Erol Ayvaz, CEO of Serve First, and Alan Baldwin, CEO of United Outcomes, suggest practical steps that operators can take in the immediate term to support Martyn’s Law and its vital goal of keeping people safe, while strengthening preparedness and compliance ahead of the Act’s implementation.
What steps should we be taking to prepare for Martyn’s Law? It’s a frequent question raised by venues and operators keen to get ahead with their preparations for the new law, but sometimes uncertain about where to start and what to do now.
Whilst the Government’s 24-month implementation period is clearly a necessary step to allow for full statutory guidance and enforcement arrangements to be finalised, it puts many businesses in a challenging position: they recognise that they will need to make significant arrangements and adjustments to their operations to comply with the new law, but right now they do not have full clarity as to what these adjustments will need to be.
Roughly 180,000 UK venues fall under Martyn’s Law, and for many, the scale of the task ahead feels significant, with risk assessments to complete, staff training to plan and evidence, documentation to consolidate and site-specific vulnerabilities to review. Furthermore, arrangements must be in place before the Security Industry Authority (SIA) begins phased monitoring and enforcement, expected to take place from April 2027.
It’s understandable that some operators worry about expensive physical upgrades or complex documentation. However, it’s important to remember that Martyn’s Law is grounded in proportionality: it calls for reasonable, practical, and documented measures to reduce harm – not major stadium-level security for every venue.
What it does demand is proper consideration and clarity regarding risks, procedures, and how compliance can be demonstrated. Where to start? Here are some key steps that operators and venues can take in the immediate term to get ahead:
1. Get the basics right
By now, many venues are familiar with how Martyn’s Law applies to qualifying premises such as retail and hospitality venues, places of worship, visitor attractions and educational settings, and whether Standard or Enhanced duties apply. Getting this classification right is an essential starting point, as it determines your obligations and how the SIA will assess compliance.
A comprehensive risk assessment is the foundation of Martyn’s Law compliance, and this is the first step to take, as it will reveal the vulnerabilities you must address and form the backbone of your defensible decision-making. For organisations that need help getting started, there are apps by providers such as Serve First which can prompt and guide in this area. A strong assessment should evaluate points such as:
- points of crowding and congregation
- likely attack targets based on layout and access patterns
- existing evacuation, invacuation, lockdown, and communication procedures
- staffing levels and roles
- the accessibility of secure areas
- visibility of potential hostile reconnaissance opportunities
For Standard Duty premises, the emphasis is on Public Protection Procedures (PPPs), reactive actions that reduce harm during an incident. For Enhanced Duty venues and qualifying events, assessments must also consider Public Protection Measures (PPMs), which are proactive and preventative.
Additionally, although Martyn’s Law addresses physical terrorism risk, modern threat activity often involves hybrid tactics. A hostile actor may test digital systems to support physical intrusion. Enhanced Duty premises should therefore also assess issues such as the secure handling of sensitive plans and layouts, access control to digital operating procedures, and cyber hygiene of operational systems.
2. Turn findings into a readiness plan and gap analysis
Once findings are understood, operators should take steps to address the following:
- prioritise risks
- map gaps against legal obligations
- sequence improvements appropriately
- align actions with budgeting cycles
- build in review points as guidance evolves
Many venues initially overestimate the need for expensive physical measures. Proportionate solutions often involve procedural improvements such as clearer communication routes or better crowd movement planning.
Regulators increasingly expect documented reasoning of why decisions were made, not just what was implemented.
3. Prioritise and track staff training
Training is one of the most important – and most overlooked – components of Martyn’s Law. Frontline staff are often the first to notice something unusual and the first port of call that the public turns to in a crisis.
It is therefore important that venues ensure staff understand basic PPPs (at Standard Duty venues) and provide deeper, scenario-based training at Enhanced Duty venues. There is a range of free government training available, which is well worth exploring.
In today’s threat environment, this extends beyond physical response protocols – staff should also understand how social engineering, phishing attempts or suspicious digital behaviour can relate to physical threat indicators, a reflection of the growing cyber-physical convergence facing many operators.
Just as important is recording and being able to evidence training for audit purposes. Whether you use a digital system, Learning Management System (LMS) or existing compliance software doesn’t matter; the ability to evidence who was trained, when, and on what, is essential.
4. Make compliance manageable
Martyn’s Law doesn’t just require you to do the work; it requires you to prove you’ve done it. Real-time audit and reporting tools are useful in addressing this problem, with digital platforms enabling dynamic risk assessments to be undertaken and recorded, documenting decisions as you make them, and assigning actions to specific team members.
Progress and completion can be tracked, gaps proactively flagged, and compliance-ready reports generated at the touch of a button. Keeping this kind of audit trail is good practice, and it may also provide useful information for insurers and senior leadership teams, as well as the SIA.
These types of tools are available now and are a good place to start, with useful screening questions and prompts to tailor advice and guide venues towards focusing on the right areas.
5. Centralise documentation
Disconnected systems are the enemy of compliance. When your risk assessment lives in one folder, your training records in another, and your procedures in a third, you can’t see the full picture or easily prove you’ve met your obligations.
Better and more centralised document management is set to be a key cornerstone of Martyn’s Law, and using a single, tailored platform where all relevant activity and records can live, ready to present to the regulator or an inspector, means that compliance stops being a static exercise and becomes a live and evolving part of your day-to-day operation.
In conclusion
Martyn’s Law is set to significantly impact the operations of many UK venues and operators in order to bring about improvements to public safety and increase the UK’s resilience in dealing with terrorist incidents. Whilst the work needed to comply with the new law might seem daunting, with the right tools in place to support compliance, it is a chance to strengthen security culture, improve cross-team coordination, and create greater situational awareness across every layer of an organisation. Our advice is simple:
- Get the basics correct from the start; seek advice to help guide you if necessary
- Commission or conduct a structured risk assessment
- Turn that into a prioritised readiness plan and budget
- Test and practise your plans
- Make training, audits and documentation part of everyday operations
- Keep your risk assessment and plans under regular review
By acting now, and taking advantage of tools to help provide a clearer understanding of your duties and responsibilities under the new law, you will be better placed to satisfy inspectors and insurers, and, most importantly, support the overall aim: keeping people safe.
About the authors
Erol Ayvaz
Erol Ayvaz is the CEO and Co-Founder of Serve First, an audit and compliance software platform. With over 20 years spent in customer experience (CX) focused roles, Erol has worked with consumer brands, including SUBWAY, Nando’s, and Ladbrokes, across retail, hospitality, and franchising.
Serve First now works with brands across sectors including retail, facilities management, hospitality, leisure and franchising, most recently joining forces with risk and security specialist United Outcomes to create a risk assessment and planning app for venue and event operators looking to comply with Martyn’s Law. Visit www.servefirst.co.uk.
Alan Baldwin
Alan Baldwin is CEO of United Outcomes. A former chief police officer with 32 years’ experience, he has served with five UK police forces and worked in the public and private sectors and NGOs around the world, with board-level experience including roles as CEO and COO. His experience includes overseeing major public safety operations at events such as the London 2012 Olympics, counter-terrorism responses, and football fixtures across the Premier League, Europe, and international competitions, and he has also played a key role in civil contingency planning as part of the COBRA Covid19 Foresight Group. Visit www.united-outcomes.com.




