Statutory guidance

Terrorism (Protection of Premises) Act 2025: Statutory guidance

Updated 21 April 2026

Statutory Guidance

April 2026

Presented to Parliament pursuant to section 27(4) of the Terrorism (Protection of Premises) Act 2025

Chapter 1: Status and using this guidance

1.1 This statutory guidance is issued by the Home Office under section 27 of the Terrorism (Protection of Premises) Act 2025, subsequently referred to throughout this guidance as ‘the Act’. ^{[footnote 1]} Section 27 of the Act has been commenced to facilitate the publication and laying before Parliament of this guidance. Further details will be provided on when the substantive requirements of the Act itself will be commenced.

1.2 The Act is commonly known as ‘Martyn’s Law’ in recognition of Martyn Hett, one of the 22 victims of the Manchester Arena attack in 2017. Martyn’s mother, Figen Murray OBE, has led the Martyn’s Law Campaign Team and campaigned for the introduction of the Act.

1.3 The Act applies to England, Wales, Scotland and Northern Ireland. While counter‑terrorism (CT) is the responsibility of the UK government, many of the premises and events in scope of the Act are in devolved areas such as health and education.

1.4 The Act intends to improve organisational preparedness and protective security across the UK. It requires that those responsible for certain premises and events take steps to prepare for potential terrorist attacks and help keep people safe in the event of an attack. In addition, certain larger premises and events are required to consider their vulnerability to acts of terrorism, and, where appropriate, take reasonably practicable steps to reduce those vulnerabilities.

1.5 This guidance has been written to support those responsible for premises and events in scope of the Act to meet the legal requirements. Expert security partners in the National Counter Terrorism Security Office (NaCTSO) and the National Protective Security Authority (NPSA) have developed additional material and guidance to support those responsible for public venues and spaces to consider appropriate protective security. While there is no statutory requirement to put in place the recommendations from this additional material, those responsible for premises and events may wish to consider these additional resources as part of their approach. See non-statutory supplementary document C. ^{[footnote 2]}

1.6 The Security Industry Authority (SIA) will be responsible for fulfilling the regulatory functions set out in the Act. In addition to this guidance, the SIA will publish their own guidance, including statutory guidance under section 12 of the Act.

1.7 Other relevant legislation is referred to in this guidance. The Act does not supersede other legislation, and all legislation must be complied with. Those who have requirements placed on them by this Act may also have obligations under other legislation. This includes, but is not limited to, legislation relating to health and safety, fire safety and licensing, as well as obligations under the Equality Act 2010. The responsible person will want to consider other relevant legislative requirements when meeting the Act’s requirements.

1.8 Prior to Royal Assent, the government completed extensive stakeholder engagement, including two public consultations and pre-legislative and Parliamentary scrutiny during development and passage of the legislation. However, as per section 27(3), before publishing guidance, the Secretary of State “must consult such persons as [they] consider[s] appropriate”.

1.9 The Home Office completed a targeted consultation with sector leads and associations to ensure coverage of Schedule 1 qualifying uses and other government departments and operational partners. This consultation took place over a period of three months.

1.10 As part of the consultation, the Home Office worked with analysts to develop a set of open-ended, qualitative questions in relation to the guidance that were standardised across all consultation sessions. Break-out sessions from larger panels were facilitated by Home Office officials to go through the queries of the consultees systematically. Home Office officials analysed the feedback received and amended this document accordingly or, where they did not, had a clear rationale.

1.11 In response to consultation feedback, this statutory guidance has been substantially revised to improve clarity, consistency and usability. Some of the actions taken include:

• To support readability, summary boxes and checklists have been introduced at the beginning and end of each chapter.
• The former single chapter on requirements has been divided into two to distinguish more clearly between those applying to standard tier and enhanced tier premises (definitions below).
• Infographics in chapters 4 and 5 have been updated to enhance clarity.
• Officials have worked to ensure the document reads with a consistent voice throughout.
• Given the number of novel concepts introduced by the legislation, consultees requested further illustrative examples, many of which have been added.
• Consultees expressed interest in additional non-statutory materials to support understanding of the legislation, which the government is exploring separately.

1.12 There is a statutory requirement to keep the guidance under review. In addition, the government has developed a monitoring and evaluation programme for the legislation. This will enable better understanding of how the guidance is implemented in practice and collect feedback and learning from end users for future implementation.

Using this guidance

1.13 This guidance includes information on the legal requirements under the Act and steps that must be taken to meet these. The legal definition of certain words is used throughout the document. This may be different to how these words are used on a day-to-day basis.

1.14 The terms ‘standard duty’ and ‘enhanced duty’ are used in the Act. In this guidance, ‘standard tier’ and ‘enhanced tier’ are used instead as these are commonly used phrases among sectors in scope. In addition, the words ‘must’, ‘should’, and ‘could’ are used throughout this guidance. Figure 1 below sets out the meaning of these.

Figure 1: Terms used in the statutory guidance

Term used	Meaning in guidance
Must	A legal requirement in the Act.
Should	Not an express requirement in the Act but strongly recommended and encouraged good practice.
Could	Not a legal requirement but an optional suggestion or example.
Standard tier	Premises which fall in scope of the standard duty in the Act are ‘standard tier’ premises.
Enhanced tier	Premises which fall in scope of the enhanced duty in the Act are ‘enhanced tier’ premises. Qualifying events are subject to the same requirements as enhanced tier premises.

1.15 It is recommended that this guidance is read in full. The guidance:

• provides background information and the context behind the development of the legislation (chapter 2)
• introduces and clarifies key terms related to the legislation and the wider protective security landscape, using a glossary of terms (chapter 3)
• provides information to determine whether premises fall in scope of the Act’s requirements as qualifying premises (chapter 4)
• provides information to determine whether events fall in scope of the Act’s requirements as qualifying events (chapter 5)
• supports organisations and individuals to understand who is responsible for premises and events in scope of the Act, and their roles and responsibilities (chapter 6)
• sets out the requirements of the Act under the standard duty, also known as the standard tier (chapter 7)
• sets out the requirements of the Act under the enhanced duty, also known as the enhanced tier (chapter 8)
• provides details on the role of the SIA as the regulator and how it will discharge its functions (chapter 9)

1.16 It is important to note that the procedures and measures set out in the Act are intended to help reduce the risk of physical harm to people. This includes staff at the premises or event. In the requirements of the Act is the concept of ‘reasonably practicable’: there is no requirement for those responsible for premises or events to undertake (or to expect their staff to undertake) actions that are not reasonably practicable because those actions would compromise their own safety.

The examples contained in this document have been written to illustrate specific concepts in the Act and to aid understanding. The examples are not exhaustive and will not directly apply to all premises or events. The examples are not instructions on what should be done in specific circumstances as each qualifying premises and qualifying event will be unique and it is essential that those responsible consider the specific circumstances of the premises or event. The Home Office is not liable if the examples are applied without proper consideration of the individual circumstances of the premises or event.

Chapter 2: Context and drivers for legislation

2.1 The aim of the UK government’s counter-terrorism strategy, CONTEST 2023, is to reduce the risk from terrorism to the UK, its citizens and its interests overseas. Protect and Prepare are two of the key strands of CONTEST. ^{[footnote 3]} It is the responsibility of the government and its agencies to detect and disrupt terrorist activity.

2.2 The Act complements existing Home Office, Counter Terrorism Policing (including NaCTSO) and NPSA work to support the delivery of better protective security and counter-terrorism capabilities at venues and public spaces, through non-legislative and voluntary methods across the UK.

2.3 The Act is based on the assumption that a terrorist attack might occur anywhere. Therefore, the requirements in the Act are not related to considering the likelihood of an attack at specific premises or events. Instead, the Act mandates that the responsible person for standard tier premises, enhanced tier premises and qualifying events considers what public protection procedures are appropriate and reasonably practicable to achieve the objective of reducing the risk of physical harm caused to individuals if an act of terrorism were to occur. For enhanced tier premises and qualifying events only, the responsible person is required to consider what public protection measures are appropriate and reasonably practicable to achieve the objective of reducing the risk of physical harm caused to individuals if an act of terrorism were to occur, as well as to achieve the objective of reducing the vulnerability of their premises or event to acts of terrorism.

Terrorism in the UK

2.4 The current terrorist threat level is stated on MI5’s website. ^{[footnote 4]} The CONTEST strategy summarised the current threat facing the UK as “enduring and evolving”, with a domestic threat which is “less predictable and harder to detect and investigate”. Recent attacks in the UK have demonstrated that there remains terrorist intent to target members of the public at a broad range of venues and public spaces.

2.5 It is not always possible to predict where in the UK an attack might happen, or the type of premises or events that may be impacted – either directly as the target of an attack or indirectly by being located near the target of an attack. To ensure better preparedness and to improve public safety, a broad range of premises and events need to be ready to act to reduce harm.

2.6 It has been judged that the risk from terrorism is rising. ^{[footnote 5]} Independent research conducted in 2019 showed that, without legal compulsion, counter-terrorism security efforts are often deprioritised behind other legally required activities (for example, health and safety, and fire safety) .^{[footnote 6]} This results in inconsistent security efforts across the UK.

2.7 Although terrorist attacks are rare, the impact of terrorist attacks can be devastating and long-lasting. Research indicates that the fear of terrorism alone has a significant impact on individuals. It can cause people to change their activities to avoid risk, for example, relocating outside of cities or being unwilling to use public facilities and transport. These behavioural changes go on to affect the economy and public wellbeing more generally . ^{[footnote 7]}

The evolution of the Act

2.8 In 2019, the Prevention of Future Deaths Report in relation to the 2017 London Bridge and Borough Market attack called for action to mitigate the risk of terrorism. ^{[footnote 8]} In 2021, the publication of the Manchester Arena Inquiry Volume One Report produced recommendations including the introduction of legislative requirements to improve the safety and security of public venues. ^{[footnote 9]}

2.9 In 2021 and 2024, the government undertook public consultations to inform the legislation. ^{[footnote 10]} Extensive engagement with operational and security partners, businesses, local authorities, the Martyn’s Law Campaign Team and other stakeholders also shaped the legislation. A draft Bill was published by the government in May 2023 for pre-legislative scrutiny by the Home Affairs Select Committee (HASC) in June 2023. On 12 September 2024, a revised Bill was introduced to Parliament. On 3 April 2025, the Bill achieved Royal Assent and became the Terrorism (Protection of Premises) Act 2025.

2.10 The implementation period is at least 24 months from Royal Assent to allow those in scope of the Act to prepare for the requirements of the Act coming into force (this is known as commencement) and to fully establish the SIA as the regulator. While there is no legal requirement to comply until the legislation comes into force, those in scope of the Act will wish to begin considering the requirements. This guidance has been published in advance of commencement to enable those responsible to prepare.

2.11 The legislative requirements set out in the Act were developed in collaboration with expert security partners. They are designed to be proportionate, and to deliver a UK-wide step-change to set protective security on the same footing as other regulatory regimes such as health and safety, fire safety and online safety by setting legal minimum requirements for preparedness across a wide range of premises and events.

2.12 Protective security is based on a good security culture. A security culture is a set of values, shared by everyone in an organisation, which determine how people are expected to think about and approach security. A good security culture takes effort to build and cascades from the top down. ^{[footnote 11]} There is a wide variety of protective security procedures and measures that could be implemented in advance of, in addition to, or alongside, the Act’s requirements to ensure effective protective security. The ProtectUK and NPSA websites set out further details. ^{[footnote 12]}

2.13 Supplementary document C outlines further resources which can help to build effective protective security in addition to the legislation. ^{[footnote 13]} This is a non-statutory document that includes signposts to counter-terrorism awareness products and products which may advise on more sector-specific concerns. Where good protective security measures and preparedness procedures already exist at premises and events, the legislation is designed to build on that foundation.

Chapter 3: Glossary of terms

The following glossary explains the key concepts and terms included in the Act and used in this guidance. It may be useful to refer to the glossary while reading the following chapters. Where further information on a concept or term is included in a specific chapter, it is signposted.

Terms

Appropriate (section 5, section 6 of the Act)

Appropriate means suitable. Those responsible for qualifying premises and events must ensure that procedures and/or measures are appropriate, taking account of the specific context of the premises or event.

See paras. 7.21 and 8.24.

At the same time

This is a common term and is understood to mean together or simultaneously. In the Act, the term refers to individuals being present on the premises together at any one time.

See paras. 4.31 to 4.34.

Communication (section 5 of the Act)

Communication is one of the four types of public protection procedure set out in the Act. Communication involves providing information to people on the premises or at the event, alerting people to danger and providing instructions, where it is safe to do so.

See paras. 7.46 to 7.49.

Compliance notice (section 13 of the Act)

A statutory notice issued by the SIA requiring the recipient to comply with a requirement of the Act within a specified period.

See para. 9.10.

Co-operation (section 8 of the Act)

In some cases, an individual or organisation can have some level of control of premises in the enhanced tier or a qualifying event without being the responsible person. In these circumstances, they must co-operate with the responsible person, so far as is reasonably practicable, to help meet the Act’s requirements.

Additionally, where premises form part of larger qualifying premises, they may need to co‑operate with the responsible person for the larger premises for the purposes of that responsible person complying with the requirements of the Act.

See paras. 6.21 to 6.22.

Co-ordination (section 8 of the Act)

In some cases, there may be multiple responsible persons for qualifying premises or events. They must co-ordinate with each other, so far as is reasonably practicable, to meet the Act’s requirements.

Additionally, where qualifying premises form part of other qualifying premises, the responsible persons must co-ordinate with each other, so far as is reasonably practicable, to meet the Act’s requirements.

See paras. 6.16 to 6.20.

Enhanced duty/enhanced tier (section 2(2), section 2(3) of the Act)

The Act establishes a tiered approach for premises – the standard duty and the enhanced duty (also known as the standard and enhanced tiers). Enhanced tier premises are qualifying premises that can reasonably expect 800 or more individuals to be present at any one time, from time to time, for the purpose of a Schedule 1 use.

See chapter 4 for the criteria to be in scope of the Act as qualifying premises (and paras. 4.35 to 4.39 for excluded premises and those subject to different thresholds). See chapter 5 for the criteria to be in scope of the Act as a qualifying event and chapter 8 on enhanced tier requirements.

Evacuation (section 5 of the Act)

Evacuation is one of the four types of public protection procedure set out in the Act. Evacuation involves getting people away from danger by moving them out of the premises or event (or part of the premises or event).

See paras. 7.33 to 7.38.

From time to time (section 2 of the Act)

This means occasionally. In the Act, the phrase ‘from time to time’ is used within the definition of qualifying premises and it refers to how often 200 or more individuals (including staff) can reasonably be expected to be present on the premises at the same time.

See paras. 4.31 to 4.34.

Immediate vicinity (section 5, section 6 of the Act)

This is an area close to the premises. There is no fixed distance associated with the term.

See paras. 7.12 to 7.14.

Invacuation (section 5 of the Act)

This is one of the four types of public protection procedure set out in the Act. Invacuation involves moving people away from danger to a place within the premises or event where there is less risk of physical harm being caused to them. This can include bringing people into the premises or event from outside or moving people from one part of the premises or event to another, where it is safe to do so.

See paras. 7.39 to 7.40.

Lockdown (section 5 of the Act)

This is one of the four types of public protection procedure set out in the Act. Lockdown is the process of securing the premises or event, to prevent individuals entering or leaving.

See paras. 7.41 to 7.45.

The National Counter Terrorism Security Office (NaCTSO)

Police-hosted unit supporting the Protect and Prepare strands of the UK government’s counter-terrorism strategy. NaCTSO manages the ProtectUK website, a source of relevant guidance. ^{[footnote 14]}

The National Protective Security Authority (NPSA)

The UK government’s national technical authority for physical and personnel protective security. The NPSA website is a source of protective security guidance. ^{[footnote 15]}

Penalty notice (section 17, section 19, section 21 of the Act)

A statutory notice requiring a specified amount to be paid to the SIA. This may include daily penalties for continued non-compliance.

See paras. 9.12 to 9.16.

Principal use (section 4 of the Act)

Where premises have multiple Schedule 1 uses (set out in Schedule 1 to the Act), the relevant Schedule 1 use is whichever of those uses is the principal use of the premises. The individual or organisation with control of the premises for the purposes of its principal Schedule 1 use is the responsible person.

See paras. 4.17 to 4.19 and paras. 6.3 to 6.5.

Public protection measures (section 6 of the Act)

Public protection measures are measures relating to monitoring, movement, physical safety and security, and security of information. These measures seek to reduce the risk of physical harm to people and reduce the vulnerability of the premises or event to terrorist attacks. Public protection measures are relevant to enhanced tier premises and qualifying events.

See paras. 8.7 to 8.55.

Public protection procedures (section 5 of the Act)

Public protection procedures are sets of actions that staff can take if they suspect an act of terrorism is occurring, or is about to occur, at the premises, at the event or in the immediate vicinity. The procedures are evacuation, invacuation, lockdown and communication. Public protection procedures seek to reduce the risk of physical harm to people. Public protection procedures are relevant to standard tier premises, enhanced tier premises and qualifying events.

See paras. 7.4 to 7.62.

Qualifying event (section 3 of the Act)

Events meeting the criteria set out in section 3 of the Act and subject to enhanced duty requirements.

See chapter 5.

Qualifying premises (section 2 of the Act)

Premises meeting the criteria set out in section 2 of the Act. Depending on the number of individuals that can reasonably be expected to be on the premises, qualifying premises may be subject to standard or enhanced duty requirements.

See chapter 4.

Reasonably practicable

Reasonably practicable means proportionate. In considering what is reasonably practicable, the responsible person should weigh what can be done to achieve the objectives of procedures and/or measures, balanced against the cost, time and difficulty of implementation. ^{[footnote 16]} The responsible person must consider what is reasonably practicable when ensuring that appropriate public protection procedures and/or measures are in place.

See paras. 7.20 to 7.28, 8.18 to 8.20, 8.25.

Responsible person or responsible persons (section 4 of the Act)

For qualifying premises, this is the individual, organisation or company with control of the qualifying premises for the purpose of its Schedule 1 use. For qualifying events, this is the individual, organisation or company with control of the premises at which the qualifying event is taking place, for the purposes of the event. The responsible person must ensure that the requirements of the Act are met.

See chapter 6.

Restriction notice (section 14 of the Act)

A statutory notice requiring the recipient to comply with specified restrictions relating to the use of the premises or the continuation of the event. This is issued by the SIA.

See para. 9.11.

Schedule 1 use (Schedule 1 to the Act)

A Schedule 1 use is one of the specific types of activities listed in Schedule 1 to the Act. Premises that are wholly or mainly used for any of these activities may fall within the scope of the legislation, if they meet the other criteria under section 2 of the Act, and therefore become qualifying premises.

See para. 4.17 and figure 3.

Scope

This means the boundaries or coverage of the Act (in essence, what is covered under the Act and what is not covered).

Security Industry Authority (SIA)

The regulator for the Terrorism (Protection of Premises) Act 2025. ^{[footnote 17]}

Senior individual (section 10 of the Act)

Where the responsible person for enhanced tier premises or a qualifying event is an organisation or company, a senior individual must be designated to ensure compliance with the Act. The senior individual is someone who is involved in the management or control of the responsible person.

See paras. 6.8 to 6.12 and paras. 8.69 to 8.74.

Staff

Throughout this guidance, staff means all those working at qualifying premises or events, including employees, contractors, volunteers and others. Staff may be full time, part time, shift workers or follow other working patterns.

Standard duty or standard tier (section 2(2), section 2(3) of the Act)

The Act establishes a tiered approach for premises – the standard duty and the enhanced duty (also known as the standard and enhanced tiers). Standard tier premises are qualifying premises that can reasonably expect 200 to 799 individuals to be present at the same time, from time to time, for the purpose of a Schedule 1 use.

See chapter 4 for the criteria to be in scope of the Act as qualifying premises (and paras. 4.35 to 4.39 for excluded premises and those subject to different thresholds) and chapter 7 on standard tier requirements.

Vulnerability (section 1(1)(b) of the Act)

Weaknesses that may be exploited by an attacker to achieve an impact, such as harm to people or an organisation. The presence of a threat is required to exploit a vulnerability.

Wholly or mainly (section 2 of the Act)

Wholly or mainly means entirely or mostly. This is one of the criteria for qualifying premises – that the premises are wholly or mainly used for a use set out in Schedule 1 to the Act.

See paras. 4.17 to 4.21.

Chapter 4: Scope – qualifying premises

4.1 This chapter outlines the criteria for premises to be in scope of the Act. For events, see chapter 5.

4.2 The criteria for ‘qualifying premises’ are set out in section 2 of the Act. Premises that satisfy the four criteria below will be qualifying premises.

Criteria for qualifying premises

• The site meets the definition of premises in the Act (paras. 4.6 to 4.16).
• The premises are wholly or mainly used for one or more of the uses specified in Schedule 1 to the Act (paras. 4.17 to 4.21). ^{[footnote 18]}
• It is reasonable to expect that from time to time 200 or more individuals may be present on the premises at the same time (paras. 4.22 to 4.34).
• The premises are not excluded from being in scope of the Act, as specified in part 1 of Schedule 2 to the Act (para. 4.35). ^{[footnote 19]}

4.3 This chapter of the guidance explains the above criteria so that individuals and organisations can better understand whether premises fall in scope of the Act and, if so, under which tier – the standard tier or the enhanced tier. A location that does not meet the criteria in this chapter may still host events that are in scope of the Act. See chapter 5 for more information on events that may be in scope.

