Martyn’s Law Statutory Guidance:
The statutory guidance for the Terrorism (Protection of Premises) Act 2025 — commonly referred to as Martyn’s Law — has now been published.
This matters because it brings much-needed clarity. Until now, organisations in scope have been working from the Act itself and the accompanying Home Office myth-busters and factsheets. The statutory guidance goes significantly further: it sets out, in specific and legally weighted language, exactly what organisations are required to do, what is strongly recommended, and what they might consider doing depending on their specific circumstances.
Here’s what you need to understand.
The three-word framework: Must. Should. Could.
The statutory guidance uses three words with distinct legal meanings, and reading them as interchangeable is a mistake that could leave your organisation exposed.
‘Must’ denotes a legally enforceable obligation. These are not suggestions. If an organisation in scope fails to meet a ‘must’ requirement and is inspected after the implementation period, it may face enforcement action. This will be overseen by the Security Industry Authority (SIA), which will act as the regulator.
‘Should’ reflects practice the regulator considers highly recommended. Departing from ‘should’ requirements without a documented and defensible reason is unlikely to withstand scrutiny from the SIA.
‘Could’ represents options and considerations. These are context-dependent — what is appropriate at one premises may not be appropriate at another.
Understanding which category each requirement falls into is the starting point for any meaningful readiness assessment.
Bespoke over broadstroke
The guidance reinforces a principle already embedded in the Act: your public protection procedures must be tailored to your specific premises.
The legislation requires organisations to assess what is ‘reasonably practicable’ for their site. That assessment cannot be lifted wholesale from another organisation’s plan or from a generic template, even a good one. The physical layout of your premises, the nature of your activities, your staffing levels, and the profile of the people who use your space all affect what ‘reasonably practicable’ looks like in practice.
This has a direct implication for how organisations approach compliance. The skills required to establish what is reasonably practicable are not the same as those required for fire safety or general health and safety. The methodology is different. The threat picture is different. The regulatory expectations are different.
Organisations that rely on their existing health and safety provider to cover Martyn’s Law obligations run a genuine risk — not because those providers are poor at what they do, but because terrorism risk management is a distinct discipline with distinct requirements.
The implementation timeline: April 2027
With statutory guidance now available, the government’s position is clear. Organisations in scope have 12 months from the publication of the guidance to demonstrate readiness. The expectation is full readiness by April 2027.
That timeline is not as long as it sounds. For organisations with multiple premises, complex operational patterns, or no prior engagement with the legislation, the assessment and documentation process takes time. Starting late compresses the available runway and increases the likelihood of a rushed — and potentially inadequate — response.
How to access the statutory guidance
The statutory guidance is publicly available here.
At 127 pages, it is, as you would expect for legislation of this importance, a substantial and detailed document. Many organisations will need help making sense of what it means specifically for their premises and their activities. If you would prefer a structured, guided approach, the Prova platform has been built by counterterrorism subject matter experts for precisely that purpose. It is not a general compliance tool with a Martyn’s Law module bolted on — it is purpose-built for this legislation.