.
A new function within the Security Industry Authority (SIA) will act as the regulator, supporting, advising and enforcing proportionately.
The Act applies to certain publicly accessible premises and ticketed events; private gatherings are excluded. Scope is tiered by expected capacity, with standard and enhanced duties aligned to venue size. Always consult the latest guidance for definitive thresholds and inclusions.
No. It adds counter‑terrorism preparedness alongside your existing safety and resilience obligations. Integrate plans, but keep their purposes distinct.
Think of Martyn’s Law as your immediate protective response capability, and your BCP as your recovery and continuity capability. Both matter. Both should be rehearsed. But they solve different problems. Keep them aligned and you will protect people better and recover faster.