4.4 Supplementary document B provides illustrative examples to expand on the concepts outlined below. ^{[footnote 20]} The document is non-statutory and the illustrative examples are intended to support those responsible for premises and events in interpreting the criteria outlined in the scope chapters. The examples are not instructions on what should be done in specific circumstances as all qualifying premises and qualifying events will be unique and it is essential that the responsible person considers the specific circumstances of the premises or event.

4.5 Figure 2 on the next page provides an overview of the criteria that determine whether premises are in scope of the Act.

Figure 2: Decision tree to determine whether premises are in scope of the standard tier, in scope of the enhanced tier, or out of scope of the Act ^{[footnote 21]}

Key

1. The definition of premises can be found in section 2(2) of the Act.

2. The categories of use set out in Schedule 1 to the Act are:

• 1. shops etc
• 2. food and drink
• 3. entertainment and leisure activities
• 4. sports grounds
• 5. libraries, museums and galleries
• 6. halls etc
• 7. visitor attractions
• 8. hotels etc
• 9. places of worship
• 10. health care
• 11. bus stations, railways etc
• 12. aerodromes
• 13. childcare
• 14. primary and secondary education
• 15. further education
• 16. higher education
• 17. public authorities

3. The Act specifies that premises within the standard tier will reasonably expect from time to time to have a maximum number of between 200 and 799 individuals (including staff) at the same time in connection with one or more Schedule 1 uses. For enhanced tier premises or qualifying events, it is 800 or more individuals (including staff).

4. Excluded premises in Schedule 2 to the Act include:

• Legislatures and devolved administrations.
• Parks, gardens and other open-air premises used for recreation or leisure (only applies to open access premises which do not have measures to secure or check that access is restricted).
• Transport premises that are already subject to relevant existing legislative requirements to consider and mitigate threats.

5. Find out how you can assess reasonable expectation for your premises by following this link: Terrorism (Protection of Premises) Act 2025: Scope (Premises) – GOV.UK

Criterion one: Does the site meet the definition of premises?

4.6 The first criterion is whether the site meets the definition of premises under the Act. To meet the definition of premises, the site must be a building, or a building and other land. A building can include part of a building or a group of buildings.

4.7 For a site to meet the definition of premises under the Act, there must always be a building on the site that is accessible to the public to any extent. ^{[footnote 22]} It is important to note that limiting access to only certain members of the public – for example, those who have paid to enter, have a ticket or pass, or are members or guests of a club, association or similar body – does not stop the premises from being treated as publicly accessible.^{[footnote 23]} There is no specific requirement that the building is made of a certain material or is of any particular size.

Part of a building

4.8 Some premises may have buildings that are primarily used for uses that are not listed in Schedule 1 to the Act but have a separate part of the building that is used for a Schedule 1 purpose. ^{[footnote 24]} The separate part of the building may be in scope of the Act if the other criteria are also met.

Example: A building includes a large factory and a shop selling some of the factory’s produce. The principal use of the building is as a factory – this is not listed as a Schedule 1 use and would therefore not be in the scope of the Act. However, part of the building is used as a shop, which is a Schedule 1 use. Therefore, the part of the building used as a shop could be in the scope of the Act if the other criteria are met.

A group of buildings

4.9 There are many premises which could consist of a group of buildings used for a Schedule 1 use or uses. Common examples could include buildings (and associated land) at a university campus, a hospital complex or a hotel, spa and event centre complex. Indicative factors that define a group of buildings could include that they are in close geographical proximity, that they share a principal Schedule 1 use, or that the responsible person is the same for all or most of the buildings in the group (recognising that there may be some buildings within the group under the control of other individuals or organisations).

Example 1: Fourteen separate buildings in close proximity form part of a hospital complex. The hospital trust operates all fourteen buildings as the responsible person. Therefore, the fourteen buildings are a group of buildings.

Example 2: A supermarket chain has several stores of different sizes situated in the same city. The responsible person for the supermarket chain calculates the reasonable expectation of the number of individuals (including staff) who may be present at the same time, from time to time, at each individual store. ^{[footnote 25]} Based on this calculation, some premises are out of scope of the Act, some are standard tier premises, and two superstores are enhanced tier premises.

They consider whether these qualifying premises could constitute a group of buildings under the Act. However, the closest two stores in scope of the Act are 800 metres apart with numerous other buildings between them. Those other buildings are under the control of various other persons with a variety of different uses.

Therefore, all the stores operated by the supermarket chain are premises in their own right with their own unique circumstances requiring tailored public protection procedures, or public protection procedures and measures, depending on the relevant tier. The responsible person decides that none of their stores constitute a group of buildings.

A building and other land

4.10 A building will often have land associated with it which is used together with the building for a specified use or uses in Schedule 1 to the Act. The term ‘other land’ refers to land that forms part of the premises and is used for, or is associated with, its specified uses. The land will be under the control of the responsible person as part of the premises.

4.11 Land associated with a building will often have a boundary – for example, security fences around a theme park. However, there will be examples of a building and other land which do not have a clear boundary. Examples of a building and other land could include a pub with a beer garden, a restaurant with outside seating, a hotel with grounds that are used by guests and the public, and a stately home and garden.

4.12 There are also premises that are primarily outdoors but include one or more buildings on site – for example, certain racecourses, showgrounds, zoos or theme parks. As the definition of premises refers to the building and the other land, it is not relevant whether individuals are expected to be present in the buildings, only gathered on the land outside, or a mixture of both.

Premises within other premises

4.13 There are examples of premises that will be in scope of the Act and have multiple units within them – for example, a shopping centre or an entertainment complex which includes cinemas, restaurants and arcades. All of these would usually have separate responsible persons.

4.14 If smaller premises within larger premises meet the criteria to be in scope of the Act, the smaller premises themselves will be qualifying premises in addition to the larger premises. The smaller premises will only be qualifying premises if it is reasonable to expect that from time to time 200 or more individuals may be present on the premises at the same time in connection with one or more uses specified in Schedule 1 to the Act. Smaller premises within larger ones will only qualify for the enhanced tier (under section 2(3)) if it is reasonable to expect that from time to time 800 or more individuals may be present on the premises at the same time in connection with one or more uses specified in Schedule 1 to the Act.

4.15 Where smaller (qualifying or non-qualifying) premises are within larger qualifying premises, co-ordination and co-operation requirements may apply. (See paras. 6.16 to 6.20 for further information on co-ordination and paras. 6.21 to 6.22 for further information on co-operation.)

4.16 Where smaller premises within larger premises are not in scope, the requirements of the Act to put in place procedures and measures do not apply to the smaller premises. However, see paras. 6.23 to 6.24 for further information on responsibilities for non-qualifying premises.

Criterion two: Are premises wholly or mainly used for one or more specified uses?

4.17 The second criterion is whether premises are wholly or mainly used for one or more specified uses as set out in Schedule 1 to the Act. Premises may be used for more than one Schedule 1 use and therefore those responsible for premises may need to assess how premises are used most of the time or if there is a principal use. Figure 3 provides examples of the types of premises that may be covered as Schedule 1 specified uses.

Figure 3: Examples of premises that may be used for specified uses in Schedule 1 to the Act

Specified use in Schedule 1 to the Act	Premises that may be used for this specified use: examples are non-exhaustive
Shops etc.	This covers premises involved in the sale of both goods and services. This includes shops, retail units, showrooms, post offices, banks, fuel stations and shopping centres.
Food and drink	This includes bars, pubs, restaurants, cafés and food halls.
Entertainment and leisure activities	This includes nightclubs, theatres, cinemas, concert halls, arenas, theme parks, zoos, aquariums, amusement arcades, casinos, gyms, leisure centres, swimming pools and bowling alleys.
Sports grounds [footnote 26]	This includes sports arenas or stadia where sports or other competitive activities take place in the open air (or would take place in the open air, but for the closing of any retractable roof) and where accommodation has been provided for spectators.
Libraries, museums and galleries etc.	In addition to libraries, museums and galleries, this includes archives or sites where a collection of objects or works (considered to be of scientific, historic, artistic or cultural interest) is exhibited outdoors or partly outdoors.[footnote 27]
Halls etc.	This includes village halls, community centres, venues for hire for events or activities, exhibition halls and conference centres.
Visitor attractions	This includes any attraction of cultural, historic, touristic or educational value. This could include heritage railway lines.
Hotels etc.	In addition to hotels, this includes hostels and holiday parks.
Places of worship	This includes churches, mosques, synagogues, temples, gurdwaras, cathedrals and other places of worship. Para. 4.37 sets out specific criteria for places of worship.
Health care	This includes hospitals, primary care clinics and doctor and dentist surgeries.
Bus stations, railway stations etc.	This includes railway, bus and coach stations, tramway stations or any other stations forming part of a transport system which uses a mode of guided transport and is not a trolley vehicle system. Para. 4.35 sets out the transport premises which are excluded from the Act.
Aerodromes	This includes facilities used for the landing and departure of aircraft. Many aerodromes are excluded, including if they are used exclusively for military purposes or if there is a security plan in force under section 24AE of the Aviation Security Act 1982, as per Schedule 2, para. 4(a) to the Act. [footnote 28]
Childcare	This covers premises used for early years provisions. This includes day cares, pre-schools and nurseries. Para. 4.38 sets out specific criteria for childcare.
Primary and secondary education	This covers educational institutions and schools for children under the age of 16 years. This includes alternative provision academies and pupil referral units or other institutions, as per Schedule 1, para. 14(2) to the Act. Paras. 4.38 to 4.39 set out specific criteria for primary and secondary education.
Further education [footnote 29]	This covers premises used for full-time education suitable to the requirements of persons over compulsory school age who have not attained the age of 19 years. This includes colleges and sixth-form colleges, and independent training providers that are (wholly or partly) publicly funded. Paras. 4.38 to 4.39 sets out specific criteria for further education.
Higher education	This includes universities and their associated institutions; institutions conducted by a higher education corporation, which are registered higher education providers, or which provide higher education courses, where this is the principal use; and residential accommodation for students managed by or on behalf of a higher education institution. Para. 4.39 sets out specific criteria for further education.
Public authorities	This covers any premises used by a public authority for the provision of facilities or services to members of the public. This includes household waste recycling centres.

4.18 In considering whether premises are used wholly or mainly for a Schedule 1 use, consideration should be given to all the circumstances surrounding the use of the premises. In particular, consideration should be given to the amount of time that the premises are used for the Schedule 1 use compared with the amount of time that the premises are used for any other use. It is possible that premises may have more than one Schedule 1 use. In those circumstances, the responsible person will be the person with control of the premises for the principal use.

Example: A site contains several buildings, which have various Schedule 1 uses. The site consists of one building containing a secondary school, with a gym in part of the same building, a theatre in another building, and a café in a third building.

The three buildings are not connected to one another but have shared common areas, including a car park and green spaces.

The secondary school is wholly or mainly used for the Schedule 1 use of secondary education, although it is also used for the Schedule 1 use of entertainment and leisure through its hosting of community activities during the evenings and at the weekend.

The gym, within the same building, is also wholly or mainly used for the Schedule 1 use of secondary education, as it is mostly used by pupils and staff of the school, but it is open to the general public for limited hours in the evenings and at the weekend.

The café and the theatre are both used by the school for the Schedule 1 use of secondary education. The school uses the café for school lunches and food technology classes, and the theatre for drama classes and school plays.

However, both the café and the theatre are open to the general public throughout their opening hours and are wholly or mainly used for the Schedule 1 uses of food and drink and entertainment and leisure respectively.

4.19 Consideration should be given to whether the premises will be continuously used for a particular use or uses over a period of time (rather than simply considering the use or uses which the premises are used for at the time the assessment is made).

Example 1: A university site consists of several halls of residence which accommodate its students during the academic year. The university manages these halls of residence.

At the end of the academic year, the university rents out the halls of residence to the public as a hostel. Between the months of August and September, the premises are wholly used as a hostel. In August, the responsible person for the university (the governing body) assesses that the premises are mainly used to accommodate its students.

Example 2: A large sports stadium is purpose-built for sports events. It holds sports events every weekend and on certain weekdays during the season. In addition, the stadium can be hired for conferences throughout the year on days when sports events are not taking place.

The main business use of the stadium is as a sports stadium. The conference usage is a secondary use that uses the premises during downtime. Therefore, it can be considered that use as a sports ground is the main use of the premises.

4.20 Where the numbers of individuals that are reasonably expected to be present differ significantly from one time to another, such as when the premises are closed to the public or are not being used for their Schedule 1 use, it may be appropriate for public protection procedures or measures to vary.

4.21 Where the premises are not qualifying premises because they are not wholly or mainly used for Schedule 1 uses, the premises may still be in scope of the Act if a qualifying event takes place there. The premises would come into scope of the Act for the duration of the qualifying event taking place. For instance, if a stately home that is otherwise out of scope as a private residence is hired by an event organiser to host a one-off festival that meets the qualifying event criteria, then the parts of the property used for the event would be in scope for the purposes of holding that qualifying event. See chapter 5 for further details on qualifying events.

Criterion three: Do the premises meet the threshold for the number of individuals at the premises?

Supplementary document A sets out some example (non-exhaustive) methods that may be used to assess the number of individuals expected to be present. The supplementary document is non-statutory and may be useful to read alongside this part of the guidance.^{[footnote 30]}

4.22 The third criterion is that it is reasonable to expect that, from time to time, 200 or more individuals may be present on the premises at the same time in connection with one or more uses specified in Schedule 1 to the Act. See paras. 4.31 to 4.34 for more detail on understanding at the same time and from time to time.

4.23 A reasonable method should be used to calculate the greatest expected number of individuals at the premises at the same time. This figure must include staff working at the premises in connection with a Schedule 1 use. Throughout this guidance, staff refers to all those working at premises or events, whether as employees, contractors, volunteers or otherwise. Only those attending or working in the part of the premises used for a Schedule 1 use should be included in the assessment. The responsible person could use a suggested method outlined in supplementary document A.

4.24 The responsible person should consider, for example, the busiest trading or visiting times to establish the maximum numbers of individuals in attendance. Where the method chosen to assess the reasonable expectation of individuals present (either listed in supplementary document A or another method) does not include the number of staff expected to be present – for example, historic ticketing or attendance data or fixed seating/standing positions – this must be added to the final assessment figure.

4.25. Whatever method the responsible person chooses, it must be evidenced and must satisfy the SIA, if necessary, that it is a reasonable way of assessing attendance in the particular circumstances of the premises. The SIA can require the responsible person to provide information about how the assessment was carried out using information gathering powers at Schedule 3 to the Act. ^{[footnote 31]}

4.26 Where it can be reasonably expected that between 200 and 799 individuals will be present on the premises at the same time, from time to time, the premises will be in the standard tier (if the other criteria in this chapter are also met). If the figure is 800 or more individuals, the premises will be in the enhanced tier (if the other criteria in this chapter are also met).

4.27 The premises will not be drawn into scope of the Act if the greatest number of individuals expected to be present on the premises at the same time, from time to time, is 199 or fewer. The reasonable expectation of individuals present may change over time. It is therefore possible for the premises to move from one tier to another or out of scope of the Act entirely based on how many individuals it is reasonable to expect will be present at the same time, from time to time.

4.28 There are special considerations for some premises, such as places of worship and some educational facilities. These types of premises will always be standard tier premises if they can expect 200 or more individuals to be present at the same time, from time to time, even if the enhanced tier threshold of 800 or more individuals is reached. Paras. 4.36 to 4.39 explain which qualifying premises are subject to different criteria.

4.29 Where there is a group of buildings (which are one qualifying premises), the number of individuals reasonably expected in each building at the same time should be added together to assess the number of individuals at the premises.

4.30 Where there are premises within premises (for example, units in a shopping centre), the number of individuals expected to be in each of the premises within the shopping centre (for example, each individual shop) should be added together for the purposes of calculating the number of individuals at the shopping centre. However, when calculating the number of individuals within individual premises in the shopping centre (for example, a small clothes shop), the number of individuals in the shopping centre as a whole, or in other premises within the shopping centre, should not be added together.

Example: A shopping centre has 38 units, comprising 32 retail stores, 3 restaurants and 3 coffee shops in the same building. The shopping centre operator is responsible for the premises overall because they control the common areas, entrances and exits. The operator assesses that 800 or more individuals (including staff) are expected to be present within the shopping centre – including its individual units – at any one time and concludes that the premises fall in scope of the enhanced tier.

The shopping centre operator rents out the smaller units within the premises to retailers and other companies who assume control of the individual units. Some of the units are qualifying premises as they meet the number of individuals it is reasonable to expect for the standard or enhanced tiers, and therefore those responsible for those premises must ensure the appropriate requirements are in place for the relevant tier.

The shopping centre operator is the responsible person for the centre itself and must ensure that appropriate public protection procedures and measures are in place for the centre. The shopping centre operator liaises with the responsible persons for the smaller qualifying premises within the shopping centre regarding some of the procedures – for example, lockdown and evacuation procedures (see chapter 7 for further information on procedures and chapter 8 for more information on measures) to ensure these are effectively co-ordinated (see paras. 6.16 to 6.20).

From time to time and at the same time

4.31 ‘From time to time’ is a common term and is understood to mean occasionally. In the Act, this term refers to how often 200 or more individuals (including staff) can be reasonably expected to be present on the premises. The term is used to recognise that this number can vary due to many factors over time such as fluctuations due to the time of day, the day of the week, or the season (for example, increases in numbers during the Christmas period). There is a degree of predictability inherent to ‘from time to time’. If 200 or more individuals (including staff) can reasonably be expected to be present on the premises on occasion, this criterion is likely to be met.

Example: A clothing shop has a maximum occupancy figure of 300 based on its assessment of safe occupancy for fire safety. However, historic records show that the shop usually has well below 200 individuals (including staff) on the premises at the same time. Those responsible for the shop therefore initially consider the shop to be out of scope of the Act.

However, the number of individuals on the premises at the same time has exceeded 200 individuals (including staff) in the last three years on several occasions during Black Friday and January sales. On those occasions, the capacity of 300 individuals (including staff) has been reached several times.

While the average number of individuals on the premises at the same time is below 200, it is reasonable to expect that 200 or more individuals will be present on the premises at the same time, from time to time. Therefore, those responsible for the shop re-consider their assessment and realise that the premises are in scope of the standard tier.

4.32 ‘At the same time’ is also a common term and is understood to mean together or simultaneously. In the Act, the term refers to individuals being present on the premises together at any one time.

4.33. If premises within the standard tier (200 to 799 individuals) unexpectedly exceed the enhanced tier threshold (800 or more individuals), and this could not have been reasonably expected and is not expected to happen again, the premises will remain within the standard tier. This could be because the increase in attendees is due to circumstances that are not reasonably expected, considering past attendance patterns and the purpose for which the premises are used.

Example: A retail shop has a safe occupancy figure of 950 individuals including staff. Using historic data over previous years, the shop demonstrates its actual usage at peak times is 450 which meets the standard tier threshold. ^{[footnote 32]} However, one of its products gains unexpected social media attention overnight. The following day, due to the popularity of the product, visitor numbers unexpectedly increase at the shop, and the number of individuals present at the same time increases into the enhanced tier threshold.

In this situation, the retail shop will remain within the standard tier, assuming the shop could not have reasonably expected the increase in the number of individuals present and does not expect this increase to occur again in the future.

4.34 If premises are not in scope of the Act but have an unexpected, one-off occurrence when the number of individuals present exceeds the standard tier threshold, the premises will remain out of scope of the Act. This is the case as long as the occurrence could not have been reasonably expected and is not expected to happen again. However, planned and expected occurrences that take the premises over the threshold of either tier from time to time will draw the premises into scope under the relevant tier – for example, this could happen during seasonal sales and bank holiday attendance surges.

Example: A village hall hosts regular community activities including sports clubs, Guides, Scouts and jumble sales. The hall has a safe occupancy figure of 250 individuals.^{[footnote 33]} If it were expected that 200 or more individuals (including staff) would be present at any one time, from time to time, the hall would be in the standard tier. However, historic records of attendance at these activities demonstrate that there have not been more than 150 individuals on the premises at any one time in the last five years. Therefore, those responsible for the village hall consider that it is out of scope of the legislation.

A band from the village has recently had chart success and has hired the hall to play a concert for the community. They expect to sell 220 tickets and have additional support staff, which will result in 250 individuals being present on the premises at any one time for this event. The premises will not be drawn into the standard tier and will remain out of scope of the legislation, as this event was unforeseen and is not expected to be repeated. The event will not be a qualifying event under the legislation, as that would require there to be 800 or more individuals at the event at any one time and this will not be the case here.

However, if the band’s success continues and they subsequently hire the hall to play further concerts on the premises, and it is reasonable to expect that 200 or more individuals may be present on the premises at the same time, the premises would be drawn into scope of the standard tier.

Criterion four: Are the premises excluded or exempt from being in scope of the Act?

