The long awaited Terrorism (Protection of Premises) Act 2025, Martyn’s Law for short, gives well needed clarity. The Act received Royal Assent last year, but the main legal duties are not yet enforceable. Therefore, organisations have a valuable implementation window to move beyond policy reviews and focus on operational readiness, says Lloyd Major, pictured, CEO of the event logging and incident management software developer Halo Solutions.
Martyn’s Law is an operational shift toward live operational capability. It is less about introducing new obligations and more about formalising a standard that operators already recognise: safety and security need to be embedded into how the organisation runs every day and not used only when required. For organisations preparing for enforcement, this creates a genuine opportunity to strengthen how its current operations function in daily practice.
What the law is really asking for
The Act does not simply require businesses to define actions, but to ensure that those actions can be carried out by real people, in real conditions, where information may be unclear and time is limited. For larger premises and events the requirements go further. Organisations must also assess their vulnerabilities and implement measures that reduce both the likelihood of an attack being successful and the potential impact if one occurs. This introduces considerations around monitoring, movement, physical security, and information management.
Alongside this, there is a clear expectation around documentation and auditability. Organisations must be able to explain what they have in place, why those decisions were made, and how they contribute to reducing harm. This is not just about satisfying a regulator – it is about creating a record that supports learning, accountability, and continuous improvement. For enhanced tier premises and events, clear senior accountability will also be essential.
What readiness looks like
Across all venue environments, effective operations tend to share a consistent set of characteristics.The first is that procedures are made clear and focused for the teams on the ground. They need to centre on core procedures such as evacuation, invacuation, lockdown, communication. These are designed to be applied quickly, without requiring interpretation of complex scenarios. Secondly, teams need to be trained in a way that builds confidence and resilience. Staff need to know the intent behind a procedure, not just the steps. Exercises and staff training must be practical and reflect real conditions, so the emphasis should be on understanding intent and making decisions.
This then leads on to the importance of information flowing effectively. That means ensuring that incidents and updates are reported from the ground as they happen, allowing control rooms to maintain a live, accurate picture. Doing this supports faster, safer and more informed decision-making. Activity should also be recorded consistently and ideally contemporaneously. Any actions, communications, and decisions need to be logged in real time, creating a reliable audit trail. This supports both compliance and continuous improvement. If information is scattered across radios, paper logs, spreadsheets, private messages and separate contractor systems, leaders may not see the full picture until much later. That creates risk during the incident and weakness during review.
Finally, teams should nominate a strong leadership team to enforce these practices in a quick and calm manner. These people will be championing standards, reviewing performance, and ensuring that safety and security remain a priority. In these environments, compliance is not treated as a separate exercise but a by-product of how the operation functions.
Why paperwork and technology are not enough
When organisations are faced with new regulatory requirements it’s natural to look for solutions that can be implemented quickly and confidently. Yet that often leads to two common approaches. The first is expanding documentation by creating more detailed procedures, plans, and policies. The second is investing in technology by introducing systems intended to manage or automate compliance. Both can play a role. Neither will do it all for the business.
Martyn’s Law does not require businesses to prove that they have the most detailed procedures, or the most advanced systems. It requires them to demonstrate that their operation can respond effectively. That outcome cannot be purchased or documented into existence. Technology, for example, can significantly improve visibility, communication, and auditability. A well-implemented incident management system can provide a single source of truth, enable real-time reporting, and create stronger, more reliable, time-stamped records of activity. These are all valuable capabilities, particularly when it comes to evidencing decisions and coordinating teams. But those benefits only materialise when the surrounding operation supports them.
If reporting is inconsistent, data will be incomplete. If teams are not engaged, systems will be bypassed. If processes are unclear, technology will reflect that confusion rather than resolve it. The same applies to documentation. Detailed procedures may appear comprehensive, but if they are too complex to interpret quickly, they introduce hesitation at the exact moment clarity is needed. The legislation, and the guidance supporting it, point in a different, better direction. They point to having clarity over complexity, usability over excessive detail, and adaptability over rigid instructions.
Culture
The statutory guidance is explicit that protective security is based on a good security culture. It describes this as shared values across an organisation that shape how people think about and approach security, and notes that it takes effort and leadership to build.
Culture is sometimes treated as vague or secondary when leaders are faced with legal duties and regulatory expectations, however in practice, culture determines whether those duties work. It determines whether staff report suspicious behaviour quickly, or assume someone else will; whether contractors are included in briefings, or treated as separate from the core operation; whether exercises are taken seriously, or treated as box-ticking; whether control rooms receive useful information early, or fragmented updates too late. For governments looking at Martyn’s Law from outside the UK, this is one of the most important lessons: regulation can set expectations, but it cannot create operational maturity by itself. When there is a good culture in place, compliance becomes far more straightforward. Without it, even well-designed processes can struggle to deliver the intended outcome.
The real measure of preparedness
Martyn’s Law will now push organisations to review policies, procedures and governance. But the real test will be whether organisations can act effectively when it matters, not just create detailed documents of procedures. That means building a culture where safety and security are part of daily operations. Where training is taken seriously. Is easily remembered. And enacted when it counts. Where contractors are included, information moves quickly and leadership is visible. Where tools and procedures are simple enough to use and strong enough to stand up to scrutiny.
Public safety is not strengthened by paperwork alone. It is strengthened by people, culture, coordination and the discipline to keep improving before an incident forces the issue.





