Blend
/
Compliance Training 9 April 2026

Martyn's Law Training for Venues: What You Need Before 2027

The Terrorism (Protection of Premises) Act 2025 requires venue staff training by 2027. Here's what Martyn's Law requires and what training should look like.

By Tom Payani

The Terrorism (Protection of Premises) Act 2025 — known as Martyn's Law — received Royal Assent on 3 April 2025. The government has confirmed an implementation period of at least 24 months, meaning the law will be fully enforceable by April 2027. The Security Industry Authority will regulate compliance.

If your premises or event can hold 200 or more people at any time, you are within scope. And training is one of the core requirements.

This article explains what Martyn's Law requires, which tier your venue falls into, what training obligations apply, and what effective training looks like in practice.

The Two Tiers

Martyn's Law creates a tiered system based on capacity.

Standard tier: 200-799 people. This covers most pubs, restaurants, small theatres, community halls, places of worship, retail stores, and small outdoor events. Standard tier premises must implement "reasonably practicable" measures to reduce vulnerability and improve preparedness. Staff training is a central component.

Enhanced tier: 800+ people. This covers large venues — arenas, stadiums, festival sites, large theatres, shopping centres, and major event spaces. Enhanced tier premises face additional requirements including a security plan, designated security coordinator, and more comprehensive training obligations.

The capacity assessment is based on a reasonable expectation of how many people could be present at any one time — not the maximum licensed capacity. A pub that regularly hosts 250 people on a Saturday evening is in the standard tier, even if its fire certificate allows 400.

What the Standard Tier Requires

Standard tier obligations are designed to be achievable for smaller venues without a dedicated security function. The core requirements are:

Staff awareness training. All relevant staff must be trained to recognise hostile reconnaissance — the process by which an attacker surveys a target before an attack. This is not about turning pub staff into counter-terrorism officers. It is about developing basic awareness: noticing unusual behaviour, knowing what to report, and knowing how to report it.

An understanding of how to respond. Staff should know what to do in an attack situation. The government recommends the "Run, Hide, Tell" response framework. But knowing this framework exists is not the same as knowing how to apply it in a specific venue layout, under pressure, with members of the public present.

Procedures for evacuation, invacuation, and lockdown. Different attack types require different responses. A vehicle attack outside may call for invacuation (moving people deeper inside the building). An attack inside may require evacuation or lockdown. Staff should know which procedure applies to which scenario and how to execute it in their specific premises.

A documented approach. The Act requires premises to demonstrate that they have taken steps. Verbal briefings without records will not satisfy a regulator. Training should be documented — who received it, when, and what it covered.

What the Enhanced Tier Requires

Enhanced tier premises must meet all standard tier requirements plus additional obligations.

A written security plan. This must include a risk assessment specific to the premises, mitigation measures, and training provisions. The plan must be reviewed and updated regularly.

A designated security coordinator. Someone at the organisation must be named as responsible for the security plan and its implementation, including training.

More comprehensive training. Enhanced tier training goes beyond basic awareness. It should cover threat assessment, communication protocols with police and emergency services, crowd management during an incident, and coordination between different staff roles.

The Free Resources — And Why They Are Not Enough

The government has signposted several free training resources through the ProtectUK platform, including the ACT Awareness e-learning programme and the SCaN (See, Check and Notify) training.

These resources are useful as a baseline. ACT Awareness provides a general introduction to counter-terrorism awareness. SCaN focuses on behavioural detection — noticing indicators that someone may be planning an attack.

However, these resources have limitations.

They are generic. ACT Awareness covers the same content regardless of whether you operate a pub, a shopping centre, or a festival. The threat profile, venue layout, staff composition, and response options are fundamentally different across these contexts. Generic training does not prepare staff for the specific decisions they would face in their specific venue.

They are information-based, not decision-based. Watching a video about hostile reconnaissance teaches staff what it is. It does not test whether they can recognise it in context, or whether they know what to do next. The difference between knowledge and capability is where most training falls short.

They do not generate strong evidence. A completion certificate from a generic e-learning module demonstrates attendance, not comprehension. When the Security Industry Authority assesses compliance, evidence that staff can apply their training will carry more weight than evidence that they clicked through a video.

What Good Training Looks Like

Effective Martyn's Law training shares characteristics with effective training for any operational compliance requirement. It should be specific to the venue, practised through realistic decisions, and documented.

Venue-specific scenarios. Training should be set in a context that mirrors the learner's actual working environment. A scenario set in a large arena is not relevant to a 300-capacity community theatre. The decisions, the layout, the available resources, and the number of staff differ. Training that reflects the learner's reality builds transferable capability.

Decision-driven, not information-driven. Staff should practise making decisions — not just absorb information. What do you do when you notice someone photographing the fire exits? What do you do when a suspicious package is reported by a member of the public? What do you do when you hear an explosion outside the building — evacuate, invacuate, or lockdown? These decisions should be rehearsed before they are needed in practice.

Clear escalation paths. Every scenario should reinforce who to contact, how to contact them, and what information to provide. "Call 999" is necessary but insufficient. Staff should know their venue's internal communication protocol, the location of communication equipment, and who is authorised to make decisions about evacuation or lockdown.

Regular refresh. Annual training at minimum. Additional training when staff turnover occurs, when the venue layout changes, when the threat level changes, or when lessons are learned from incidents elsewhere.

Documentation. Training records should capture who completed training, when, what content was covered, and (for scenario-based training) how the learner responded. This documentation supports compliance when the Security Industry Authority conducts assessments.

The Timeline

The implementation period gives venues until approximately April 2027 before enforcement begins. That sounds like time. For larger enhanced tier venues with dedicated security functions, it is workable. For smaller standard tier venues — the pub, the community hall, the small theatre — the challenge is different.

These venues typically do not have security teams. The people who need training are bar staff, front-of-house volunteers, event coordinators, and venue managers. They have other jobs to do. Training needs to be efficient, relevant, and proportionate to the actual risk profile.

Starting now means training can be delivered incrementally — an initial session followed by annual refreshers — rather than as a last-minute scramble before enforcement. It also means staff build familiarity with procedures over time, which is substantially more effective than a single compressed session.

Getting Started

The practical first steps for any venue within scope:

  1. Determine your tier. Assess your typical occupancy against the 200 and 800 thresholds. This is based on reasonable expectation, not maximum capacity.

  2. Conduct a basic risk assessment. Consider the venue's location, layout, access points, typical events, and any previous security incidents. This does not need to be a professional security audit — but it should inform your training content.

  3. Train your staff. Use the free government resources as a foundation, but supplement with training that is specific to your venue and tests decision-making, not just awareness.

  4. Document everything. Keep records of training sessions, attendees, and content covered. This is the evidence base that supports compliance.

  5. Plan for refresh. Schedule annual refresher training and additional sessions for new staff.

Our Martyn's Law scenario training puts venue staff through realistic situations where they practise recognising threats and making response decisions in a context that mirrors their working environment. It is designed for the standard tier — achievable in a short session, specific enough to be useful, and documented for compliance evidence.

If you are unsure whether your current training meets what Martyn's Law will require, the compliance training diagnostic provides a structured starting point.

Martyn's Law protect duty venue security compliance training terrorism protection UK regulation

Compliance Training Diagnostic

Score your organisation's compliance training against what regulators actually expect. 2 minutes.

Free: AI Training Audit for Your Team

See where AI could improve your training programs. Interactive 5-minute assessment.

Start the Audit
← Back to all posts