4.35 Schedule 2 to the Act excludes certain premises from being in scope: ^{[footnote 34]}

• Houses of Parliament, devolved legislatures and devolved governments: Premises occupied for the purposes of either the Houses of Parliament; the Scottish Parliament or a part of the Scottish Administration; the Senedd Cymru or the Welsh Government; or the Northern Ireland Assembly or a Northern Ireland Department are not in scope of the Act.
• Parks, gardens, recreation grounds, sports grounds (which are not designated sports grounds) and other open-air premises used for recreation, exercise or leisure: ^{[footnote 35]} These are excluded from scope, unless there are measures in place to secure or check that members of the public who wish to access the premises have: paid to do so, have tickets or passes allowing access, or are members or guests of a club, association or similar body. If controls are in place for certain facilities at premises, but those controls do not limit public access to the premises generally (that is, the premises other than those specific facilities), then the premises are excluded from scope. ^{[footnote 36]} For example, a sports ground may charge users a fee to hire pitches, but those charges are not a condition to access the premises in general (other than the hired pitches), so the sports ground more generally is not in scope.

Example 1: A ruined abbey is a tourist attraction. Those responsible for the ruined abbey (a heritage organisation) consider that it is in scope of Schedule 1(7) to the Act due to the abbey’s use as a visitor attraction of cultural, historic, touristic or educational value. They expect the number of individuals (including staff) to be present on site at any one time, from time to time, to be 800 individuals or more. Therefore, they initially assess that the site may be enhanced tier premises. However, the site is an open-air tourist attraction. As it has no building, and it is not a building and other land, it is not in scope of the Act as premises under the criteria for qualifying premises.

Separately, the site is regularly hired for theatrical performances where 800 or more individuals attend and where entry controls are in place based on ticketing. These events are qualifying events in scope of the Act under section 3. This is because the site qualifies as premises under the criteria for qualifying events. To be defined as premises for the purposes of a qualifying event, the Act sets out that, “the premises at which the event is to be held consist of a building, other land or a building and other land (and for these purposes ‘building’ includes part of a building or a group of buildings)”. The ruined abbey site consists of other land.

Therefore, the ruined abbey is in scope during these events, and the responsible person is the relevant events organisation.

As time goes on, the heritage organisation with responsibility for the ruined abbey decides to build toilet facilities and a café on the site. These facilities are all under the control of the heritage organisation. The site now has a building and other land and is in scope of section 2(2)(a) of the Act. The premises would now be in the enhanced tier, as it is foreseeable that the regular events would be attended by 800 or more individuals at any one time, from time to time.

Example 2: A junior football club run by volunteers plays most of its home matches at the local sports ground. This is fully accessible to the public with no access controls and there is no spectator accommodation, such as stands and terraces. Average attendance at each match, including the players, volunteers and parents, is 60. However, sometimes the club hosts tournaments at the sports ground with attendance of 200 or more individuals at any one time, from time to time.

As the sports ground is publicly accessible with no access controls and no spectator accommodation, it is neither qualifying premises nor a qualifying event. Therefore, there is no responsible person, and these matches are not in scope of the Act.

• Transport security: Transport premises (for example, at applicable airports, national rail and underground premises, international rail premises, and port facilities) are excluded where they are already subject to existing legislative requirements to consider and mitigate threats.

Exempt premises

• Crown premises (Schedule 3 to the Act, para. 14): ^{[footnote 37]} As a general rule of statutory construction, an Act does not bind the Crown save by express words or necessary implication. For the purpose of this Act, Crown premises include premises belonging to a government department or held in trust for His Majesty for the purposes of a government department. However, the requirements can apply to Crown premises that are not occupied by the Crown, if the premises meet the other criteria to be in scope of the Act. For instance, if there are government premises, or parts of premises, that are under the control of other parties, they can be in scope where they meet the relevant qualifying criteria.

Premises subject to different thresholds

4.36 There are types of premises in scope of the Act that are always treated as standard tier premises if they meet the qualifying premises criteria, even if 800 or more individuals (including staff) are reasonably expected to be present at the same time, from time to time.

4.37 Places of worship that can reasonably expect 200 or more individuals (including staff) to be present on the premises at the same time, from time to time, will be in scope of the standard tier, even if that number of expected individuals is 800 or more. ^{[footnote 38]}

4.38 All premises used for childcare or primary, secondary or further education that can reasonably expect 200 or more individuals (including staff) to be present on the premises at the same time, from time to time, will be in scope of the standard tier, even if that number of expected individuals is 800 or more. ^{[footnote 39]} Existing safety and safeguarding requirements mean there are likely already procedures in place at these establishments. These may include, for example, access control, lockdown and evacuation procedures.

4.39. The operating environments for childcare and primary, secondary and further education establishments are significantly different to higher education premises, such as universities. Parts of higher education premises are usually freely accessible to members of the public and/or may frequently be accessed by the public for different events. As such, higher education premises are treated in the same way as other premises in scope and can fall within the enhanced tier, if the criteria are met. A higher education institution is defined in paragraph 16(3) of Schedule 1 to the Act. ^{[footnote 40]}

Chapter 4 – summary

• Premises must meet all the criteria at section 2 of the Act to be qualifying premises. Otherwise, the premises will be out of scope.

Standard tier (see chapter 7 for requirements relevant to the standard tier)

• For premises to be in scope of the standard tier, it is reasonably expected that between 200 and 799 individuals may be present at the same time, from time to time.
• If the principal use of the premises is childcare, education (primary, secondary or further education) or as a place of worship, the premises will be in the standard tier even if it can be reasonably expected that 800 or more individuals will be present at the same time, from time to time.

Enhanced tier (see chapter 7 and chapter 8 for requirements relevant to the enhanced tier)

• For premises to be in scope of the enhanced tier, it is reasonably expected that 800 or more individuals may be present at the same time, from time to time.

Chapter 5: Scope – qualifying events

5.1 This chapter focuses on events that are drawn into scope of the Act. If an event is being hosted at premises, see chapter 4 to determine whether the premises satisfy the criteria to be qualifying premises.

5.2 The criteria for qualifying events are set out in section 3 of the Act. Events that satisfy the following six criteria will be qualifying events.

Criteria for qualifying events

• The event takes place at premises as defined in section 3(1) – that is, a building, other land, or a building and other land (paras. 5.5 to 5.9). This is a wider definition than that applied to qualifying premises as it also includes land without buildings.
• The event takes place at premises that are not already covered by the Act as enhanced tier premises (paras. 5.10 to 5.11).
• The event is accessible to the public (paras. 5.12 to 5.15).
• It is reasonable to expect that, at some point during the event, 800 or more individuals may be present on the premises at the same time in connection with their use for the event (paras. 5.16 to 5.21).
• The event has measures in place to check that attendees satisfy an entry condition (paras. 5.22 to 5.26).
• The event is not taking place at excluded premises (para. 5.27).

5.3 Supplementary document B provides illustrative examples to expand on the concepts outlined below. ^{[footnote 41]} The supplementary document is non-statutory and the illustrative examples are intended to support those responsible for premises or events in interpreting the criteria outlined in the scope chapters. The examples are not instructions on what should be done in specific circumstances as all qualifying premises and qualifying events will be unique, and it is essential that the responsible person considers the specific circumstances of the premises or event.

5.4 Figure 4 on the next page provides an overview of the criteria that determine whether an event is in scope of the Act.

Figure 4: Decision tree to determine whether events are in scope of the Act ^{[footnote 42]}

Key

1. The definition of events can be found in section 3(1)(a) of the Act.

2. The event must be taking place at a location that is not already in scope of the Act as enhanced tier premises. If the premises meet the criteria to be enhanced tier premises, please see the infographic on qualifying premises.

3. Members of the public must be able to access all or part of the premises for the purposes of attending the event. Events will not be qualifying events under the Act where the condition for entry is personal to the attendees and, as a result, access is not open to the public.

4. The event must have measures in place to check that attendees satisfy a condition of entry. This is the requirement that, to enter the event, members of the public have paid, have a ticket or pass, or are members or guests of a club, association or similar body.

5. Certain events are excluded from being qualifying events under Part 2 of Schedule 2 to the Act. These are:

• an event held at premises specified or described in the following paragraphs in Schedule 2 to the Act

  • paragraphs 1 and 2 (legislatures and devolved administrations),
  • paragraph 4 (transport security).

• an event that is to be held at premises wholly or mainly used for a use specified in the following paragraph of Schedule 1: paragraph 9 (places of worship), paragraph 13 (childcare), paragraph 14 (primary and secondary education), or paragraph 15 (further education)

6. To be in scope, it should be reasonable to expect that 800 or more individuals will be present at the event at the same time, at some point during the event. This figure must include staff working at the event. Only those attending or working in the part of the premises connected with the event should be captured.

Find out how you can assess reasonable expectation for your event by reading this content:

Terrorism (Protection of Premises) Act 2025: Scope (Events) – GOV.UK

Criterion one: Does the event take place at premises as defined in the Act?

5.5 The first criterion is whether the event occurs at a location which meets the definition of premises under section 3(1) of the Act, that is a building, other land, or a building and other land. For these purposes ‘building’ includes part of a building or a group of buildings. There is no specific requirement that the building is made of a certain material or is of any particular size.

Part of a building

5.6 The definition of a building includes part of a building. There are many instances where only part of a building will be used to host an event.

A group of buildings

5.7 There are instances where a single event takes place across multiple buildings.

Example: A private warehouse complex, consisting of several buildings, is being used to host an art fair over a weekend. Outside of the event, the warehouse complex does not fall in scope of the Act. However, as the art fair meets the qualifying event criteria, the buildings can be considered as being used to host a qualifying event for the duration of the art fair.

Other land

5.8 An event can occur on land without buildings, such as in a park or field. For example, a music festival in a field would be defined as being hosted at premises under ‘other land’.

A building and other land

5.9 An event may occur within a building and on land which is associated with that building. The land will be part of the premises, and both the building and the land will be used for hosting the event.

Criterion two: Are the premises where the event takes place not currently covered by the Act as enhanced tier premises?

5.10 Where an event takes place at enhanced tier premises, the event is not considered a qualifying event under the Act (see chapter 4 for information on enhanced tier premises). Those responsible for enhanced tier premises already have an obligation to consider and ensure that appropriate public protection procedures and measures are in place, so far as is reasonably practicable, in relation to all the activities that take place there. This approach ensures consistency and clarity of responsibility. Therefore, to be a qualifying event under the Act, the event must be taking place at a location that is not already in scope of the Act as enhanced tier premises. See chapter 6 for information on who is responsible for the Act’s legal requirements.

5.11 If an event occurs across a range of buildings and locations, and some of these premises (but not all) already fall in scope under the enhanced tier, the responsible person for each of the enhanced tier premises will be responsible for activities that are taking place at their premises in relation to the event. If the responsible person for the enhanced tier premises and the event organiser is different, the organiser will be required to co-operate where: (i) the responsible person for the premises requires the organiser’s support or other co‑operative steps to meet the Act’s requirements, and (ii) the organiser has control of the premises (see paras. 6.21 to 6.22). For more information on how the Act applies to events that occur across a range of locations and buildings, see paras. 5.38 to 5.42 and figure 5.

Criterion three: Is the event accessible to the public?

5.12 Members of the public must be able to access all or part of the premises for the purposes of attending the event. An event will satisfy this criterion where members of the public are eligible to attend the event in principle, even if they ultimately cannot attend due to available tickets selling out, for example.

5.13 Events will not be qualifying events under the Act where the condition for entry is private or personal to the attendees and, as a result, access is not open to the public. Some examples include where access is restricted to relatives and friends invited to a wedding reception or employees invited to a corporate event that is not open to the public. Such events are not considered publicly accessible because the general public do not have the option to attend.

5.14. Events that are not open to the general public might take place at premises that already fall in scope of the Act as qualifying premises – for example, at hotels and places of worship. In such cases, the premises will remain in scope of the Act due to the broader activities that take place there. The responsible person for the premises will continue to be the person in control of the premises and control will not transfer to the organiser of the private event.

Example 1: A private company invites some of its employees and customers to a networking event. The organiser expects 900 people to attend (including staff), and it plans to host the event in its private office building. Employees and customers will receive an invite and must confirm their attendance. Attendees will have their names added to a guest list, which will determine whether they are granted access to the event. As attendance is restricted and not open to the general public if not invited, the event is not considered publicly accessible and does not fall in the scope of the Act.

Due to the success of the event, the organiser plans to host a similar event the following year. However, they choose to hold it at a nearby hotel that already falls within the enhanced tier of the Act. The responsible person for the hotel must consider the events that will take place to ensure the measures and procedures in place for the hotel are appropriate. Responsibility under the Act will not transfer to the private company organising the networking event.

Example 2: A private members’ club offers a range of amenities, including a swimming pool, screening rooms, a gym and a restaurant. The private members’ club is in scope of the Act as standard tier premises. This is because it is wholly or mainly used for entertainment and leisure activities, which is a specified use under Schedule 1 to the Act. Furthermore, those responsible for the private members’ club reasonably expect 200 or more individuals (including staff) to be present on the premises at the same time, from time to time.

In determining the use of the club under Schedule 1, it is irrelevant that access may be limited to members of the public who have paid to access the premises, have tickets or passes allowing access, or are members or guests of a club, association or similar body.

The club subsequently chooses to organise a ticketed event in a separate location to the club – specifically a park. The event offers musical entertainment, games, and food and drink. Only members are invited, and they must demonstrate their membership to gain entry. The organiser reasonably expects 2,000 members and staff to be present at the same time. This event would constitute a qualifying event, and the members’ club would be the responsible person for the event. They must ensure that the enhanced duty requirements are met for the event.

5.15 Where an event is considered accessible to the public and therefore satisfies this criterion, attendees will additionally need to meet a specific entry check. Further information can be found at paras. 5.22 to 5.26.

Criterion four: Does the event meet the threshold for the number of individuals expected to be present at an event?

Supplementary document A sets out some example (non-exhaustive) methods that may be used to assess the number of individuals expected to be present. The supplementary document is non-statutory and may be useful to read alongside this part of the guidance.^{[footnote 43]}

5.16 The fourth criterion requires an assessment of the maximum number of individuals who can reasonably be expected to attend the event at some point and at the same time. A wide range of methods can be used to assess the number of individuals expected to attend at some point, at the same time, at qualifying events.

5.17 To be in scope, it should be reasonable to expect that 800 or more individuals will be present at the event at the same time, at some point during the event. This figure must include staff working at the event. ^{[footnote 44]} Only those attending or working in the part of the premises connected with the event should be included in the figure. This includes back-of-house areas used by staff in support of the event, such as kitchens.

5.18 Where the method chosen to assess the number of individuals reasonably expected to be present (either listed in supplementary document A or another method) does not consider the number of staff – for example, historic ticket data or fixed seating/standing positions – staff numbers must be added to the final assessment figure.

5.19 The threshold for the maximum number of individuals is not an average throughout the duration of the event. It is an assessment of the highest number of attendees at any point.

Example: A festival sells two types of tickets – one for all-day admission and one for evening-only admission from 6pm. Using ticket sales data, the responsible person expects 250 members of the public and 30 staff on site until 6pm with a further 600 members of the public and 40 staff expected after 6pm. This results in 850 attendees and 70 staff in total. The festival will therefore fall within the enhanced duty for the duration of the event, and be subject to enhanced duty requirements, based on the greatest number of individuals expected to be present at the same time, at some point.

5.20 The threshold will only be met if at least 800 individuals are expected to be present at the same time. Some events choose to manage crowd entry and exit by staggering arrivals using timed entry. Where such an event reasonably expects a maximum attendance of under 800 individuals (including staff) at any one time, it will not be a qualifying event.

Example: The organisers of a light show in a park choose to manage crowd entry and exit by allocating each ticket holder a specific time of entry. These measures ensure no more than 300 individuals (including staff) are reasonably expected to be present at the event at any one time. As a result, this event is not a qualifying event.

5.21 Some events will occur across a range of buildings and locations, and some of these premises (but not all) may already fall in scope under the enhanced tier. Where individuals can move freely between the enhanced tier premises and the wider qualifying event, the responsible person for the event should include those individuals within the enhanced tier premises in their assessment of the expected number of individuals present.

Criterion five: Are there specific entry controls in place?

5.22 To be in scope of the Act, an event must have measures in place to check that members of the public wishing to access the event satisfy a condition of entry. This criterion will only be met if there are measures in place to check that members of the public have paid, have a ticket or pass, or are members (or guests) of a club, association or similar body to gain access. For entry controls to be in place, the event will need a well-defined and secure perimeter so that the entry check will be meaningful.

5.23 Examples of clubs or associations include sports clubs, trade associations, social clubs and professional bodies. However, the word ‘similar’ limits what qualifies. Bodies not considered similar to clubs or associations, such as companies or partnerships, would not meet this criterion.

Example: A members’ club organises an annual music festival in a park and only members are eligible to buy tickets. Proof of membership and tickets must be shown on entry, and the event organiser reasonably expects 800 or more individuals to attend the event, including staff. This is a qualifying event under the Act. The club enters a contract to hire a fenced area of the park, giving the club control of that location for the duration of the event. This means the club is the responsible person for the event.

5.24 This criterion applies both to paid-for events and to free events where there is a specific check on entry as described above. Entry checks can include, but are not limited to, tickets, wristbands, membership cards, emails, QR codes or barcodes which are checked for access to the premises where the event is taking place. Staff at the event will usually undertake these checks. However, this criterion will also be satisfied if the checks are undertaken by an automated or electronic system, for example, via turnstiles.

5.25 This means that not every kind of entry condition is covered. Other forms of entry conditions – for example, having specific search criteria or a dress code – do not meet this criterion. In addition, a suggested entry charge or donation does not satisfy this criterion, as it would not be a measure to check that someone has paid to enter the event, nor does it satisfy the other entry criteria listed above. Therefore, a suggested entry charge or donation is not a condition of entry for these purposes.

5.26 This criterion will also only be met if the check relates to accessing the premises or the part of the premises where the event is taking place. This means that a payment to take part in an event is not classed as a type of entry control, if that payment is not linked to entering the premises.

Example: A run taking place in a local park has an entrance fee for individuals to take part in the race, and participants are sent a QR code. The QR code is checked by staff before a runner is given a number to participate in the race. There is, however, no entry condition for the runners or spectators to enter the part of the park where the run is taking place. Instead, spectators can gather freely to watch. This event would not be in scope as there is no entry condition to the part of the park where the run is taking place. Instead, payment is linked to participation in the race.

Criterion six: Does the event take place at excluded premises?

5.27 Schedule 2 to the Act excludes certain types of premises from the scope of the Act and therefore any events held at such premises will not be included either. ^{[footnote 45]}

These are:

• Houses of Parliament, devolved legislatures and devolved governments: Premises occupied for the purposes of either the Houses of Parliament; the Scottish Parliament or a part of the Scottish Administration; the Senedd Cymru or the Welsh Government; or the Northern Ireland Assembly or a Northern Ireland Department, are not in scope of the Act.
• Transport security: Transport premises (for example, at applicable airports, national rail and underground premises, international rail premises, and port facilities) are excluded where they are already subject to existing legislative requirements to consider and mitigate threats.

Premises subject to different thresholds

5.28 There are types of premises in scope of the Act that are always treated as standard tier premises if they meet the qualifying premises criteria, even if 800 or more individuals are reasonably expected to be present at the same time, from time to time. This is sometimes referred to as the special consideration. An event will not be a qualifying event if it takes place at one of the types of premises that fall into that category.

5.29 All premises used primarily as places of worship that can reasonably expect 200 or more individuals to be present at the same time will fall within the standard tier, even if that number is 800 individuals or greater. An event at one of these types of premises will not be a qualifying event and so will not fall in scope of enhanced duty requirements. For example, a music concert which expects 800 or more attendees held at a church would not be a qualifying event. The premises would remain in the standard tier.

Example: A large synagogue is in the standard tier due to the special consideration for places of worship. The responsible person is the primary governing body with control of the synagogue. An events company hires the premises for a fundraising concert and reasonably expects there to be a maximum of 1,000 individuals (including staff) present at some point, at the same time.

Due to the special consideration for places of worship, the synagogue remains in the standard tier, and the event is not a qualifying event. Therefore, the responsible person for this event remains the governing body of the synagogue. While responsibility cannot be delegated under the Act, the hiring agreement may contain clauses binding the events organisation to undertake public protection duties.

5.30 The different threshold for places of worship applies only where the principal use of the premises is as a place of worship. A religious event held at premises that do not qualify for this different threshold – for example, premises wholly or mainly used as a town hall or a religious event that meets the qualifying event criteria – would not be subject to the different threshold. Instead, these events would be treated in the same way as any other event that constitutes a qualifying event or is held at qualifying premises.

Example: A community centre has a large hall that is available for hire. It is hired out for events and activities including amateur dramatics performances and craft markets, and as an overspill space for the local mosque for Friday prayers and during Ramadan. Those responsible for the community centre reasonably expect that 200 or more individuals (including staff) may be present on the premises at the same time, from time to time, to attend such activities. Therefore, the community centre is in scope of the Act as standard tier premises.

5.31 All premises used for childcare or primary, secondary or further education that can reasonably expect 200 or more individuals to be present at the same time will fall within the standard tier, even if that number is 800 individuals or greater. An event at one of these premises will not be a qualifying event and so it will not fall in scope of enhanced duty requirements. The premises would remain in the standard tier.

Example: A secondary school has 950 pupils and 35 staff. Given the special consideration for education (childcare, primary, secondary and further education), the school is within the standard tier. The responsible person is the governing body. During the school holidays, an events organisation hires the school playing fields for a music festival. The organiser expects to sell 900 tickets and to have a maximum attendance of 950 individuals (including staff) at any one time.

The responsible person of the school considers whether this may be in scope of the Act as a qualifying event. However, given the special consideration, events taking place at a school cannot fall in scope as qualifying events and the school remains in the standard tier. As such, the responsible person remains the school governing body as responsibility cannot be delegated to the events organisation. However, the responsible person chooses to specify the public protection duties in the contract of hire with the events organisation.

