Martyn’s Law is coming. Here’s what you need to do now.

Martyn’s Law is coming. Here’s what you need to do now.

Martyn Hett was fun. 

A superfan of Coronation Street, he had a tattoo of Deirdre Barlow in prison on his leg. In 2014, he won ‘Couples Come Dine with Me’. 

In 2017, he died.  

The 29-year-old was one of 22 people who were killed in a terrorist bombing at an Ariana Grande concert in Manchester Arena – one of the largest bombings ever to have taken place in the UK. 

Now, a law under his name – Martyn’s Law, also known as Protect Duty – is expected to come into force that will compel public venues in the UK to take wide-ranging security measures to protect visitors. It will have important ramifications for public safety, businesses, and the security industry. 

What is Martyn’s Law?

Memorial for the victims of the Manchester Arena bombing. Photo: David Dixon.

Martyn’s Law is legislation to improve protective security and organisational preparedness at publicly accessible locations. It became a government priority after an effective public campaign to improve venue security led by Figan Murray, Martyn’s mum, and other parents of the people killed at the concert.   

The Draft legislation was introduced to Parliament in the Queen’s Speech on 10th May 2022 and is likely to be introduced by the end of 2023.   

The context of the legislation will be: ‘Proportionality will apply to cost – “reasonably practicable” and size and scope of organisations will apply.  Large organisations with greater risk will be expected to do more that small companies with limited resources.’ 

The key findings from the Public Inquiry into the Manchester attack led by Sir John Saunders included: 

  • The Protect Duty-holder must assess the risks as current risk assessments were not suitable or sufficient for the threat from terrorism. 

  • Depending on the outcome of the risk assessment, the Protect Duty-holder must decide what needs to be done to mitigate the risks. Currently, appropriate mitigation measures are not identified sufficiently. 

  • The Protect Duty-holder should carry out the actions which have been identified.   

  • There should be a system of checking that the actions have been carried out.   

  • If there has been a failure to carry out the actions, enforcement action should follow. Non-compliance with the new legislation could result in sanctions (fines or prohibition orders). 


Who will be affected?    

The most affected organisations will be public venues with a capacity of over 100 persons, such as pubs, night clubs, universities, shopping centres, cinemas, large office blocks with public or shared areas open to the public. These include: 

  • Large organisations with over 250 employees (several premises and locations).   

  • Arenas – Joint stakeholders, promoters, venders, venue owners. 

  • Publicly accessible locations (PAL) like beaches, parks, pedestrian areas in towns, leisure centres, shopping centres, sporting clubs. 

  • Duty holders include: landlords, tenants, owners or facility management companies. 

  • Exempt industries: Aviation, Rail and Maritime.  Extant legislation and regulations include the implementation of counter terrorism measures for these industries. 

 Whilst much of the focus will be on larger venues, it is important for smaller companies to put measures in place such as risk assessments, training staff and monitoring UK threat levels.


What does that mean for venues? 

All venues and publicly accessible areas falling under Martyn’s Law must do the following: 

ASSESS the risk of a terrorist attack – conduct suitable and sufficient risk assessments for terrorist attacks based on current terrorist methodologies e.g: 

  • Scenario-based table-top exercises to identify organisational risk appetite, identify potential risks and vulnerabilities, identify resources to mitigate and roles and responsibilities.  

  • Vulnerability studies of sites, physical security and shared areas where the division of labour and liability between departments or organisations must be made clear and agreed. 

  • Risk assessments must cover the risk requirements for the different levels of threat: low – an attack is highly unlikely; moderate – an attack is possible but not likely; substantial – an attack is likely; severe – an attack is highly likely; critical – an attack is highly likely in the near future. 


  • Plan – amend current crisis response plans or create new plans, including stakeholder engagement plans.   

  • Identify and implement control measures – physical security (CCTV, access barriers etc). 

  • Identify any gaps in planning, roles and responsibilities and resource allocation.  Conduct a cost benefit analysis as appropriate. 

  • Train staff – hostile reconnaissance and incident reporting, trauma first-aid, terrorist methodologies (types of attack).  

  • Maintain current knowledge of terrorist methodologies and the threat level as set by UK. Keep up with the latest Horizon Scanning1.  

  • Ensure all stakeholders are kept up to date on the threat level and specifically briefed if the threat level increases or decreases.


  • Record the implementation of the identified mitigation measures through change management processes, exercise programmes, senior management and organisational reporting and a staff training system. 

  • Amend all appropriate documentation, risk registers, legal and other registers. Include as an agenda item on management meetings and staff meetings. 

  • Set KPIs to record progress and close out the mitigation measures. 

  • Continual review based on exercises, training and staff/stakeholder engagement campaigns and internal audits. 


Inverroy can help you prepare for Martyn’s Law 

Inverroy Crisis Management believes that every organisation should have a plan for when an emergency or disruption occurs. 

We can help with all aspects of the Assess, Mitigate and Record/Evidence process through: 

  • Templates for all policy, processes, and practices: risk assessments, Crisis response and emergency preparedness plans, exercises, checklists, and internal audits. 

  • Consultant engagement for all of the above as well as amending existing management systems or creating new systems based on your business priorities. 

  • Compliance frameworks and advice.  

  • Horizon scanning. 

The feedback from the Home Office consultation exercise further stated the need for pertinent online material to assist organisations with terrorist risk management planning. 

Inverroy has developed an online resilience platform – Inverroy Digital – to make it easier and more secure for organisations to create their Business Continuity and Emergency Response Plans. Inverroy Digital keeps all your plans in one place, centrally updated and accessible, and available even during a cyber-attack.  

For more information on how we can help you prepare for Martyn’s Law, please contact  


Featured photo credit: Manchester Arena by Joel Goodman.

Subscribe To Our Newsletter
Sign up with your email address to receive news and updates