
Martyn’s Law: Practical Steps to Take Now


Erol Ayvaz, CEO of Serve First, and Alan Baldwin, CEO of United Outcomes, combine their expertise to outline key practical steps operators can take to support Martyn’s Law and its vital goal of keeping people safe, while strengthening preparedness and compliance ahead of the Act coming into force.

Across the UK, venues and operators are asking the same question: What steps should we be taking now to prepare for Martyn’s Law?

Whilst the Government’s 24-month implementation period is clearly a necessary step to allow for full statutory guidance and enforcement arrangements to be finalised, it has placed many businesses in a challenging position: They recognise that they will need to make significant arrangements and adjustments to their operations in order to comply with the new law, but as yet, they do not have full clarity as to what these adjustments will need to be.

The result is that many venues are keen to get ahead with their preparations, but sometimes uncertain about where to start.

Roughly 180,000 UK venues fall under Martyn's Law, and for many, the scale of the task feels significant: risk assessments to complete, staff training to plan and evidence, documentation to consolidate, and site-specific vulnerabilities to review.

Furthermore, all of this must be in place before the Security Industry Authority (SIA) begins phased monitoring and enforcement, expected to take place from April 2027.

Understandably, some operators are concerned about costly physical upgrades or complex documentation requirements. However, it is worth bearing in mind that Martyn’s Law is grounded in proportionality: It requires reasonable, practical, documented steps to reduce harm, not necessarily major-stadium-level security for every venue.

What it does demand is proper consideration and clarity regarding risks, procedures, and how compliance can be demonstrated.

So where to start? Here are some key steps to take now:

1. Get the basics right

By now, many venues are familiar with how Martyn's Law applies to qualifying premises such as retail and hospitality venues, places of worship, visitor attractions and educational settings, and whether Standard or Enhanced duties apply. Getting this classification right is an essential starting point, as it determines your obligations and how the SIA will assess compliance.

A comprehensive risk assessment is the foundation of Martyn's Law compliance and the first step to take: it will reveal the vulnerabilities you must address and form the backbone of your defensible decision-making. For organisations that need help getting started, apps from providers such as Serve First can prompt and guide in this area.

A strong assessment should evaluate points such as:

● points of crowding and congregation
● likely attack targets based on layout and access patterns
● existing evacuation, invacuation, lockdown, and communication procedures
● staffing levels and roles
● the accessibility of secure areas
● visibility of potential hostile reconnaissance opportunities

For Standard Duty premises, the emphasis is on Public Protection Procedures (PPPs), reactive actions that reduce harm during an incident. For Enhanced Duty venues and qualifying events, assessments must also consider Public Protection Measures (PPMs), which are proactive and preventative.

Additionally, although Martyn's Law addresses physical terrorism risk, modern threat activity often involves hybrid tactics. A hostile actor may test digital systems to support physical intrusion. Enhanced Duty premises should therefore also assess issues such as the secure handling of sensitive plans and layouts, access control to digital operating procedures, and cyber hygiene of operational systems.

2. Turn findings into a readiness plan and gap analysis

Once findings are understood, operators should:

● prioritise risks
● map gaps against legal obligations
● sequence improvements appropriately
● align actions with budgeting cycles
● build in review points as guidance evolves

Many venues initially overestimate the need for expensive physical measures. Proportionate solutions often involve procedural improvements such as clearer communication routes or better crowd movement planning.

Regulators increasingly expect documented reasoning for why decisions were made, not just what was implemented.

3. Prioritise and track staff training

Training is one of the most important - and most overlooked - components of Martyn's Law. Frontline staff are often the first to notice something unusual and the first port of call that the public turns to in crisis.

It is therefore important that venues ensure staff understand basic PPPs (Standard Duty venues) and provide deeper, scenario-based training at Enhanced Duty venues. A range of free government training is also available and is well worth exploring.

In today's threat environment, this extends beyond physical response protocols - staff should also understand how social engineering, phishing attempts or suspicious digital behaviour can relate to physical threat indicators, a reflection of the growing cyber-physical convergence facing many operators.

Just as important is recording and being able to evidence training for audit purposes. Whether you use a digital system, Learning Management System (LMS) or existing compliance software doesn't matter; the ability to evidence who was trained, when, and on what, is essential.

4. Make compliance manageable

Martyn's Law doesn't just require you to do the work; it requires you to prove you've done it. Real-time audit and reporting tools are useful in addressing this problem, with digital platforms enabling dynamic risk assessments to be undertaken and recorded, decisions to be documented as they are made, and actions to be assigned to specific team members.

Progress and completion can be tracked, gaps proactively flagged, and compliance-ready reports generated at the touch of a button.

As well as being good practice to keep this kind of audit trail, it may also provide useful information for insurers and senior leadership teams, as well as the SIA.

These types of tools are available now and are a good place to start, with useful screening questions and prompts to tailor advice and guide venues towards focusing on the right areas.

5. Centralise documentation

Disconnected systems are the enemy of compliance. When your risk assessment lives in one folder, your training records in another, and your procedures in a third, you can't see the full picture or easily prove you've met your obligations.

Better and more centralised document management is set to be a key cornerstone of Martyn's Law. Using a single, tailored platform where all relevant activity and records can live, ready to present to the regulator or an inspector, means that compliance stops being a static exercise and becomes a live and evolving part of your day-to-day operation.

In conclusion, Martyn's Law is set to significantly impact the operations of many UK venues and operators in order to improve public safety and increase the UK’s resilience in dealing with terrorist incidents. Whilst the work needed to comply with the new law might seem daunting, with the right tools in place to support compliance, it is a chance to strengthen security culture, improve cross-team coordination, and create greater situational awareness across every layer of an organisation.

Our advice is simple:

● Get the basics correct from the start; seek advice to help guide you if necessary
● Commission or conduct a structured risk assessment
● Turn that into a prioritised readiness plan and budget
● Test and practise your plans
● Make training, audits and documentation part of everyday operations
● Keep your risk assessment and plans under regular review

By acting now, and taking advantage of tools to help provide a clearer understanding of your duties and responsibilities under the new law, you will be better placed to satisfy inspectors and insurers, and, most importantly, support the overall aim: keeping people safe.

About the authors

Erol Ayvaz is the CEO and Co-Founder of Serve First, an AI-driven audit and compliance software platform. With over 20 years spent in customer experience (CX) focused roles, Erol has worked with some of the world’s most recognised consumer brands, including SUBWAY, Nando’s, and Ladbrokes, across retail, hospitality, and franchising, where he led programmes to help improve service delivery, auditing and compliance.

Serve First now works with brands across sectors including retail, facilities management, hospitality, leisure and franchising, most recently joining forces with risk and security specialist United Outcomes to create a risk assessment and planning app specifically for venue and event operators looking to comply with Martyn’s Law. www.servefirst.co.uk

Alan Baldwin is CEO of United Outcomes. A former chief police officer with 32 years’ experience, he has served with five UK police forces and worked with public and private sector organisations and NGOs around the world, with board-level experience including roles as CEO and COO. His experience includes overseeing major public safety operations at events such as the London 2012 Olympics, counter-terrorism responses, and major football fixtures across the Premier League, Europe, and international competitions, and he has also played a key role in civil contingency planning as part of the COBRA Covid19 Foresight Group. www.united-outcomes.com 