Qualifying events held at qualifying premises

5.32 Premises that would otherwise be standard tier premises may host events which constitute qualifying events, for the purpose of section 3 of the Act. In those circumstances, hosting the events can either draw the premises into the enhanced tier under section 2(3) of the Act or the event can constitute a qualifying event under section 3(1) of the Act. For further information on assessing the number of individuals present at qualifying premises, see paras. 4.22 to 4.34 and supplementary document A. For further information on assessing the number of individuals present at a qualifying event, see paras. 5.16 to 5.21 and supplementary document A.

5.33 In either case, it will be necessary for the responsible person to ensure a compliance document is prepared and that appropriate public protection procedures and measures, so far as is reasonably practicable, are in place either for the duration of the event (if the event is a qualifying event) or on an ongoing basis (if the premises are in the enhanced tier).

Premises hosting events on a one-off basis

5.34 If the premises are hosting a one-off event which will attract 800 or more individuals on a single occasion, the event would not result in the premises becoming enhanced tier premises under section 2(3) of the Act. This is because it would not, in those circumstances, be correct to say that it can reasonably be expected that 800 or more individuals will be present from time to time at the premises. In such cases, the event will be a qualifying event if it meets the criteria in section 3 of the Act.

Example: A football stadium usually expects 600 spectators and staff per game during the season, based on historic ticket sales, except for a testimonial game where attendance is expected to reach 1,000 spectators and staff. The testimonial, with an expected attendance that meets the enhanced tier threshold, is a one-off and is not expected to occur again. This supports the conclusion that the testimonial is a qualifying event.

5.35 If the premises are not in the enhanced tier, the enhanced duty requirements contained in section 6 of the Act will still apply to any qualifying event which is held on the premises and satisfies the criteria for qualifying events in section 3 of the Act. Outside the context of the qualifying event, the premises will remain in the standard tier. Where this is the case, the responsible person for the qualifying event will be the individual, company or organisation who has, for the duration of the event, control of the premises in connection with their use for the event. The responsible person for the qualifying event will be required to meet the qualifying event requirements.

Premises hosting events occasionally

5.36 If premises host events where it can reasonably be expected that 800 or more individuals will, from time to time, be present, the premises will qualify in the enhanced tier under section 2(3) of the Act. The term ‘from time to time’ is a common term and is generally understood to mean occasionally. This criterion will be met if there is a reasonable expectation that the threshold will be reached occasionally, for example, once a year, whether by hosting the same event or different events.

Example: A nightclub operator usually expects fewer than 800 individuals (including staff) in attendance at the same time, except for five or six nights a year where they expect additional attendance for special events. The nightclub therefore satisfies the criteria to be enhanced tier premises. This is because the events occur from time to time and satisfy the criteria for qualifying premises in section 2 of the Act.

5.37 Where this is the case, the responsible person for the qualifying premises will be the individual, organisation or company with control of the premises for the purposes of their Schedule 1 use. The responsible person for the premises must consider all the events that will take place to ensure the measures and procedures are appropriate, both during the event and outside the context of the event. ‘Appropriate and reasonably practicable’ means ensuring the procedures and/or measures are suitable and proportionate, considering the specific context of the premises and the event. What is considered suitable and proportionate may differ between the period when the premises are hosting the event and when they are not. For example, the responsible person may consider it appropriate and reasonably practicable to ensure public protection measures are in place only when the event is taking place. Whether this is appropriate and reasonably practicable will depend on the circumstances.

Example: A sports ground holds sports events every weekend with a maximum attendance of 400 spectators and staff. In addition, approximately 10 times a year, it hosts large events ranging from firework displays to music events. Depending on the event, it is expected that anywhere between 1,000 to 5,000 individuals will attend. The events occur from time to time, they come under Schedule 1 uses in the Act and otherwise satisfy the criteria for qualifying premises in section 2 of the Act. This supports the conclusion that the sports ground will be in the enhanced tier.

The responsible person for the enhanced tier premises will be required to determine what procedures and/or measures are appropriate – both for the sports events and the other events – while considering what is reasonably practicable. Due to the very different nature of the large events and the sports events, the responsible person may determine different procedures and measures are appropriate for the sports events and for each of the other large events.

Events occurring across a range of buildings and/or locations

5.38 If a single event with a single operator or organiser is taking place across several buildings that are not already in scope of the Act, the buildings are in the same geographical location, and the event meets the qualifying event criteria, it will be treated as a qualifying event.

Example: A one‑off art fair takes place across several outbuildings on a country estate. The country estate is not normally open to the public and, as a result, does not meet the criteria to be qualifying premises. The art fair is open to the public, who must purchase a ticket to gain access. The organiser reasonably expects 800 or more individuals (including staff) to attend the event at the same time. This would be a qualifying event under the Act.

The event organiser enters an arrangement with the landowner via a contract to hire the location for the duration of the event. As the event organiser has control over the location for the duration of the event, they are the responsible person for the qualifying event.

5.39 Events can also occur across a variety of buildings that are already in scope of the Act as standard tier premises or enhanced tier premises. In such a scenario:

• Enhanced tier premises: Areas of the event occurring in a building that is already in the enhanced tier will not be a qualifying event under the Act. Those responsible for enhanced tier premises must consider all the events that will take place to ensure the measures and procedures are appropriate. In this scenario, the responsible person for the enhanced tier premises will not change. However, if the responsible person for the premises and the event organiser is different, the organiser will be required to co-operate where: (i) the responsible person for the premises requires the organiser’s support or other co-operative steps to meet the Act’s requirements, and (ii) the organiser has control of the premises (see paras. 6.21 to 6.22).

• Standard tier premises: Areas of the event occurring at standard tier premises will either be part of the wider qualifying event, or the hosting of the event will draw the premises into the enhanced tier under section 2(3) of the Act. Paras. 5.32 to 5.37 contain detail on when an event at standard tier premises can be considered part of a qualifying event under the Act. Where a qualifying event is hosted at premises that fall within the standard tier, the responsible person for the premises may differ from the responsible person for the qualifying event. In such cases, the responsible persons will be required to co-ordinate to meet the Act’s requirements (see paras. 6.16 to 6.20). In addition, the responsible person for the standard tier premises may also be required to co-operate with the responsible person for the qualifying event (see paras. 6.21 to 6.22).

Example: A cross-city music event has one event organiser and is centrally organised. However, the event consists of separate performances occurring at many premises across the city, each operated by different businesses and organisations. The premises include music venues, theatres, hotel spaces, a pop-up stage and pubs. The music venues are all enhanced tier premises, but the theatres and pubs are a mixture of enhanced tier and standard tier premises. The pop-up stage satisfies the qualifying event criteria, as members of the public require a ticket to enter and the organiser reasonably expects 800 or more individuals (including staff) to attend at the same time. Attendees can purchase a ticket that grants access to all the events.

The responsible persons for the enhanced tier premises (the music venues) will not change for the purposes of the event. The responsible persons for the enhanced tier premises must consider all the events that will take place at their premises to ensure the measures and procedures are appropriate. The event organiser will be responsible for the qualifying event (the pop-up stage) as they will have control of that area for the duration of the event.

The parts of the event being held at standard tier premises (the pubs and theatres) will be a qualifying event if they meet the criteria at para. 5.2. If this is the case, responsibility will move to the individual, company or organisation with control of the premises for the purposes of the event taking place. This will, in most circumstances, be the event organiser. For more information on how the Act applies to events that occur at premises already in scope of the Act, see paras. 5.32 to 5.37.

5.40 Some events may be a mix of open-access areas, such as streets and towpaths, and other locations where entry is controlled – for example, at some marathons, triathlons, carnivals, festivals and parades. Where parts of these events fulfil the criteria set out in section 3 of the Act, the Act will apply to each part separately (for these purposes ‘building’ includes part of a building or a group of buildings).

5.41 Each area that has entry controls and reasonably expects 800 or more individuals to be present at the same time will be in scope of the Act’s requirements. This will be the case even if the other elements of the larger event do not fall in scope of the Act. Areas with no entry checks (for example, pavements, towpaths and open roads) will not be in scope of the Act, unless they are within the immediate vicinity of the qualifying event. More information on the immediate vicinity can be found at paras. 7.12 to 7.14.

Example: A city-wide marathon is taking place. This event does not take place within premises that already fall in scope of the Act and instead takes place across a mixture of open-access areas and areas with entry controls in place. The event organiser has control over all the locations and is therefore the responsible person.

The open-access areas include the roads on which participants are racing. The areas that have entry controls include staging areas, grandstands, starting areas and finishing areas. The event organiser considers each of the areas against the criteria for qualifying events. The organiser assesses that the grandstands, the staging areas and the starting and finishing areas are in scope of the Act as each separate area has measures in place to control entry to parts of the premises and can reasonably expect to have 800 or more individuals (including staff) present at the same time.

Other areas, for example, the pavements outside the ticketed grandstands and the roads on which participants are racing (that are not considered by the responsible person to be in the immediate vicinity in this instance) do not have entry checks in place. The responsible person therefore assesses that those areas are not in scope of the Act. The requirements of the Act will apply to each area that meets the qualifying event criteria (specified in para. 5.2).

5.42 Further detail on how the Act will apply to events that are a mixture of buildings that are not otherwise in scope of the Act, standard and enhanced tier premises, and open-access areas, can be found in figure 5 below.

Figure 5: Areas of events that are in or out of scope of the Act as a qualifying event

Area	Description	In scope as qualifying event?
Standard tier premises	The parts of an event delivered at standard tier premises will be a qualifying event if they meet the criteria at para. 5.2. For the purposes of the qualifying event, the responsible person will be the individual, organisation or company with control over the standard tier premises for the purposes of the event taking place. Alternatively, the hosting of events may cause the premises to become enhanced tier premises under section 2(3)(a) of the Act. See paras. 5.32 to 5.37 for more detail.	Yes, unless premises become enhanced tier premises.
Premises not already in scope of the Act	Premises not already in scope of the Act will fall in scope for the purpose of a qualifying event, if that event meets the event criteria. For example, an area of a private warehouse could be used for a music gig, which is part of a wider music event that occurs across a town or city, and that gig could bring the private warehouse into scope for the duration of the event. The responsible person will be the individual, organisation or company with control over the premises for the purposes of the event taking place.	Yes
Temporary structures at an event	The Act applies separately to each area that meets the 800 individual threshold and that has measures in place to check entry. For each temporary structure to fall in scope as a qualifying event, they must separately meet the event criteria. For example, a hybrid sporting event could have a start area, finish area and grandstands in separate locations, with separate checks on entry, that separately meet the qualifying event criteria. The responsible person will be the individual, organisation or company with control over the premises for the purposes of the event taking place.	Yes
Open-access areas at an event	An open-access area, with no checks on entry, would not meet the criteria for a qualifying event. However, some areas may need to be considered as part of the immediate vicinity of premises (see paras. 7.12 to 7.14 for more detail). There is no responsible person for these areas as they are not in scope of the Act, unless they are in the immediate vicinity of qualifying premises or a qualifying event.	No, but some areas may fall within the immediate vicinity.
Enhanced tier premises	An event or areas of the event occurring in a building that is already in the enhanced tier will not be a qualifying event under the Act. Those responsible for enhanced tier premises must consider all the events that will take place to ensure the measures and procedures are appropriate. In this scenario, the responsible person for the enhanced tier premises will not change.	No
Premises subject to different thresholds	Some premises are always treated as standard tier premises if they meet the qualifying premises criteria, even if 800 or more individuals are reasonably expected to be present at the same time, from time to time. An event will not be a qualifying event if it takes place at one of the types of premises that fall into that category. These premises can be found at paras. 5.28 to 5.31.	No

Chapter 5 – summary

• Premises must meet all the criteria at section 3 of the Act to be a qualifying event.

Events at qualifying premises

• Where an event does not meet the qualifying event criteria, it could still be taking place at premises that fall in scope of the Act as qualifying premises.
• Premises that would otherwise be standard tier premises can host events which constitute qualifying events, if the event meets the qualifying event criteria.
• An event is not considered a qualifying event if it takes place at enhanced tier premises. The responsible person for the premises will already have an obligation to consider and ensure appropriate public protection procedures and measures are in place, so far as is reasonably practicable, in relation to all the activities that take place there.

Events across a range of locations

• Some events may be a mix of open-access areas and other locations where entry is controlled. Where parts of these events fulfil the criteria set out in section 3, the Act will apply to each part separately.

Chapter 6: Responsibility for legal requirements

6.1 All qualifying premises and qualifying events will have a responsible person with the responsibility for ensuring the requirements of the Act are met. The identity of the responsible person is the individual, organisation or company that has control over the qualifying premises for the purpose of their Schedule 1 use, or control over the premises for the purposes of the qualifying event. ^{[footnote 46]} The determination of the responsible person is defined in the Act and is therefore not a matter of choice. The responsible person cannot delegate their legal responsibility to a contracted service provider, for example, but may delegate tasks.

6.2 The responsible person may have already been identified as having responsibility for compliance with other regulations and their requirements, such as health and safety or fire safety. The responsible person may not be a named individual or single person. It is most likely to be a company or an organisation. When the responsible person for enhanced tier premises or a qualifying event is a company or organisation, a senior individual must be designated (see paras. 6.8 to 6.12).

6.3 For qualifying premises, the responsible person will be the individual, company or organisation with control of the premises for the purpose of their Schedule 1 use. The principle of control has been used in other regulatory regimes such as fire safety. For the purposes of the Act, a person in control will ordinarily have physical possession of the premises at the relevant time, with the right and the ability to make decisions regarding their management and use, particularly as to who may or may not remain on site. The principle of control does not necessarily require the individual, company or organisation to be the owner of the premises or have exclusive rights and could, for example, be held by a leaseholder or licence holder.

Example 1: A company leases a building for use as a retail shop. The responsible person is the company operating the shop via the lease, as this is the relevant use of the building, rather than the owner of the building itself.

Example 2: A retail park is owned by a pension fund company as an investment. The pension fund company employs a property management company to let out the buildings. The units are leased by the property management company to different retailers. The retailer occupying each of the individual units is in control of their unit in connection with the Schedule 1 use, so each occupant is the responsible person for their respective unit.

Example 3: A pub is owned by a large brewery but is leased by a tenant. The brewery is the licence holder for the premises. Therefore, the responsible person is the brewery.

6.4 Where premises have two or more Schedule 1 uses, the responsible person will be the individual, organisation or company with control of the premises in connection with the principal use of the premises.

Example: A large hotel also has a conference centre and a restaurant on site. All of these uses are Schedule 1 uses under the Act. However, the primary purpose of the building is to provide accommodation as a hotel. The restaurant and conference facilities are secondary uses and are not the main reason for the premises to exist. This means the hotel would be considered the principal use of the premises. The responsible person would therefore be the individual, organisation or company with control of the premises for their use as a hotel.

6.5 For qualifying events, the responsible person is the individual, organisation or company which has control of the premises in connection with their use for the event. The responsible person can be different to the individual, organisation or company which has control of the premises outside of their use for the event. The responsible person cannot delegate their legal responsibility to a contracted service provider but may delegate tasks. For example, delegating organisation of the event to a provider.

Example 1: A concert, which meets the criteria to be a qualifying event under the Act, is being held in a park. The park is owned by a local authority. The company putting on the event takes control of an area of the park for the purposes of holding the concert. The company has a contractual agreement with the local authority (for example, a contract to rent or hire the site) giving over control of that area for the purposes of delivering the concert. This means the company putting on the event, not the local authority, is the responsible person for the event.

However, if the local authority were to remain in control of the area of the park in which the concert takes place, the local authority would be the responsible person. This would be the case even if the local authority contracted organisations to deliver aspects of the event, for example, to provide stewarding and security or to sell and check tickets.

Example 2: A village hall falls within the standard tier. A private company hires the hall for a one-off, ticketed fundraiser that meets all the criteria for a qualifying event. This fundraiser is the only occasion where the management committee of the hall reasonably expects attendance to reach the 800-person threshold (including staff) for enhanced tier premises and qualifying events. As a result, the fundraiser is a qualifying event under section 3 of the Act. See paras. 5.32 to 5.37 for more information on qualifying events held at qualifying premises.

As the private company putting on the event takes control of the hall for the duration of the event, the private company will be the responsible person for the event. The management committee of the village hall remains the responsible person for the premises outside of the event. The private company must therefore comply with the enhanced duty requirements, including notifying the regulator of the event and submitting a compliance document.

In such a scenario, the responsible person for the village hall and the private company will be required to co-ordinate to ensure the qualifying event meets the Act’s requirements.

6.6 The responsible person may be the same individual, organisation or company for several premises – for example, a company operating a chain of restaurants or shops, or a governing body for an educational or medical trust. If this is the case, the responsible person should consider how the Act’s requirements can be met at each individual premises, avoiding a one-size-fits-all approach.

6.7 It is not mandatory to use third-party products or services to comply with the Act’s requirements. However, the responsible person may contract relevant services to assist in meeting their obligations under the Act if they deem it necessary, helpful or appropriate (for example, a security provider, contractor and/or consultant who can advise on vulnerabilities, and appropriate public protection procedures or measures). The responsible person remains liable for ensuring that premises or events are compliant with the Act and should therefore be satisfied that any support provided by providers, contractors or consultants is suitable to meet their requirements, properly resourced and effectively delivered.

Designating a senior individual (enhanced tier premises and qualifying events only)

6.8 Where the responsible person for enhanced tier premises or qualifying events is an organisation or company, rather than a named individual or single person, the Act requires that the responsible person must designate a senior individual to ensure that the responsible person complies with the Act’s requirements.

6.9 The senior individual may delegate actions or tasks to others, such as a security manager or contracted security lead. However, they will maintain overall responsibility for compliance on behalf of the responsible person (see para. 6.12 for liability). A senior individual may be the same for several premises or events.

Example: The senior individual for a large cinema chain is a board member at the corporate headquarters, who has little knowledge of the individual premises operated by the chain. The senior individual therefore decides that it is reasonable for them to delegate day-to-day aspects of compliance to an individual at each site, while retaining overall responsibility for ensuring that the chain complies with the Act’s requirements.

6.10 The senior individual must be someone who has responsibility for managing the affairs of the responsible person or who has control of the responsible person rather than a lower-level employee. It will be for the company or organisation to assess which member of staff is appropriate and ensure that they are of sufficient seniority to ensure the premises or event are compliant with the Act. See paras. 8.69 to 8.74 for further information on this requirement.

6.11 Where an organisation is controlled by volunteers, it remains the case that the senior individual will be someone who has responsibility for managing the affairs of the responsible person, such as a member of a club’s management committee.

6.12 The senior individual is not liable for an organisation’s failure to meet requirements. However, senior personnel (including the senior individual) may be liable to prosecution under the Act if their organisation commits a criminal offence and it is proved that the offence was committed with their consent, connivance or occurred because of their neglect. See chapter 9 for further information on offences and penalties.

Control and hire of qualifying premises

6.13 When qualifying premises host different organisations and activities, such as when they are hired out, the responsible person remains the same. The responsible person will continue to oversee the requirements for the premises, and it is their responsibility to ensure that appropriate public protection procedures and/or measures are in place, so far as reasonably practicable, in accordance with the requirements of the Act. However, there is an exception to this. The responsible person will change if an event meets the criteria to be a qualifying event at standard tier premises, and the responsible person for the premises outside of the event is different to the responsible person for the event. See paras. 5.32 to 5.37 for more information on qualifying events held at qualifying premises.

Example: A large conference centre is available to hire for short-term events, usually lasting up to a week. The conference centre can be divided into smaller areas and sometimes multiple events take place at the same time. The conference centre operator controls the conference centre as enhanced tier premises for use as a conference venue (the Schedule 1 use) and is the responsible person.

The terms and conditions set by the responsible person for those hiring the facilities require some aspects of public protection procedures and measures to be delivered by the hirers. The conference centre operator, as the responsible person, has mechanisms in place to monitor the delivery of these requirements and ensure they are being delivered in practice.

6.14 Depending on the nature of the premises and the terms of the hire arrangement, the responsible person may look to the hiring party to deliver specific public protection procedures or measures. The responsible person should consider what is required from those hiring the premises. The responsible person should explain the legal requirements to any individual, organisation or company that hires the premises and explain what is expected from them. The responsible person will, however, maintain responsibility for oversight of the premises and overall compliance with the Act.

6.15 Communicating requirements and delivery expectations could be specified and agreed in the contract to hire the premises, like the arrangements which are usually in place at premises to ensure the requirements of health and safety and fire safety legislation are complied with. If requested by the SIA, the responsible person must be able to demonstrate that they clearly specified the requirements to the hirer and took reasonable actions to ensure that the hirer complied with these requirements.

Example: A stately home that is open to the public falls within the standard tier. A private company hires part of the stately home’s grounds for a one-off outdoor food festival that meets all the criteria for a qualifying event. The festival is the only occasion on which the operator of the stately home reasonably expects attendance to reach the 800-person threshold, including staff. As a result, the food festival is a qualifying event under section 3 of the Act. See paras. 5.32 to 5.37 for further information on qualifying events held at qualifying premises.

Because the event organiser takes control of part of the stately home’s grounds for the duration of the event, they will be the responsible person for that part of the premises used to host the event. During the event, the operator of the stately home remains the responsible person for the parts of the premises not used for hosting the event. Outside of the event, the operator of the stately home continues to be the responsible person for the premises.

Co-ordination

6.16 Those responsible for standard or enhanced tier premises or qualifying events must co-ordinate with each other, so far as is reasonably practicable, under specific circumstances:

• where more than one individual, organisation or company is responsible for qualifying premises or an event; and
• where qualifying premises form part of other qualifying premises.

6.17 Co-ordination helps to ensure there are no barriers to procedures and measures being delivered.

6.18 Where premises form part of other premises, co-ordination helps to ensure the plans in place deliver the required public protection outcomes without creating unintended dangers. For example, ensuring people can be moved away from danger efficiently while avoiding large numbers of people being funnelled together or too many people being in the same space.

Example: The responsible person of a department store reasonably expects 800 or more individuals to be on the premises from time to time, at the same time (including staff). Therefore, the department store is in the enhanced tier. The department store is located within a shopping centre, which is also enhanced tier premises. The responsible persons of both premises must co-ordinate with each other in complying with the requirements of the Act, so far as is reasonably practicable. The responsible persons co-ordinate to deconflict their evacuation plans and complement each other’s lockdown and communication plans.

6.19 The co-ordination requirement only applies to premises that fall in scope of the Act. This means that any premises that are out of scope of the Act, but are located within other qualifying premises, do not have any statutory requirement placed on them.

6.20 Additionally, those responsible for neighbouring premises could work together, where applicable and practicable. This could include planning to communicate with each other in the event of an emergency or carrying out run-throughs of procedures together.

Co-operation

6.21 There may be instances where, to comply with requirements of the Act, the responsible person for enhanced tier premises or a qualifying event requires permission, support or other co-operative steps from another individual, organisation or company with control of the premises or event to any other extent but who is not the responsible person. For example, a building owner who has leased the premises to a separate operator, premises within other premises, or a landowner who has given permission for a qualifying event to take place on their land. The building owner or landowner in these examples must, so far as is reasonably practicable, co-operate with the person responsible for the premises or event for the purposes of ensuring the responsible person’s compliance with the requirements of the Act.

6.22 How co-operation works in practice will depend on the particular circumstances and how premises or events are controlled, including any contractual arrangements that are in place. What is reasonably practicable will require an assessment of the objectives of public protection procedures and/or public protection measures, balanced against the cost, time and difficulty involved in implementing them (see paras. 7.20 to 7.32 and 8.18 to 8.29). ^{[footnote 47]}

Example: The responsible person for an art gallery in the enhanced tier identifies that they must consider measures in relation to physical security to meet their obligations under the Act. They consider that it may be appropriate to make structural changes such as adding concrete planters to increase their protection against a vehicle as a weapon attack. The responsible person’s lease agreement sets out that they should seek permission from the freeholder for any structural alterations and the holder should contribute a certain percentage of costs to ensure the premises remain fit for purpose. The freeholder must co‑operate with, and consider such a request from, the responsible person so far as is reasonably practicable.

Responsibilities at non-qualifying premises

6.23 Those responsible for premises that are not qualifying premises within the Act, but that form part of larger premises that are qualifying premises, do not have a requirement to ensure that public protection procedures or public protection measures are in place. However, where non-qualifying premises form part of larger qualifying premises in the enhanced tier, those responsible may need to co‑operate with the responsible person for the larger, enhanced tier premises for the purposes of that responsible person complying with the requirements of the Act. Such co‑operation could be achieved through contractual arrangements.

Example: A small coffee shop is out of scope of the Act, but it is located within a larger hospital complex that does fall in scope. The shop has a role to play in an evacuation procedure for the hospital overall. The responsible person for the hospital sets out a requirement to co-operate within the lease conditions for the small coffee shop, ensuring that the small coffee shop operator must co-operate with evacuation procedure requirements.

6.24 In practice, the responsible person for the larger premises could, for example, require the individual, organisation or company in control of the smaller premises to ensure procedures are in place as part of terms and conditions associated with a lease or rental agreement. This can be done to the extent that it is necessary for the responsible person for the larger premises to comply with their duties under the Act. It will often be necessary for the responsible person for the larger premises to inform and communicate with the controllers of smaller premises about their public protection procedures. This will often be necessary for the responsible person for the larger premises to comply with their own obligations to ensure that procedures and/or measures are in place.

Figure 6: Who does the legislation define as the responsible person?

Chapter 6 – summary

• All qualifying premises and events will have a responsible person. Usually this will be a company or organisation, but it could be an individual.
• For qualifying premises, the responsible person has control of the premises for the Schedule 1 use.
• For a qualifying event, the responsible person has control of the premises in connection with their use for the event.
• When the responsible person for enhanced tier premises or a qualifying event is a company or organisation, the responsible person must designate a senior individual to ensure the Act’s requirements are met.
• The senior individual must be in a sufficiently senior position and not a lower‑level employee.
• The responsible person and senior individual can delegate tasks but not overall legal responsibility.
• Those responsible for qualifying premises and events must co-ordinate with each other, so far as it reasonably practicable – for example, if premises or events have more than one responsible person, or if qualifying premises are within other qualifying premises.
• If an individual, organisation or company has control of enhanced tier premises or a qualifying event to any other extent but is not the responsible person, they must co‑operate with the responsible person of the enhanced tier premises or qualifying event, so far as is reasonably practicable, to ensure the requirements of the Act are met.

Chapter 7: Legal requirements under the Act

7.1 This chapter details the legal requirements in the Act. As with previous chapters, the word ‘must’ is used to indicate a legal requirement in the Act, ‘should’ is used to indicate something that is not an express requirement, but is strongly recommended or encouraged good practice, and ‘could’ is used for something that is not a legal requirement, but is an optional suggestion or example.

7.2 The following chapter provides information on the requirements that are applicable to those responsible for standard tier premises, enhanced tier premises and qualifying events. Throughout this chapter and paras. 8.2 to 8.6, additional considerations are provided for those responsible for enhanced tier premises and qualifying events (not standard tier premises) on public protection procedures for larger premises, building on the information within this part of the guidance.

The responsible person for qualifying premises or a qualifying event must:

• ensure appropriate public protection procedures (section 5 of the Act) are in place, so far as is reasonably practicable
• co-ordinate with other responsible persons as required, so far as is reasonably practicable (section 8 of the Act)
• notify the regulator that they have become responsible for qualifying premises or a qualifying event, or that they have ceased to be responsible, and any other information required in regulations (section 9 of the Act)

7.3 The Act sets a legal minimum standard for preparedness at qualifying premises and qualifying events. Those responsible for premises or events that fall out of scope of the Act, or those who want to ensure protective security at their premises or event is effective, can find further guidance on good practice protective security and preparedness at ProtectUK and NPSA. ^{[footnote 48]}

Requirements for all standard tier premises, enhanced tier premises and qualifying events

Public protection procedures (section 5 of the Act)

7.4 Those responsible for standard tier premises, enhanced tier premises and qualifying events must ensure that appropriate public protection procedures are in place, so far as is reasonably practicable.

7.5 The Act requires responsible persons to ensure appropriate procedures are in place that would reduce the risk of physical harm caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event. The Act is based on the assumption that a terrorist attack might occur anywhere. Therefore, the responsible person is required to consider what procedures are appropriate and reasonably practicable to achieve the objective of reducing the risk of physical harm caused to individuals if an act of terrorism were to occur. This assessment may require consideration of what is reasonably practicable – that is, the likely effectiveness of any particular procedure weighed against the burden of its implementation (in terms of cost and feasibility).

7.6 Many qualifying premises and events will already undertake work to assess their vulnerabilities and will already have plans for responding to emergencies. It is important that premises and events continue these processes, however they should also ensure that the requirements of the Act are addressed. For qualifying premises and events that do not have existing vulnerability assessment processes, there are free resources available from ProtectUK (risk management basics) and NPSA (protective security risk management). These resources are focused on risk but can be used to support assessment of vulnerabilities too.

7.7 To achieve their purpose of reducing the risk of physical harm in the event of a terrorist attack, public protection procedures should be a set of actions, or a plan, that staff at qualifying premises can take to reduce the risk of harm to people (including staff) if they suspect an act of terrorism is occurring or is about to occur at the premises or in the immediate vicinity. At premises that are unstaffed or unmanned, the responsible person should consider whether and how the public protection procedures could be followed by individuals on the premises. If appropriate, this could include, for example, displaying procedures in communal areas via posters, or including information in an induction.

7.8 The responsible person should have the confidence that procedures can be implemented rapidly and effectively when required. This includes ensuring that staff are aware of the procedures and how to implement them (see paras. 7.51 to 7.62). It is also good practice for even the simplest procedures to be documented. It is not sufficient to have a written procedure that would not be able to be implemented rapidly and effectively (for example, because relevant staff lack awareness or understanding of their roles, or do not have the necessary experience or tools to carry them out).

7.9 When considering public protection procedures, the responsible person should consider if it is feasible to maintain a readily accessible ‘grab bag’ or incident response kit that contains key information to support the response. ^{[footnote 49]} This could include up-to-date emergency contact details, staff lists, floor plans or other critical documents that might assist those co-ordinating the response. The responsible person should consider where such a bag or kit could be safely stored and who would have access to it.

7.10 It is important to remember that, alongside the requirements in the Act, a good security culture can be very effective in ensuring people are protected from harm. A security culture is a set of values, shared by everyone in an organisation, which determine how people are expected to think about and approach security.

7.11 The four public protection procedures in the Act are set out at figure 7.

Figure 7: Public protection procedures

Public protection procedures	Action
Evacuation Section 5(3)(a) of the Act	The process of getting people away from danger by moving them out of the premises or event (or part of the premises or event).
Invacuation Section 5(3)(b) of the Act	The process of moving people away from danger to a place within the premises or event where there is less risk of physical harm being caused to them. This can include bringing people into the premises or event from outside or moving people from one part of the premises to another, where it is safe to do so.
Lockdown Section 5(3)(c) of the Act	The process of securing the premises or event to prevent individuals entering or leaving (for example, to restrict or prevent the movement of an attacker by locking doors, closing shutters or using available barriers).
Communication Section 5(3)(d) of the Act	The process of ensuring information is provided to individuals at the premises or event (for example, alerting people to danger as quickly as possible and providing instructions to remain in place or move away, where it is safe to do so).

Immediate vicinity

7.12 The responsible person must ensure appropriate public protection procedures are in place at the qualifying premises or qualifying event that they have control over (see chapter 6 for more information on control). The Act does not require responsible persons to implement procedures in areas that are beyond their control.

7.13 In developing public protection procedures, the immediate vicinity must also be considered. The term ‘immediate vicinity’ refers to an area close to the premises or event, but there is no fixed distance associated with the term given that all premises and events are unique with different circumstances. The responsible person may not have control over the immediate vicinity of their premises or event, but that area could provide public access to the premises or event that they do control (for example, a public pavement outside a music venue).

7.14 The responsible person must consider the specific nature of the premises or event and the surrounding area and how the procedures may be affected if an attack takes place in the immediate vicinity. Where people are expected to be present within the immediate vicinity in relation to the Schedule 1 use of the premises or event, the responsible person should consider how the procedures can reduce the risk of physical harm to people in those areas, so far as is reasonably practicable to do so. ^{[footnote 50]}

Example 1: A theatre in the enhanced tier hosts a popular play. At the end of the performance, 1,000 individuals exit the main entrance within a few minutes of each other. A crowd gathers in the pedestrianised public square outside the theatre, which is not part of the theatre premises. The responsible person of the theatre determines that the public square should be considered as the immediate vicinity of the theatre, as large crowds within the public square generally only occur on ingress or egress from the theatre premises.

Therefore, the responsible person of the theatre considers the public square within its public protection procedures and measures. The responsible person includes those individuals within the public square in their invacuation and communication plans and ensures that staff working at the entrance are briefed at the beginning of the shift to pay attention to unusual behaviour within the square and to report it appropriately. The responsible person also instructs a member of staff to check the square for suspicious activity and abandoned bags shortly before egress of the crowds. Once individuals have dispersed from the public square, the responsible person of the theatre judges that they no longer have a statutory duty to protect them.

Example 2: A city-wide cycling race is taking place. This event does not take place within premises that already fall in scope of the Act. Instead, it takes place across a mixture of open‑access areas, such as pavements and roads, and areas with entry controls, such as grandstands and the designated starting and finishing areas (all in separate locations).

The event organiser considers each area against the criteria for qualifying events. The organiser determines that the grandstands and the starting and finishing areas fall in scope of the Act, as these areas have measures in place to control entry and each area with entry controls can independently reasonably expect to have 800 or more individuals present at the same time (including staff). The requirements of the Act therefore apply to each area that meets the qualifying event criteria (as set out in para 5.2).

The responsible person for the cycling race determines that the queuing area leading into the grandstands should be considered the immediate vicinity of the grandstand. They also determine that the queuing areas leading into the starting and finishing areas should be considered the immediate vicinity of those areas. As a result, the responsible person includes these queues within the event’s public protection procedures and measures.

Some other areas – such as sections of pavement and sections of road on which participants are racing – are not considered by the responsible person to be in scope of the Act, as they do not have entry checks in place. Furthermore, the responsible person does not consider that they are within the immediate vicinity of areas in scope of the Act (namely the grandstands, starting area and finishing area).

Terrorist attack methods

7.15 The Act does not require separate procedures to be developed for every individual type of attack. It does not mandate different versions of evacuation, invacuation, lockdown and communication procedures for each terrorist attack method. However, certain procedures may be more effective than others depending on the nature of the attack. For example, initiating an evacuation in response to a fire as a weapon attack could be more appropriate than implementing a lockdown.

7.16 To improve wider understanding and awareness of protective security, it is recommended good practice for all staff to be aware of the different types of terrorist attacks. Attack methods that have featured in previous UK terrorist attacks or attack planning include marauding terrorist attack (MTA), vehicle as a weapon (VAW), improvised explosive device (IED), fire as a weapon (FAW) and use of hazardous substances. Attacks can be multi-layered and may involve several methods simultaneously rather than a single, isolated attack type.

7.17 Plans may need to change in real time depending on how the situation develops and advice received from the emergency services. While it is good practice for staff to understand different attack methods, their primary focus when implementing procedures should be identifying where the threat is coming from and what that means for keeping people safe at the premises or event.

7.18 For example, if the threat seems to be inside the premises or event, evacuation may be the best option. If the threat seems to be coming from outside, invacuation and/or lockdown may be more appropriate. It is worth noting that the threat may come from above (for example, from drones) and not necessarily at ground level. As the exact nature of an attack may not be immediately obvious, quick action is likely to be the most effective way of minimising the risk of physical harm to people. It is important to note that considerations may be different for attacks involving hazardous substances, which are sometimes referred to as chemical, biological and radiological (CBR) attacks. You can find further advice on the NPSA website under the Recognise, Assess, Reach (RAR) campaign. ^{[footnote 51]}

7.19. Attack methods will evolve and change over time. Up-to-date information and guidance on attack methods are available from ProtectUK and NPSA. ^{[footnote 52]}

It is important to note that some guidance materials include videos that recreate attack scenarios for educational purposes. This may be distressing or triggering for some viewers and therefore viewer discretion is advised.

Example 1: The responsible person for a bar in the standard tier develops multiple evacuation procedures for different attack methods. During a routine practice of the procedures, staff are unsure which procedure to choose as the attack method is unclear. This uncertainty causes a delay in responding to the incident, putting people at greater risk of physical harm.

Following this practice, the responsible person reviews what happened and the procedures in place. Learning lessons from this, the responsible person replaces the multiple evacuation procedures with one simple evacuation procedure, recognising that quick implementation of procedures is likely to be the most effective way of minimising the harm to people.

The single procedure ensures staff can make decisions about how to suitably evacuate quickly and effectively, dependent on where the threat is coming from. The responsible person ensures that staff receive updated instruction on how to implement the new procedure, and they schedule an exercise to practice this. In this staff instruction, it is made clear that although this plan will likely be appropriate in most cases, they may still need to adapt it in real-time, depending on the scenario that is taking place.

Example 2: Staff in a retail shop in the standard tier have started to hear activity outside and panicked members of the public are rushing to the front doors of the premises. Staff do not know exactly what is happening, but it is clear there may be an incident taking place. In response, the duty manager decides to enact an invacuation procedure followed by a lockdown procedure.

As a result, people gathered nearby outside are brought inside and the shop is secured to keep any threat outside the premises. This includes locking the front and rear doors of the premises and directing all those inside to shelter in internal rooms with lockable doors.

Developing public protection procedures

7.20 The responsible person must consider what is appropriate and reasonably practicable in relation to each public protection procedure.

7.21 ‘Appropriate’ means ensuring procedures are suitable, taking account of the context of the premises or event and avoiding a one-size-fits-all approach. Once the responsible person has considered what is appropriate for their premises, they must then consider to what extent each appropriate procedure can be put in place, so far as is reasonably practicable, to ensure it is proportionate.

7.22 To establish what is reasonably practicable, and therefore proportionate, it is necessary to consider the objectives of the public protection procedures balanced against the cost, time and difficulty involved in implementing them. ^{[footnote 53]} These factors are examples of the things that may be relevant to consider and are neither exhaustive nor conclusive.

7.23 In determining what is reasonably practicable, the responsible person should consider the specific circumstances and nature of the qualifying premises or event, including the resources available to them – for example, financial resources and staffing levels. In practice, this means considering what is proportionate. The responsible person should weigh the overall objective of reducing the risk of physical harm to people in the event of an attack against the cost, time and difficulty. For example, assessment of the cost includes considering whether an action is disproportionate to the effectiveness of the procedure in reducing the risk of physical harm and considering what is financially feasible for the premises or event.

7.24 There may be procedures that are not assessed as appropriate or reasonably practicable. If this is the case, it could be helpful to record the rationale for this in case of any inspection from the SIA. For example, some outdoor qualifying events like a firework display may not be able to implement an invacuation procedure given there are no internal areas.

7.25 There is no statutory requirement in the Act to make any physical alterations or to purchase specific equipment relating to putting public protection procedures in place. However, it may be that in certain circumstances it is reasonably practicable to do so, and this will depend on the context of the qualifying premises or qualifying event. Those responsible for qualifying premises and qualifying events should therefore consider whether certain physical alterations could improve the effectiveness of procedures. Examples of alterations that may be reasonably practicable include changing how doors are locked or altering the location of shutter controls.

Example: The responsible person for a restaurant in the standard tier develops a lockdown procedure. Part of developing this procedure includes identifying existing locks and shutters that can be used to secure the premises and prevent individuals from leaving or entering. The responsible person considers that the existing equipment and safe zones in place are suitable to lock down the premises if required.

7.26 The responsible person must consider how to ensure the public protection procedures are appropriate to the circumstances of the premises or event, and how far it is reasonably practicable to put appropriate procedures in place. This should include an assessment of:

• the nature of the premises, including the location and layout
• what the premises are being used for
• the number of individuals reasonably expected to be present at the same time, from time to time and the types of staff at the premises (for example, security staff, volunteers, employees or others working at the premises)
• how planned actions may be impacted depending on where the attack is coming from (for example, inside or outside the premises)
• different attack methods
• existing equipment, structures or apparatus that may be used when implementing the procedures (for example, areas that can be easily secured, doors, locks or public address systems)

7.27 It could also be important to consider other premises nearby and any procedures that may be in place there.

7.28 As part of the assessment of what procedures are reasonably practicable, the following should be considered:

• The key roles and responsibilities involved in each procedure, including who will decide what actions to take and who has the responsibility or authority to start a procedure.
• How the emergency services will be alerted in the event of a terrorist attack and who will do this, including the information that should be given.
• How the public protection procedures work together, because multiple procedures may need to be used at the same time or in sequence. For example, a communication procedure (such as an announcement made via a public address system) may be used to alert people that a lockdown procedure should be followed.
• How the unfolding situation will be assessed during an attack to ensure that the appropriate procedures continue to be implemented effectively. This could include taking different actions as the situation evolves.
• How staff will be made aware of the procedures, and their role in enacting them, so that they can be ready to put them into practice. For example, an evacuation procedure will not be effective if no one working at the premises understands how to implement it or follow it. This means ensuring that staff at the premises or event receive instruction and/or training as needed to ensure that procedures can be carried out effectively. See paras. 7.51 to 7.62 for considerations on training, learning, instruction and counter-terrorism awareness.
• How procedures will be tested and practiced, to ensure they are fit for purpose and that staff at the premises can implement them effectively. This can also help to consolidate any training, learning or instruction.

7.29 Although not a statutory requirement under section 5 of the Act, in practice, the responsible person should keep under review the procedures that are in place so that they remain up-to-date. This can help ensure that procedures remain appropriate and reasonably practicable over time, taking account of changes to the premises and their operation. A review of procedures should be carried out periodically and could be carried out annually, however this will depend on the circumstances of the premises or event.

7.30 There are some premises that are always treated as standard tier premises even if they can reasonably expect 800 or more individuals to be present at the same time, from time to time, such as places of worship and education settings (except higher education) (see paras. 4.36 to 4.39). While there is no legal requirement for the responsible person of standard tier premises to consider requirements intended solely for enhanced tier premises or qualifying events, it is important to recognise that a large number of individuals being present at these premises may influence the appropriateness of public protection procedures.

7.31 In such cases, it may be appropriate for the responsible person of such premises to consider paras. 8.2 to 8.6 which outline additional considerations for evacuation, lockdown and communication public protection procedures (section 5 of the Act) for enhanced tier premises and qualifying events. These paragraphs can also inform decisions about what additional considerations may be appropriate for larger and/or more complex standard tier premises – a category that could include certain places of worship and educational settings.

7.32 Within the standard tier requirements, there is no legal requirement to prepare a document stating the procedures in place and an assessment of how they may be expected to reduce the risk of physical harm if an act of terrorism were to occur. ^{[footnote 54]} However, the responsible person should prepare a document like this to provide a basis for ensuring the procedures can be effectively understood and communicated to staff. It may also be difficult to demonstrate compliance with the Act – for example, in the event of an inspection by the SIA – if the procedures are not documented in some form. Templates will be developed which are optional and indicative, but they will be designed to assist with the documentation of public protection procedures.

Public protection procedure: evacuation (section 5(3)(a) of the Act)

7.33 The purpose of an evacuation procedure is to get people away from danger by moving them out of the premises or event, or a part of the premises or event. In developing an evacuation procedure, the responsible person should consider how plans will vary according to the specific circumstances of their qualifying premises or qualifying event. The below considerations are not exhaustive, but those responsible should also consider:

• the nature of the specific premises or event
• whether the attack is taking place inside or outside the premises
• how people will be directed to follow the evacuation procedure in response to an attack
• how staff at the premises or event will direct people to move away from danger

7.34 Many premises and events will already have procedures for evacuating in case of a fire. However, it needs to be clear which procedures are in place for fire safety, and which are to respond to a terrorist attack. Evacuation procedures for a suspected terrorist attack should reflect the other dangers that an act of terrorism can pose and so plans may differ from fire evacuation plans.

Example: At a standard tier church, the fire evacuation plan directs people to gather at a designated assembly point in an open area, a specific distance away from the premises. In a suspected terrorist attack, that same open assembly point could be a target for a secondary attack. Therefore, the responsible person decides that an evacuation procedure for a suspected terrorist attack should instruct people to disperse in multiple directions, rather than gather in one place.

7.35 Additionally, fire can be used as a weapon in an attack so the activation of a fire alarm should not immediately be assumed to be only a fire. It may not be initially clear that a fire is part of a terrorist attack but, once this has become apparent, any evacuation procedure should take that into account.

7.36 In addition to the considerations at paras. 7.20 to 7.32, when developing an evacuation procedure, the responsible person should consider:

• The possible situations in which an evacuation would be the best course of action in response to an attack, taking account of the location and layout of individual premises. To aid this, the responsible person should consider where the attack might be taking place, whether inside or outside the premises.
• How evacuation plans for terrorist attacks complement, and do not conflict with, the evacuation plans for fire emergencies. This includes how an evacuation procedure for a terrorist attack would be communicated to people. For example, where possible, evacuation plans for terrorist attacks should avoid using the normal fire alarm on the basis that people may respond inappropriately to the threat. Even though the methods are different, evacuation plans for a terrorist attack can be tested and practiced in the same way that a fire evacuation plan would be tested.
• Whether it is safer for people to move away from the premises, the event and the immediate vicinity instead of gathering in a specific place nearby. Dispersal from the premises is likely to be the most appropriate action rather than gathering in one place. This is because a specified gathering point could be exploited by a terrorist during an attack, especially where that point is publicly advertised or can be predicted.
• Whether other procedures listed in this section may need to be used in conjunction with the evacuation procedure to ensure its effectiveness and avoid any conflicts. For example, a lockdown (see paras. 7.41 to 7.45 on lockdown) may be used before an evacuation procedure to ensure members of the public are protected while waiting to be evacuated.

Example: A waiter working in a standard tier restaurant finds a bag when he goes to clear a table. He had already noticed that the previous person at that table had eaten alone, seemed impatient and left quickly after paying with cash. The bag was located behind a large pot plant next to the table. The waiter alerts the duty manager who is concerned about the bag, in conjunction with possible suspicious behaviour, and decides to evacuate the restaurant. The duty manager instructs staff to evacuate everybody from the premises and then calls the police.

7.37 When developing an evacuation procedure, the responsible person for larger or more complex premises or qualifying events should also consider:

• How to ensure a rapid assessment can be made in the event of a terrorist attack on the premises or at the event and how this can be communicated to those present (as per a communication procedure). Reports from security officers and staff, active monitoring of CCTV systems and possibly fire alarm systems may inform this assessment.
• How evacuation plans are co-ordinated if the premises are located within larger premises or are part of a larger complex (for example, a shopping centre). For example, shared exits might get crowded or blocked if everyone tries to use them at once without co-ordination. For further information on co-operation and co‑ordination, see chapter 6.
• Whether it could be appropriate to have plans for other types of evacuation to respond to different types of attack at larger or more complex premises. There are several types of evacuation to consider set out at figure 8.

Figure 8: Types of evacuation procedure ^{[footnote 55]}

Types of evacuation	Summary
Full evacuation	This is the evacuation of the entire premises or event.
Partial (or zonal) evacuation	This is the evacuation of a limited area of the premises or event. This may be suitable for larger premises, or where the premises or event are divided into zones that can be secured.
Phased evacuation	This is where those at the premises or event are evacuated in stages. This is necessary when exit routes have limited capacity.
Directional evacuation	This is where certain evacuation routes are used selectively or adjusted to avoid known threats in certain areas.

7.38 There will be different considerations in relation to evacuation procedures if hazardous substances are used in an attack. It is recommended that those responsible for qualifying premises or qualifying events should familiarise themselves with these considerations in NPSA’s guidance. ^{[footnote 56]}

Example 1: Volunteers in a village hall, which is in scope of the standard tier, notice a strong, unusual smell coming into the reception area and several people report coughing and dizziness. The volunteers do not know the cause, but they suspect there may be a hazardous substance involved. In response, a senior volunteer duty manager initially decides to invoke lockdown procedures, closing internal doors and moving occupants away from entrances and windows while emergency services are contacted.

Following advice from the emergency services that the release may be inside the building, the senior volunteer decides to evacuate, directing people out of the premises via a rear exit to move to a safe assembly point as identified and communicated by the emergency services. The volunteers remain prepared to adjust between evacuation, invacuation or lockdown as further guidance is received from the emergency services.

Example 2: During a live music event at a large and complex concert venue, an individual releases an unknown liquid into the crowd, targeting members of the public. The substance immediately causes a burning sensation and visible injuries to several people.

Security staff recognise the incident as a suspected corrosive substance (or acid) attack and begin emergency procedures. Unaffected members of the public are evacuated away from the contaminated area to reduce further exposure and cross contamination.

Casualties are moved away from the source of the substance, and contaminated outer clothing is removed in line with REMOVE principles (part of Recognise, Assess, React guidance). ^{[footnote 57]} In line with first aid for corrosive injuries, copious amounts of water are applied to flush affected areas continuously until the arrival of the emergency services, while maintaining communication with the control room for further instructions.

Public protection procedure: invacuation (section 5(3)(b) of the Act)

7.39 The purpose of an invacuation procedure is to move people away from danger to a place within the premises or event where there is less risk of physical harm being caused to them. This can include bringing them into the premises or event from outside, in circumstances where it is safe to do so. It can also include moving people within the premises or event to one or more pre‑determined safe spaces within the premises or event. This type of procedure may be the most appropriate way to get people to safety if an attack happens outside the premises or in one part of the premises, or if emergency response communications advise that this is the appropriate course of action.

7.40 In addition to the considerations at paras. 7.20 to 7.32, when developing an invacuation procedure, the responsible person should consider:

• The possible situations in which an invacuation would be the best course of action in response to an attack, taking account of the location and layout of the premises. To aid this, the responsible person should consider where the attack is taking place, whether inside or outside the premises.
• Identifying safer areas with capacity for people to shelter or ways to bring people into the premises and keep them safe. This could include identifying specific safer areas that are at a distance from windows, exterior walls and entry points, or bringing people into the main area of the premises and locking the doors and shutters on entry and exit points.
• How invacuation procedures are co-ordinated to avoid confusion or unintended dangers, particularly where the premises are near to other premises, are located within larger premises, or are part of a larger complex (for example, a shopping centre). If multiple premises plan to use the same safe zones without co-ordination, these could become overcrowded.
• Whether other procedures listed in this section may need to be used in conjunction with the invacuation procedure to ensure its effectiveness and avoid any conflicts. For example, a lockdown procedure (see paras. 7.41 to 7.45 on lockdown) may be used after an invacuation procedure to secure the premises once people have been moved to safe areas.

Example 1: A standard tier high-street café has outdoor seating on the pavement. A few hundred metres up the road, a car crashes into a seating area outside a small shop, narrowly missing several pedestrians. The shop owner notices that the driver and a passenger leap out, each carrying multiple glass bottles containing an unknown substance. The shop owner quickly assesses the situation and locks the front door, ushering the people into the shop to a back room. The shop owner calls the police and also posts a message on an incident reporting chat group for local businesses. A member of staff at the café spots the message and immediately instructs everyone on the pavement to move indoors (and then into a back room), securing the front door.

Example 2: An enhanced tier city centre museum has a special exhibition that is proving unexpectedly popular following media coverage. People have started to queue on the pavement outside awaiting entry. An explosion occurs and a nearby building looks to be damaged. Two volunteers who are engaging with people in the queue quickly assess the situation and decide to contact the emergency services and move everyone in the queue into the museum. Once everyone is inside, they are instructed to move to a pre-determined safer area.

Example 3: A firework display is taking place in a park. The firework display meets the criteria to be a qualifying event. During the event, a suspected attack using a knife occurs. As the display is outdoors and there are no safe internal areas to move people to, invacuation is not appropriate. The responsible person for the event had already considered the appropriate and reasonably practicable procedures for the event and decided that evacuation would likely be the most appropriate response to a threat, given the nature and layout of the event.

Therefore, staff follow planned procedures to guide spectators away from the danger and toward safe exits, using loud hailers to give loud and clear instructions to ensure a swift evacuation. They also contact the emergency services. On reaching the exits, people are instructed to disperse.

Public protection procedure: lockdown (section 5(3)(c) of the Act)

7.41 A lockdown is a procedure used to secure the premises, preventing people from entering or leaving the premises or event to keep people away from danger. A partial lockdown may also be used to secure parts of the premises or event, if an attack is occurring within a different part of the premises or event.

7.42 Lockdown procedures focus on securing points of entry and exit, such as by locking doors, closing shutters or using other available barriers, to prevent access to and exit from all or part of the premises. These actions are to deter and delay attackers but also prevent people from accidentally moving towards areas of danger. This is intended to reduce the number of potential casualties. An evacuation procedure may follow a lockdown procedure when it becomes safe to do so. Additionally, an invacuation procedure may happen before a lockdown procedure.

7.43 There are different types of lockdown procedure to consider. A full lockdown prevents people from entering or exiting the premises or event. A partial lockdown involves only locking certain entry and exit points while keeping others operational, for example, allowing people to escape in a safe direction. NPSA has produced a short animation and lockdown guidance that could assist with understanding the different options. ^{[footnote 58]}

7.44 In addition to the considerations at paras. 7.20 to 7.32, when developing a lockdown procedure, the responsible person should consider:

• The possible situations in which a lockdown would be the best course of action in response to an attack, taking account of the location and layout of the premises. To aid this, the responsible person should consider where the attack is taking place, whether inside or outside the premises.
• Which types of lockdown procedure could be most appropriate at their premises or event, and the circumstances in which they should be used.
• Identifying safe areas with capacity which can be secured, and the process required to secure the areas. For example, some premises may have automated systems to secure entry and exit points, while others follow manual processes. Note that some entry and exit points could have provisions to enable them to be unlocked for the purposes of fire evacuations (in some cases, automatically) and that should be considered.
• The number of individuals that can reasonably be expected at the premises or event at the same time, to determine how best to use the site in the event of an attack.
• Whether there is existing equipment or are existing structures in place that could be used in a lockdown. For example, can doors be easily locked and are windows able to be secured?
• How any lockdown procedures can be co-ordinated to avoid confusion or unintended dangers and help alert neighbouring premises that an attack is underway, particularly where the premises are located within larger premises or a larger complex.
• Whether other procedures listed in this section may need to be used in conjunction with the lockdown procedure to ensure its effectiveness and avoid any conflicts. For example, a lockdown may be preceded by a communication procedure to ensure people present at the premises or event have been moved away from danger before the lockdown is started.

Example 1: An enhanced tier theatre locks the front, side and rear doors to prevent suspected attackers at the front of the building from gaining entry and to prevent people from exiting into the area where the suspected attackers are. They also contact the emergency services. When it is safe to do so, the audience is evacuated through the rear doors which are not accessible from the street where the danger has been identified. The audience is instructed to disperse, taking routes avoiding the location of the attack.

Example 2: A suspected attack is occurring within a school building. Staff contact the emergency services and direct those inside the building to a pre-designated safer area. This has been identified as such because the entry and exit points can be secured from within and there are no windows.

7.45 When developing a lockdown procedure, the responsible person for larger or more complex premises or qualifying events should also consider:

• Whether existing equipment or existing structures could be used in a lockdown. For example, are doors easily locked and windows able to be secured? Can security shutters on external doorways be operated from within the premises? Are there internal fire shutters that could be used to support a zonal lockdown? Can any lifts be disabled?
• As with evacuation, whether there may be different types of lockdown procedure to consider when dealing with larger or more complex premises or events. Figure 9 shows the different types of lockdown procedure.

Figure 9: Types of lockdown procedure ^{[footnote 59]}

Types of lockdown	Summary
One-way lockdown	This lockdown prevents entry but allows people to exit.
Two-way lockdown	This lockdown restricts both entry and exit.
Partial lockdown	This is where only certain doors are locked, such as entrances that are located near an incident taking place, while keeping some other exit routes open. This can be implemented as a one-way or two-way lockdown.
Zonal lockdown	This is where specific pre-designated areas are locked down within the premises. This can be implemented as a one-way or two-way lockdown.

Public protection procedure: communication (section 5(3)(d) of the Act)

7.46 The purpose of a communication procedure is to ensure information is provided to people at the premises or event, alerting them to danger as quickly as possible if an attack is taking place. It ensures people are provided with instructions, where it is safe to do so.

7.47 Effective communication with those on the premises or at the event is essential to enable the other procedures to be started quickly, reducing the risk of harm to people. Communication can take many forms, including verbal communication, signage, posters, briefings and audio broadcasts. Communication could include a range of messaging such as to move inside and stay away from windows, to move to a designated safer space or safe exit route, to move to the back of the building to wait for further instructions, or simply to get down, stay quiet and stay hidden. This information should be shared quickly.

7.48 In addition to the considerations at paras. 7.20 to 7.32, when developing a communication procedure, the responsible person should consider:

• What information should be communicated, both to members of the public and to staff at the premises, as this information might differ. Information should be simple and clear to ensure any instructions are easy to understand and should be specific to the actions required to follow the relevant procedure.
• Who will share information when activating a procedure and who needs to be informed at the premises or event, and in the immediate vicinity if appropriate. This includes how staff will communicate with each other and how information will flow between staff and decision-makers.
• How to quickly share information in the way that works best for the premises or event. For example, public address systems, loud hailers/megaphones, closed radio systems and alarms could be used at larger premises or events, and more basic forms of alert such as giving loud, clear verbal commands could be used at smaller premises.
• How to embed communication channels, processes, and roles and responsibilities prior to needing to use them. This could be achieved by documenting procedures, briefing staff and testing the communication procedure to ensure effectiveness and that staff are alert.

Example: A standard tier hotel has a lobby where guests gather to check in and out. A guest reports to the receptionist that they have seen an unattended bag in a corner of the lobby. Separately, a member of staff has reported that they saw an individual acting suspiciously in the same area. The receptionist informs the duty manager who uses a public announcement (PA) system to alert staff to begin the evacuation procedure through the back doors of the hotel, the furthest distance from the lobby. The receptionist calls the police to report the item.

7.49 When developing a communication procedure, the responsible person for larger and more complex premises or qualifying events should also consider:

• Where people may be located when information is communicated and whether information will reach them effectively in those areas.
• How each procedure will be communicated effectively. For example, the instructions communicated for an evacuation procedure should be different to the instructions communicated for a lockdown procedure.
• How the communication procedure could be used without activating another procedure – for example, to encourage general awareness of suspicious activity or to give instructions related to measures like bag checks.

Example: A large, complex sports stadium has a CCTV system and a control room. The CCTV system is continuously monitored by staff who have completed bespoke training on operating CCTV. Additionally, all the staff in the stadium are required to undertake awareness e-learning on how to spot and report suspicious activity.

A staff member on the concourse sees an unattended bag inside the stadium, near a bin at a concession stand. The staff member asks a colleague to alert the control room in person while they ensure the bag is not approached, following their learning on how to be alert to suspicious items and behaviours. The footage is quickly reviewed and a man is seen placing the bag at that location before walking away towards an exit. Based on their training, the control room supervisor assesses that this could be an improvised explosive device (IED).

Using their established communication procedure, the control room supervisor alerts stadium staff who move people away from the suspicious item and keep the area clear until emergency services attend the scene. The control room staff contact the emergency services.

7.50 Good practice guidance on protective security, including public protection procedures, is available on the ProtectUK and NPSA websites. ^{[footnote 60]}

Training, learning, instruction and counter-terrorism awareness

7.51 There is no statutory requirement in the Act for the responsible person, or for staff working at qualifying premises and qualifying events, to carry out specific training, learning or instruction related to counter‑terrorism or the Act’s requirements. However, as part of ensuring that public protection procedures are in place and can be enacted quickly and effectively, those working at the premises with responsibility for carrying them out (as identified by the responsible person) must be made aware of the procedures and their specific role. They also need to be provided with the understanding, experience and tools required to carry them out effectively.

7.52 If staff who are responsible for carrying out the procedures are not informed of those procedures or trained in how those procedures should be implemented, it is likely to be difficult for the responsible person to demonstrate that appropriate and reasonably practicable procedures are in place.

7.53 Staff should be aware of the procedures, how they relate to their role (for example, supervisors compared to general staff) and what they should do in specific scenarios – for example, enact a procedure or follow instructions. Training, learning and instruction can take various forms including, but not limited to, formal training courses, team briefings, annual refresher briefings, induction sessions, shadowing others, supervised practice with specific equipment, e-learning modules or structured training courses.

7.54 The responsible person should also note whether any licences are mandated for staff to carry out their role by other legislation. For further information on SIA licences required under the Private Security Industry Act and information on SIA voluntary schemes which may enhance private security provision, visit Security Industry Authority – GOV.UK. ^{[footnote 61]} The Act does not supersede other legislation and all legislation must be complied with.

7.55 It is not mandatory to pay for third-party training or learning to comply with the Act’s requirements. However, the responsible person may contract relevant training to assist in meeting their obligations under the Act if they deem it necessary, helpful or appropriate.

Example: The responsible person for a village hall in the standard tier ensures public protection procedures related to lockdown are in place, which they deem to be appropriate and reasonably practicable. To ensure all volunteers understand how to implement the lockdown procedures, the responsible person organises internal learning for all the volunteers as part of their onboarding process, whereby a senior volunteer explains the procedure. The procedure is also written down and put on the wall of the staff room, where it is clearly visible.

The responsible person sees a course advertised online which costs thousands of pounds and claims to make attendees compliant with the Act. The responsible person decides that their staff have an appropriate understanding of the lockdown procedure and that this training course will not be necessary in their circumstances.

7.56 Staff with specific responsibilities may require different or additional training, learning or instruction than others working at the premises. The training, learning or instruction provided should be tailored to the premises and the procedures in place, focusing on the specific procedures rather than simply completing a generic module or course. For example, the responsible person may assess that those in supervisory roles would benefit from tailored instruction on their role and their team members’ roles in responding effectively, noting that they are likely to be the person activating a procedure in their role as a manager. There could also be a need for sector-specific training, learning or instruction.

7.57 If any of those working at the premises have prior security training (for example, they have completed training for an SIA licence), additional site-specific training, learning or instruction on the procedures and measures in place at the premises or event is still likely to be necessary for those individuals.

7.58 Creating a document for staff which sets out the relevant procedures, how to follow them and clear roles and responsibilities could be – and in practice probably will be – appropriate. This could be in the form of a briefing, a quick reference guide or a prompt card that could be carried (like a credit-card-sized aide memoire). For enhanced tier premises and qualifying events, there are further training and awareness considerations (see paras. 8.49 to 8.55).

Counter-terrorism awareness

7.59 It is good practice for all staff working at qualifying premises and qualifying events, regardless of their role, to understand that a terrorist attack could occur. The requirement for responsible persons to ensure appropriate procedures and/or measures are in place under sections 5 and/or 6 of the Act should require, so far as it is reasonably practicable, that all members of staff are trained to be alert to suspicious items and behaviours, know how to report concerns and understand the importance of reporting concerns quickly.

7.60 Counter-terrorism awareness could be built and maintained through various methods including site-specific induction training, formal training or e‑learning (with periodic refreshers), regular updates in team or management meetings, start‑of‑shift briefings, and awareness material such as posters or internal communications. Visual reminders, such as posters or actions cards, can reinforce key messages about identifying and reporting suspicious activity. Free resources, such as ACT Awareness e-Learning and action cards setting out the response to certain attack types are available on ProtectUK and could assist with this. ^{[footnote 62]}

7.61 It is not mandatory to pay for third-party training or learning to comply with the Act’s requirements. However, the responsible person may contract relevant training to assist in meeting their obligations under the Act if they deem it necessary, helpful or appropriate.

7.62 Certain roles, such as those which are public facing, may require a deeper understanding of the terrorist threat and suspicious activity to enable a swift and effective response. The responsible person could consider whether additional role-specific training is needed. For further information on available resources to help build and maintain overall counter-terrorism awareness, see supplementary document C. ^{[footnote 63]}

Requirement to co-ordinate (section 8 of the Act)

7.63 Paras. 6.16 to 6.20 provide information on the co-ordination requirement for the responsible persons for standard tier premises, enhanced tier premises and qualifying events. The responsible persons for such premises and events must co‑ordinate with each other, so far as is reasonably practicable, in complying with the Act’s requirements. For a responsible person, the obligations arise where more than one individual, organisation or company is responsible for qualifying premises or a qualifying event, or where qualifying premises form part of other qualifying premises.

Example: Those responsible for shops within a shopping centre and the responsible person for the shopping centre itself co-ordinate public protection procedures for individual premises and the immediate vicinity. They ensure that their duty managers communicate with one another on a regular basis and update each other on any issues or information they may have. They do this by arranging a formal shopping centre tenants’ group meeting, with protective security listed as a standing agenda item, and establishing a real-time communications channel.

The shops are of differing sizes and design. Some have large, lockable storerooms and some do not. They all have emergency exits leading to the same area at the back of the shopping centre and some have other emergency exits. The responsible persons for the premises co‑ordinate to ensure that their procedures would not conflict with each other, should they need to be activated in response to an attack. For example, they co-ordinate to ensure that any shared evacuation routes would have capacity to allow the evacuation of multiple premises at the same time.

Notifying the regulator (section 9 of the Act)

7.64 Those responsible for qualifying premises or qualifying events must notify the SIA when they become responsible and when they cease to be responsible. There will be specific timeframes for notifying the SIA and specified information that must be provided. The Secretary of State will set out the requirements in terms of timescales and information by way of regulations enacted in accordance with section 9(3) and section 9(6) of the Act.

Chapter 7 – summary

• All premises and events in scope must ensure appropriate public protection procedures are in place, so far as is reasonably practicable.
• The four public protection procedures in the Act are evacuation, invacuation, lockdown and communication.
• Evacuation is the process of getting people away from danger by moving them out of the premises or event, or a part of the premises or event.
• Invacuation is the process of moving people away from danger to a place within the premises or event where there is less risk of physical harm being caused to them.
• Lockdown is the process of securing the premises or event to prevent individuals entering or leaving.
• Communication is the process of ensuring information is provided to individuals at the premises or event, alerting people to danger and providing instructions, where safe to do so.
• As part of ensuring that public protection procedures are in place, and that they can be enacted quickly and effectively, staff with responsibility for carrying out procedures should be adequately informed of the relevant procedures and, where appropriate, receive training, learning or instruction on how to implement them.
• Those responsible for qualifying premises and events must co-ordinate with each other, so far as is reasonably practicable. This is the case if premises or events have more than one responsible person, or if one qualifying premises are within another qualifying premises.
• Those responsible for qualifying premises or qualifying events must notify the SIA when they become responsible and when they cease to be responsible.

Chapter 8:  Additional requirements for enhanced tier premises and qualifying events

8.1 Those responsible for enhanced tier premises or qualifying events must ensure the requirements set out in chapter 7 are met. This chapter details the additional legal requirements in the Act for enhanced tier premises and qualifying events. As with previous chapters, the word ‘must’ is used to indicate a legal requirement in the Act, ‘should’ is used to indicate something that is not an express requirement, but is strongly recommended or encouraged good practice, and ‘could’ is used for something that is not a legal requirement, but is an optional suggestion or example.

The responsible person for enhanced tier premises and qualifying events must additionally:

• ensure appropriate public protection measures are in place (section 6 of the Act), so far as is reasonably practicable
• document the procedures that are in place, and measures that are in place, or are planned to be put in place, and an assessment of how they are expected to reduce the risk of physical harm to individuals and/or reduce the vulnerability of the premises or event (section 7 of the Act)
• if the responsible person is an organisation or company, and not a single individual, designate a senior individual with responsibility for ensuring compliance (section 10 of the Act)
• for individuals and organisations that have control of premises but are not the responsible person, co-operate with the responsible person as required (section 8 of the Act)

Additional considerations for evacuation, lockdown and communication public protection procedures (section 5 of the Act)

8.2 As for standard tier premises, public protection procedures for enhanced tier premises and qualifying events will be a set of actions, or a plan, that staff at qualifying premises or qualifying events can take to reduce the risk of harm to people (including staff) if they suspect an act of terrorism is occurring or about to occur at the premises, the event or in the immediate vicinity. The purpose of public protection procedures is to reduce the risk of physical harm in the event of a terrorist attack.

8.3 Given the larger and/or more complex nature of enhanced tier premises and qualifying events, the public protection procedures may themselves be more complex. Procedures must be appropriate to the scale and nature of the premises or qualifying event and aligned with the public protection measures in place (see public protection measures at paras. 8.7 to 8.48). Therefore, there are some additional points that the responsible person should consider at larger or more complex premises. These are clearly noted within the considerations in chapter 7.

8.4 Larger premises are more likely to have mechanisms in place that can give relevant staff greater situational awareness regarding location and attack method. This could be achieved, for example, through having more staff in attendance able to monitor for suspicious activity, or through CCTV systems that are actively monitored in a control room. This greater situational awareness can prove valuable in determining the most appropriate public protection procedures to implement in a particular situation as quickly as possible.

8.5 Although it is strongly recommended, the Act does not require public protection procedures in place under section 5 of the Act to be kept under review. By contrast, the responsible person for enhanced tier premises must keep under review the public protection measures which they have in place for the purpose of complying with section 6 of the Act. In practice, the responsible person for enhanced tier premises or qualifying events should also keep under review the procedures which they have in place with a view to complying with section 5 of the Act.

8.6 The responsible person should review both procedures and measures so that they remain up-to-date. This can help ensure that procedures and measures remain appropriate and reasonably practicable over time, taking account of changes to the premises or event, and their operations. A review should be carried out periodically and could be carried out annually, however this will depend on the circumstances of the premises or event.

Public protection measures (section 6 of the Act)

8.7 Public protection procedures are actions, planned in advance, that can be implemented by relevant individuals to keep people safe in the event of a suspected or actual terrorist attack. Public protection measures are different in that they also seek to reduce the vulnerability of premises or events to a terrorist attack as an additional way of reducing the risk of physical harm caused by an attack. They may take the form of processes, actions carried out by people or physical mitigations.

8.8 For enhanced tier premises and qualifying events, the responsible person must ensure that appropriate public protection measures are in place, so far as is reasonably practicable. The responsible person must assess and keep under review the public protection measures to ensure they are appropriate to reduce the vulnerability of the premises or event to acts of terrorism, and to reduce the risk of physical harm caused by an attack.

8.9 It is important to remember that, alongside the requirements in the Act, a good security culture can be very effective in ensuring people are protected from harm. A security culture is a set of values, shared by everyone in an organisation, which determine how people are expected to think about and approach security.

8.10 Public protection measures are measures relating to the types set out in figure 10.

Figure 10: Public protection measures

Public protection measures are those in relation to:	Description
Monitoring	Measures relating to the monitoring of the premises or event, and the immediate vicinity. Monitoring measures are intended to enable the detection and identification of suspicious activities and items that may be indicators of a terrorist attack.
Movement	Measures relating to the movement of individuals into, out of and within the premises or event. Movement measures are intended to control, prohibit, restrict or reduce the movement of people into, out of and within premises and events.
Physical safety and security	Measures relating to the physical safety and security of the premises, or the premises at which the event is to be held. These measures are intended to strengthen the physical safety and security of premises and events to mitigate the potential impacts of attacks and/or deter or hinder attackers.
Security of information	Measures for the security of information are intended to ensure that information about the premises, their operation, design, usage or internal workings are not widely available and accessible to those who may use it for planning a terrorist attack.

8.11 Measures may be implemented through:

• people: for example, members of staff who are briefed, instructed or trained to implement the measures
• policies or processes: these are principles setting out the expectation for the measures, for example, a bag search process is underpinned by policies on the size of bags permitted and prohibited items
• physical mitigations: these will impact on the infrastructure of the premises or event and reduce their vulnerability to a terrorist attack, for example, hostile vehicle mitigation measures or CCTV systems

8.12 The implementation of the public protection measures through people, policies and/or physical mitigations needs to be tailored to each qualifying premises or qualifying event, avoiding a one-size-fits-all approach.

Terrorist attack methods

8.13 Enhanced tier premises and qualifying events must ensure measures are in place to reduce the vulnerability of the premises or event to acts of terrorism. Vulnerabilities, as per the glossary at chapter 3, are weaknesses that may be exploited by an attacker to achieve an impact, such as harm to people or the organisation. When assessing vulnerabilities, the responsible person must consider the vulnerability of their premises or event and should consider their vulnerability to specific attack methods listed below at figure 11. ^{[footnote 64]}

8.14 It is important to note that methods of attack have changed over time and will continue to evolve beyond this guidance. Up-to-date information and guidance on attack methods, and public protection procedures and measures, are available from ProtectUK and NPSA. ^{[footnote 65]} The responsible person for qualifying premises and qualifying events should review this information from time to time to ensure they have the most up-to-date understanding.

It is important to note that some guidance materials include videos that recreate attack scenarios for educational purposes. These may be distressing or triggering for some viewers and viewer discretion is advised.

8.15 It is important to be aware that terrorist attacks can take many different forms. The exact nature of an attack may not be clear, particularly in its initial stages. Attacks can vary in motivation, purpose, complexity and sophistication. An attack may involve one or more attack methods, involve a single individual or a group, involve one or more attacks occurring simultaneously or in close succession, and may affect specific types of premises, a certain event or a wider area. Individuals at premises and events may not know if the incident taking place is a terrorist attack.

8.16 Therefore, in addition to the usual considerations for public protection procedures, such as the specific nature of the premises and the surrounding area, the responsible person for enhanced tier premises or a qualifying event should also pre‑emptively focus on the methods associated with terrorist attacks when considering the vulnerability of their premises or event to an attack. Ultimately, those responsible for qualifying premises and events should ensure that measures and procedures are, so far as is reasonably practicable, appropriate for a wide range of attack scenarios at their premises or event.

8.17 Figure 11 highlights the methods of terrorist attack that responsible persons for enhanced tier premises and qualifying events should consider in relation to public protection measures. These have all featured in previous UK terrorist attacks or attack planning. Similar to para. 7.15 for procedures, the Act does not require measures to be developed and put in place for each individual type of attack. Nonetheless, the responsible person should consider how different terrorist attack methods might impact premises or events and the people present there when developing their measures.

Figure 11: Methods of terrorist attack

Method of attack	Description of possible incident
Marauding terrorist attack (MTA)	This is where one or more attackers move through a location aiming to find and kill (or injure) as many people as possible. Attackers may use bladed weapons, blunt force objects, firearms or other weapons to attack people. Attacks can be fast moving and violent and may also incorporate the other attack methods below. At their simplest, they can be low complexity, low cost and require little planning or skill, and may be perceived as less likely to be detected in the planning phase.
Vehicle as a weapon (VAW)	This is where a vehicle is used to cause harm to individuals or damage to property, buildings or infrastructure. VAW attacks are low complexity, low cost, require little planning or skill, and may be perceived as less likely to be detected in the planning phase.
Improvised explosive device (IED)	Explosive devices can come in many forms. They can differ in how they are delivered, their size and the damage they could cause. They can injure people and/or damage property through a combination of blast pressure and shrapnel (from the device itself and/or nearby objects). Devices might be carried or placed somewhere by a person (sometimes known as a person-borne IED), transported in a vehicle (sometimes known as a vehicle-borne IED), delivered by drones, or arrive through the post or other delivery. They can be set off in different ways, including by the attacker (in person or remotely) or using other means such as a timer.
Fire as a weapon (FAW)	This is where fire is deliberately used with the intent to cause harm. This type of attack may cause harm to people, property or both. Fire or flammable materials can also be used to distract people, to create visual effect, to trigger a fire evacuation, or to disrupt or slow down the emergency service response. It is important to note that it is unlikely to be immediately obvious that an attack involving fire is a terrorist attack – it could easily be mistaken for another kind of fire. The responsible person should consider this when developing the procedures and measures. They should also consider all other legislation, including fire safety, alongside the Act to ensure the respective procedures do not conflict.
Hazardous substances	Some attacks might use toxic, corrosive or flammable chemicals, or biological or radioactive materials. While many of these materials are used legally for domestic, industrial and commercial reasons, access to them is carefully controlled. The harm caused by such an attack depends on what substances or material is used and how it is used. Terrorist attacks using hazardous substances are rare but can be devastating. These types of attacks are often referred to as CBR attacks – short for chemical, biological and radiological.

Developing public protection measures

8.18 The responsible person must consider what is appropriate and reasonably practicable in relation to each public protection measure. ‘Appropriate’ means ensuring measures are suitable for the premises or event in relation to the vulnerability of the premises or event to an attack.

8.19 Once the responsible person has considered what is appropriate for their premises or event, they must then consider to what extent each appropriate measure can be put in place, so far as is reasonably practicable. As set out at paras. 7.20 to 7.32, when determining what is reasonably practicable for public protection procedures, the responsible person should consider their circumstances, including the nature of the premises or event and the resources available to them. In practice, considering whether something is reasonably practicable is about considering what is proportionate. This is the same when considering what is reasonably practicable for public protection measures. It is not about doing something or nothing, it is important to consider the scale of intervention in developing procedures and measures, based on what is appropriate and reasonably practicable, and also reviewing this over time.

8.20 To establish what is reasonably practicable, it is necessary to consider the objectives of public protection measures, balanced against the cost, time and difficulty involved in implementing them .^{[footnote 66]} This may require consideration of the likely effectiveness of any particular procedure or measure weighed against the burden of its implementation (in terms of cost and feasibility). The responsible person must take account of the overall objectives of public protection measures. These are to reduce the vulnerability of the premises or event to an act of terrorism, and to reduce the risk of physical harm to people if an attack occurs, balanced against the cost, time and effort required. The responsible person for enhanced tier premises or qualifying events will also need to document their rationale for their considerations. See paras. 8.56 to 8.67 for further details.

Example 1: The responsible person for an enhanced tier nightclub has determined that an appropriate public protection measure for the movement of individuals should involve CCTV. The responsible person already has CCTV covering the premises that is actively monitored when the premises are open to the public. However, there is one blind spot of particular concern as that area is identified as a vulnerability. The responsible person considers that effective coverage can be achieved by ensuring the blind spot is included in the schedule of random patrols as a temporary measure, pending a planned upgrade of the CCTV system later in the year. The rationale for this decision is recorded as part of the process of documenting compliance.

Example 2: The responsible person for an enhanced tier hotel has assessed their measures for the physical security of their premises and determines that it may be appropriate to use blast-resistant glazing on windows and doors, reducing the risk of physical harm to individuals in the event of an attack using an improvised explosive device (IED). However, this is not considered reasonably practicable due to budgetary constraints making it prohibitively expensive. Instead, the responsible person in this instance suggests upgrading the glass as part of a planned wider refurbishment of the hotel, making it more cost effective. The rationale for this decision is recorded as part of the process of documenting compliance alongside mitigations that will be taken in the meantime.

Example 3: A community-owned rugby union club has an average attendance of 500 members of the public plus 15 staff members on match days. However, historic data shows that they have exceeded 800 individuals present at any one time on several occasions when they have played their local rivals. Therefore, the premises are in the enhanced tier.

The rugby club has limited income and has little to spend on public protection measures. The responsible person assesses that the current entry queue at ticket booths could be vulnerable to a vehicle as a weapon attack due to the straight approach road through the car park.

The club considers how to mitigate this vulnerability. They could introduce protective bollards between the road and the queue. However, these measures would cost many thousands of pounds to introduce and would require the club to take out a substantial loan. The responsible person does not view this as reasonably practicable but still recognises that this vulnerability should be mitigated against.

The stadium has a rear entrance on an open terrace that is accessed by a service road. Vehicle access to the service road can be prevented by use of a single removable bollard that is installed on match days. The responsible person chooses to use the alternative entrance for match days, as it mitigates the vulnerability at minimal cost.

8.21 Many of those responsible for qualifying premises and events will already undertake work to assess their vulnerabilities and will already have plans for responding to emergencies. It is important that these processes continue, however they should also ensure that the requirements of the Act are addressed. For those that do not have existing risk or vulnerability assessment processes, there are free resources available from ProtectUK (risk management basics and risk management process) and NPSA (protective security risk management) that may assist in thinking about this. ^{[footnote 67]}

8.22 The responsible person should also consider how their measures interact and do not conflict with existing guidance relevant to their sector, such as the Green Guide or the Purple Guide (further information about which can be found at supplementary document C). ^{[footnote 68]} For example, security measures must not impede the safe entry or exit of attendees at the premises or event, or create additional hazards and vulnerabilities.

8.23 The Act does not place express legal requirements on local authorities to ensure measures are in place in relation to land next to qualifying premises and qualifying events under the control of other responsible persons. However, local authorities in control or partial control of qualifying premises or qualifying events (in the circumstances contemplated in section 8(5) of the Act) must, so far as is reasonably practicable, co-operate (in accordance with duty set out in section 8(6) of the Act), to enhance protective security. ^{[footnote 69]}

8.24 Staff should be appropriately trained to understand the procedures and measures in place. If no one working at qualifying premises or qualifying events knows how to carry out the relevant measures, the measures are not properly in place and the requirement has not been complied with. For example, searches of individuals could be underpinned by policies in terms of what items are prohibited and who is to be searched, as well as procedures for how searches are to be conducted, which equipment to use, the response if a prohibited item is found, and taking account of necessary adjustments for those with protected characteristics. Further information can be found at paras. 8.49 to 8.55.

Example: An events organisation has hired a warehouse to host an art fair. The art fair meets the criteria to be a qualifying event. As part of the qualifying event’s public protection measures related to movement, the events organisation introduces a process to conduct searches of individuals and bags on entry to the warehouse.

A percentage of individuals are selected for screening on a random basis. The screening process generally takes place in full view of other members of the public and staff, to ensure the process is efficient and swift. The events organisation considers their duties under the Equality Act 2010. They realise that some individuals require a longer or modified search process (for example, because the individual is wearing heavy clothing or has a disability), and that some individuals may prefer a more private screening process, based on their protected characteristics or other reasons.

The events organisation develops an equally effective, but more appropriate, search process for those who request it for such reasons by introducing private search booths.

8.25 In addition to the information at paras. 8.18 to 8.24, the responsible person must consider the appropriateness of the public protection measure and the extent to which introducing the measure could be considered reasonably practicable. This is an obligation under section 6 of the Act. For the purpose of fulfilling this obligation, the responsible person should consider the following when developing public protection measures:

• An assessment of:
  • the nature of the premises or event, such as the location, layout, status (for example, specific considerations around listed buildings, heritage assets) and the business, operating model or financial model
  • what the premises are being used for, or the type of event taking place
  • the number of individuals likely to be present at any one time, the types of staff at the premises or event, and the experience of staff
  • the types of acts of terrorism that could occur at the premises or event, or in the immediate vicinity (see figure 11 for methods of terrorist attack) and how this may impact the measures in place
  • other premises nearby and any measures they may also have
  • how their measures will interact with existing legislation such as health and safety and fire regulations

• The design and implementation of public protection measures, including:

  • the key roles and responsibilities involved in implementing each measure
  • existing equipment or apparatus that may be used (for example, doors, locks, CCTV installed for other purposes) and available resources, including staffing, subject to an assessment of what is reasonably practicable
  • how staff at the premises or event will be made aware of the measures, including theirs and others’ roles and responsibilities, and how staff will be provided with sufficient instruction, training and/or supervision (see paras. 8.49 to 8.55 on training, learning, instruction and awareness)
  • how the public protection measures work collectively (not just individually) to reduce vulnerability and protect those at qualifying premises or events (for example, there is little point in arranging search and screening of bags at a main entrance, if additional entrances or exits elsewhere at the premises are open and can be accessed without bag checks in place). Additionally, some public protection measures naturally overlap in their purpose (for example, perimeter patrols around premises can be both a measure relating to the movement of people and a measure relating to the monitoring of premises)
  • how the public protection measures work together with the public protection procedures to ensure that they do not clash with each other (for instance, ensuring that relevant movement measures are considered when planning an evacuation, invacuation or lockdown procedure)
  • how policies or processes can be adapted if any relevant equipment is out of use or if the relevant level of staffing required to implement a measure is unavailable; the responsible person could also consider contingency steps if there are staffing issues (for example, ensuring there is a manual process that can be used if electronic search equipment fails, or ensuring other staff members are ready and trained to step into security roles if required)

8.26 The responsible person must keep public protection measures under review and should have a plan in place for how to keep these measures under review. It is recommended that the responsible person could consider:

• How the measures can be tested and practiced ensuring they are fit for purpose and staff can implement or operate them effectively.
• How public protection measures will remain up to date and whether they need to be reassessed at various times, depending on material changes to the premises or other factors. This could include changes in the responsible person’s assessment of their procedures or measures and the extent to which they still reduce the risk of physical harm that could be caused to individuals in the event of a terrorist attack, or changes to the premises or event’s vulnerability to a terrorist attack.

8.27 The measures that are in place across all four types of measure should be considered and implemented as a whole system, based on what is appropriate and reasonably practicable.

8.28 Templates will be developed which are optional and indicative. They will be designed to assist with the documentation of public protection measures. There is no legal requirement to use these specific templates.

8.29 To be effective, those with responsibilities relevant to the operation of measures should have appropriate instruction or training and receive appropriate supervision to ensure that the measures are implemented effectively. Training and instruction should be tailored to the specific premises or event and the measures in place. Training needs and evidence of delivery of training and instruction should be documented. See paras. 8.49 to 8.55 for further information on training in relation to public protection measures.

Public protection measures in relation to monitoring the premises or event (section 6(3)(a) of the Act)

8.30 Monitoring measures are intended to enable relevant staff to identify, observe and report (or act on) suspicious activity and items that could be indicators of a terrorist attack, or suspicious behaviour if someone is preparing for an attack. Knowing what to report, who to report it to and how quickly to report it are essential parts of effective monitoring measures.

8.31 The key to this measure is alertness and clear reporting processes. Being aware of suspicious activity and alert to suspicious items helps to identify those with hostile intent, or people and items that could pose a security risk. Technology can be used to enable this (for example, CCTV). Where technology is used, staff should be trained to use it competently and effectively.

Example: A country house and its gardens are open to the public when they have purchased a ticket or membership. The country house also hosts an annual Christmas market. Historic ticket sale records show that the number of individuals present on the premises at the same time rarely rises above 400, including staff.

However, during the month of the annual Christmas market, the number of individuals present on the premises (including staff and stallholders) exceeds 799 individuals at any one time on more than one occasion. As this can be reasonably expected and the 800 threshold is expected to be met on more than one occasion – in this instance, on an annual basis for the Christmas market – the premises are in the enhanced tier.

Therefore, the responsible person must ensure that appropriate public protection procedures and public protection measures are in place, so far as is reasonably practicable. The responsible person reviews the public protection measures of the premises and notes that monitoring measures could be improved. However, parts of the premises are listed (this means legally protected due to the historic importance of the building) and cannot accommodate physical changes, such as the installation of CCTV cameras.

The responsible person therefore considers that such changes are not reasonably practicable. Instead, they consider alternative mitigation measures, such as ensuring a good level of staffing and pre-shift briefings for staff to remind them to pay attention to suspicious activity and how to report it.

8.32 The term ‘immediate vicinity’ means an area close to the premises, but there is no fixed distance associated with the term given that all premises and events are unique with different circumstances. For more information, see the glossary at chapter 3 and paras. 7.12 to 7.14. The responsible person for enhanced tier premises or a qualifying event must consider what monitoring measures are appropriate to monitor the immediate vicinity of the premises or event to reduce the vulnerability of the premises or event to an attack, or the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity.

Example: Before shows at an enhanced tier music venue, visitors queue in a clearly marked area around the side of the building while waiting to be granted access to the premises. This area is within the immediate vicinity of the venue. The responsible person considers how their public protection measures can reduce the vulnerability of this area to an attack.

In addition to other public protection measures, they implement monitoring measures. These comprise CCTV coverage of the area, which is monitored in a security control room by CCTV operators, as well as staff on the ground who are in radio contact with the security control room. All staff have been trained to spot suspicious behaviour or items, to report them, and to enact the relevant public protection procedures if required.

8.33 The table at figure 12 provides examples of the types of monitoring measures that could be appropriate to different premises and events. These are suggested measures for consideration. This list is not exhaustive, and some measures may not be suitable for all contexts.

Figure 12: Non-exhaustive list of examples for public protection measures in relation to monitoring

Examples of monitoring measures implemented through people

Public protection measures: monitoring	Description
Heightened awareness of staff	Security staff and other customer-facing staff with sufficient awareness (achieved through briefing, for example) to identify suspicious activity, items and vehicles. This can provide a basic, yet valuable, level of security in all areas at all times and can also be focused on areas of particular concern and vulnerability. For example, additional security personnel with radio contact with the security control room, if appropriate, could be deployed outside the premises at peak arrival and departure times to monitor for suspicious items and deter suspicious activity. Procedures could be exercised regularly through testing and drills to raise staff awareness.
Security patrols	Security staff may examine areas of the premises or event, such as entry and exit points. This may include checks on other measures in place. These should normally avoid being predictable. However, checks at specific times, such as immediately prior to people arriving and leaving, could also be appropriate.
Perimeter patrols	Security staff may examine the premises or event boundary, for example, checking that gates, doors and windows remain secure, as well as checking for suspicious items and activity.

Examples of monitoring measures implemented through policies and processes

Public protection measures: monitoring	Description
Searches of people	Security staff could carry out physical checks of individuals. This could involve a manual search (often known as a pat-down) and/or using electronic equipment (see physical mitigations below). Such checks should be carried out in accordance with policies on who and what should be searched and the items prohibited at the premises or event. It is worth noting that, while there is no legal basis to search people or their possessions, premises can make consent to such searches a condition of entry.
Searches of bags and other items (for example, pushchairs, mobility aids)	Security staff may carry out checks on the contents of items. Such checks should be carried out in accordance with policies on what should be searched and the items prohibited at the premises or event.
Access control measures including accreditation badges and access passes (electronic or otherwise)	Premises or events may have a policy to permit only authorised individuals into certain areas, allowing for monitoring of the individuals present. A variety of options are available, including visual and electronic checks of credentials (for example, passes) and manual or automated control of access. This measure could also be considered as a measure for controlling the movement of people (see paras. 8.34 to 8.38). This demonstrates how measures can be multi-purpose and cover several different public protection measures at the same time.

Examples of monitoring measures implemented through physical mitigations

Public protection measures: monitoring	Description
Search and screening technologies designed for high-footfall premises and events	These devices should be used by trained staff to search people and/or items, in accordance with policies on what should be searched and the items prohibited at the premises or event. This measure could also be considered as a measure for controlling the movement of people (see paras. 8.34 to 8.38). This demonstrates how measures can be multi-purpose and cover several different public protection measures at the same time.
CCTV systems with real-time monitoring by security control rooms	CCTV cameras may be used to monitor the premises or event and capture video footage. For larger premises and events, a security control room may provide a central hub for monitoring CCTV and initiating and co-ordinating the response to a terrorist attack.
Security lighting	Technology such as security lighting can assist in-person and CCTV-based monitoring activity, while also acting as a deterrent to those with hostile intent and a reassurance for the general public.
Voice-based alerts and sensors	Voice-based alerts can warn individuals present. A wide variety of intrusion detection sensors on fences, gates, doors or windows, as well as automated analytics of CCTV feeds, could be used to alert security control room staff to potential intruders.

Example 1: Front of house staff at a theatre welcome people entering the premises and proactively observe the foyer and queuing areas outside, monitoring for suspicious activity, items or vehicles. The staff have undergone awareness training on vigilance to help them look out for suspicious behaviours during interactions with visitors and how to report them.

Example 2: There is a CCTV network in place at a large shopping centre, supplemented by security staff conducting patrols to monitor visitors to the centre. CCTV feeds are monitored by a security control room for a variety of operational purposes, including countering terrorism.

Public protection measures in relation to controlling movement of people (section 6(3)(b) of the Act)

8.34 Movement measures are intended to control, prohibit, restrict or reduce the movement of people into, out of and within qualifying premises and qualifying events. Ensuring that access controls are in place at all or part of the premises or event is likely to be a fundamental part of most security regimes. At many locations, a perimeter will be obvious due to existing external walls, fences or boundaries, with public access points limited to certain doors, gates or vehicle entrances.

8.35 The Act refers to movement into, out of and within the premises – phrasing that implies some interaction with the surrounding area. It is important to note the holistic nature of the measures: while each measure has distinct requirements, in practice they interact and overlap to create a coherent overall security picture. As such, the immediate vicinity may be relevant to understanding the context of movement, without implying additional legal obligations as part of the movement measure.

8.36 It is important to be aware of other legislation to avoid any conflict, for example, fire safety, health and safety.

8.37 Managing and controlling access can be as simple as counting visitors in and out and/or checking tickets, passes, IDs or registrations. The use of passes to stop unauthorised individuals from accessing certain premises or areas of premises, and the use of screening, are also examples of measures in relation to monitoring (see paras. 8.30 to 8.33), which demonstrates how these measures frequently interact and cross-over with one another. Those responsible for larger premises and events may need to consider more sophisticated measures for movement, outlined below, given they will expect larger numbers of people to be present.

Example: An events organiser hires an area of a local authority park to hold a large antiques market. They erect a perimeter fence around this area and sell tickets, which must be shown on entry to gain access to the market. The organisation expects there will be a maximum of 1,000 individuals (including staff) on the site at any one time, at some point. As the park is not already in scope of the Act as qualifying premises, the events organiser is the responsible person.

The responsible person is aware of their responsibility to ensure that appropriate and reasonably practicable public protection procedures and measures are in place, including for controlling the movement of people. They identify that searching every individual on entry to the event is not reasonably practicable as it could create a significant queue outside of the event area, creating a target for an attack. However, they decide that random screening would act as a deterrent.

They use a random selection button that lights up in red or green based on a programmed percentage as people pass through. If the red light flashes, the security guard will focus their search on that randomly selected individual following the policy on prohibited items. While they screen the individual, they could also screen items and bags carried by the individual. In addition, the responsible person ensures that all staff are briefed before each shift to note and report any suspicious behaviour, which may lead to further targeted screening.

8.38 The table at figure 13 provides examples of the types of movement measures that could be appropriate to different premises and events. While training, learning or instruction is not a statutory requirement of the Act, it should be considered appropriate and reasonably practicable to have some form of relevant training, or instruction to implement these measures effectively. These are suggested measures. This list is not exhaustive, and some measures may not be suitable for all contexts.

Figure 13: Non-exhaustive list of examples for public protection measures in relation to movement

Examples of movement measures implemented through policies or processes

Public protection measures: movement	Description
Screening	For example, searches of individuals. Staff could also take such an opportunity to screen bags and items carried during such screening. These are also examples of monitoring measures (see paras. 8.30 to 8.33).
Restrictions on movement of people and visitors	Premises or events could prohibit access to specific areas or restrict access to those with a valid pass or ticket. Policies could also be in place setting out specific periods when visitors can access premises or events, and to ensure visitors are escorted if necessary.
Policies to manage crowds	Premises or events could put in place policies to limit the number of people allowed to enter or exit at any given time to stop crowds forming, to avoid creating a target for an attack.
Traffic or pedestrian control	Directing vehicles and people for supervision and safety purposes.
Prohibited or restricted access points	Designating the boundaries of accessible and non‑accessible areas.

Examples of movement measures implemented through physical mitigations

Public protection measures: movement	Description
Locks, shutters, screens and barriers	Physical equipment or structures which can assist in restricting or controlling the movement of people, such as locks, shutters, screens or barriers. These could be relevant to securing the premises out of hours, securing non-public or ‘back of house’ areas, or securing the premises (or parts of the premises) in the event of a lockdown procedure.

Example 1: The responsible person for an enhanced tier museum assesses that the premises could have a specific vulnerability to a vehicle as a weapon attack because it is in a busy city near to other well-known attractions, and on a road where speed can be built up quickly.

For this reason, the museum designates a specific area on their land where visitors can queue. This area is away from the road and there is no vehicle access. In addition, visitors are given timed tickets to help manage the number of individuals expected to be entering and exiting the premises at any one time.

Example 2: A music venue has several security safeguards in place, with physical measures built into the design with screening arches. The access points are well lit. Events are ticketed, with different entrances and entry times specified on tickets to reduce the potential for large crowds to form.

Crowds are actively managed by staff, who are also trained to be alert to suspicious behaviours, and they are in radio contact with the security control room. The event has a policy of searches of individuals and bags, with the consent of the person included as a condition of entry.

Public protection measures in relation to physical safety and security (section 6(3)(c) of the Act)

8.39 These measures relate to the physical safety and security of enhanced tier premises and qualifying events to reduce the vulnerability of the premises or to reduce the risk of harm to individuals. They can do so by mitigating the potential impacts of attacks and/or deterring or hindering attackers.

8.40 Those responsible for enhanced tier premises and qualifying events should consider how existing structures and other features could contribute to achieving those aims, and what supplementary or alternative measures could also be appropriate and reasonably practicable.

8.41 The table at figure 14 provides examples of the types of measures in relation to strengthening physical safety and security that could be appropriate to different premises and events. These are suggested measures. This list is not exhaustive, and some measures may not be suitable for all contexts.

Figure 14: Non-exhaustive list of examples for public protection measures in relation to physical safety and security

Public protection measures: physical safety and security	Description
Stand-off zones [footnote 70]	Designing and using the built environment around the premises or event to maximise security, for example, increasing the distance of vehicles from the premises where possible, pedestrianising busy arrival or departure routes and using hostile vehicle mitigation measures to protect people from vehicle as a weapon attacks.
Parking restrictions with effective enforcement	This can be put in place to ensure abandoned vehicles are appropriately managed.
Vehicle security barriers	This can provide a hard stop to the encroachment and/or penetration of a vehicle-borne attack. This can be scalable depending on what is considered appropriate and reasonably practicable at qualifying premises or qualifying events. For example, a barrier can include hostile vehicle mitigation (HVM), bollards, street furniture, fences, walls, gates, blockers, bunds (a barrier or embankment), berms (a raised area of land) and planters. Further information about HVM and the above can be found on the NPSA website. [footnote 71]
Protective or security glazing (including blast‑resistant facades, glass and/or doors, safety glass and anti-shatter film)	Glass, particularly in windows and facades, can shatter, causing very significant injuries in the event of an improvised explosive device (IED) or vehicle as a weapon attack. A variety of different types of glazing exist, intended to address different safety hazards and security threats. Application of anti-shatter film can be an appropriate and effective mitigation, particularly where the vulnerability to larger, vehicle-borne IEDs can be effectively mitigated through creating stand-off distance. [footnote 72]
Vehicle checks or screening	The searching and screening of vehicles can be used to check vehicles and their contents to reduce the risk of weapons, or dangerous or suspicious items, being brought into the premises or event. Alternatively, the responsible person could decide to prohibit or strictly control vehicle access, given the time-consuming and labour-intensive nature of vehicle checks.

Example 1: At an enhanced tier hospital, staff entrances are fitted with automated access control systems, with staff required to use their pass and enter a PIN to gain entry. Fire exits are alarmed, with alarms monitored by a central control room. Access to wards is by staff pass or doorbell entry for visitors, who are required to provide details of who they are visiting. The wider hospital site is designed so that public car parks are some distance from the buildings. The main entrance is protected by hostile vehicle mitigation measures. Drop-off and pick-up points are located close to the main entrance, but parking restrictions are strictly enforced by attendants.

Example 2: An enhanced tier multi-level pub is situated within a large shopping centre complex. There is no access to the pub by vehicles and therefore the responsible person assesses that measures to mitigate a vehicle as a weapon attack would not be appropriate. In contrast, a retail shop located on the exterior of the shopping centre considers that mitigating against that same threat is appropriate.

The degree to which they implement physical security measures is determined by what they assess to be reasonably practicable. For example, the responsible person for the shop considers it appropriate to put bollards outside, however it is deemed not reasonably practicable at this time. Instead, they implement a plan to install them in phases over the next few years.

Example 3: The responsible person for an enhanced tier cinema, located next to a pedestrianised high street, considers the potential vulnerability of the premises to an improvised explosive device (IED) detonated outside. The responsible person determines that it is appropriate to enhance their physical security to mitigate against this.

They consider anti-shatter film which would be designed to reduce the risk of physical harm from flying glass or shrapnel to individuals within the premises. However, they suggest it is not reasonably practicable to install anti-shatter film on the windows based on a combination of reasons. Firstly, for cost reasons and secondly, they note that the anti-shatter film would be unlikely to be effective at fully mitigating the effects of a larger IED.

Nonetheless, they have some control over the external environment. The responsible person considers it reasonably practicable to create a stand-off zone using street furniture. This is designed to increase the distance between the premises and any potential IED, reducing the impact of a blast.

Public protection measures in relation to the security of information (section 6(3)(d) of the Act)

8.42 Security of information measures are necessary to keep information secure and out of reach of those with hostile intent who may be looking for information to assist in the planning, preparation or execution of acts of terrorism. ^{[footnote 73]}

8.43 Measures for the security of information are required to ensure that information about the premises including the operation, design, usage or internal workings are not widely available and accessible to those who want to cause harm. Sharing relevant information with staff, third parties or the public may be helpful and necessary, but providing excessive details could create vulnerabilities. ^{[footnote 74]}

8.44 Briefing staff is important when developing measures for the security of information, to ensure staff can recognise suspicious activity so they can detect, deter and delay information being obtained and used for hostile purposes. As part of developing a positive security culture for the qualifying premises or event, insider threat could be considered, especially in recruitment and vetting procedures.

8.45 It could be considered appropriate to perform an audit of publicly accessible and security-relevant information both within and outside the control of the responsible person. This includes information shared via online pages, social media, local planning portals, apps, maps and other forms of internal and external communications within the control of the responsible person. Information that could assist those with hostile intent should be removed, restricted, redacted or adjusted, depending on the vulnerability posed.

8.46 Particular attention should be paid to material originally developed for internal purposes, for example, a plan of the premises intended for internal facilities management purposes, as that might include details of CCTV cameras and other security measures. The responsible person could then assess vulnerabilities arising from such information outside of their control and take appropriate and reasonably practicable steps to reduce vulnerabilities to an acceptable level. An example of this could be monitoring social media for comments about the security operation and taking steps to investigate and address any shortcomings identified.

8.47 A security-minded approach to corporate communications could be considered to project the message that the premises have a high level of security and are therefore a more difficult target. Signage could be used, both to inform visitors and those with hostile intent that there are systems and processes for security in place and to act as a deterrent.

8.48 The table at figure 15 provides examples of the types of measures in relation to the security of information that could be appropriate to different premises and events. These are suggested measures. This list is not exhaustive, and some measures may not be suitable for all contexts. The examples highlight some options of how to protect sensitive information relating to the premises or event.

Figure 15: Non-exhaustive list of examples for public protection measures in relation to the security of information

Public protection measures: security of information	Description
Security-minded approach to corporate communications	An approach designed to disrupt those with hostile intent during the reconnaissance or planning stage of an attack and to make them believe that, if they were to choose this specific location as a place to attack, they will almost certainly fail. Mentioning security measures without providing specific details can reassure the public, while deterring those with hostile intent.
Corporate communications	Regularly auditing corporate websites and other official communications could ensure that sensitive information and security details, such as floor plans and staff names, are not being shared or accessed unnecessarily, or shared more widely than is appropriate. This includes paper documents, and ensuring they are stored securely, or destroyed securely, when not in use or no longer required. Part of this will include building an effective security culture so that staff understand why this is important.
Social media policies	Having clear policies around social media usage for staff at the premises or event could help prevent the sharing of sensitive information.
Data protection policies	Policies could outline how data is collected, stored, processed and shared. There could be guidelines for data access, retention and disposal. Data protection policies should be reviewed to ensure they are up‑to‑date and communicated to staff at the premises.
Secure databases	Policies could include encryption and firewalls, as well as regularly updating software, to ensure details of public protection procedures and measures cannot be accessed by unauthorised users.
Effective policies for managing IT access (including on-boarding and off-boarding staff)	Ensuring staff only have the IT access that they need and reviewing access when staff change roles. This includes cancelling access when they leave employment.
Managing security aspects of supply chains	Establishing clear policies that ensure suppliers, contractors and/or their sub-contractors protect security-sensitive information of the premises or event.
Password protected / restricted areas on company IT	This could include the use of strong, unique passwords or multi-factor authentication and encouraging staff to regularly update passwords.
Licensing and planning applications	Ensuring that premises and events do not unnecessarily disclose security sensitive information publicly. [footnote 75] Further information on licensing considerations can be found in section 34 of the Act. [footnote 76]

Example 1: Though based on more detailed site plans, maps for visitors at an enhanced tier theme park are limited to basic information for public areas. Information on staff areas and their uses, and locations of cameras, are not included in the maps and they are not publicly accessible through other means, such as on the internet.

Example 2: An enhanced tier restaurant in a city centre is undergoing renovations. Plans for these renovations are restricted to limited people. Tradespeople are only informed of the areas they need to work on, and they do not have access to full site plans that may detail security measures. Access to any online plans is carefully controlled, with access limited to the information required by the specific role and terminated as soon as access is no longer required. When the planning application was submitted, information on security features was only included in documents and plans to the extent necessary.

Example 3: A high-profile concert is being held in a park. The responsible person for the qualifying event hires security guards for the event. Their daily briefing includes a reminder of various counter-terrorism security matters, including the importance of not posting information about the event, or that they are working at it, online or on social media.

Training, learning, instruction and counter-terrorism awareness

8.49 Paras. 7.51 to 7.62 cover the considerations for training, learning, instruction and awareness in relation to public protection procedures at qualifying premises and qualifying events, and general counter-terrorism awareness for all staff. There is no statutory requirement in the Act for the responsible person or for staff working at qualifying premises or qualifying events to carry out specific training or learning.

8.50 However, effective implementation of public protection measures will depend on appropriate training, learning or instruction. If no one working at qualifying premises or qualifying events knows how to carry out the relevant measures, the measures will not be properly in place, and the requirement will not have been complied with. If staff who are responsible for implementing public protection measures are not informed of those measures or trained in how those measures should be implemented (should the need arise), it is likely in practice to be difficult for the responsible person to demonstrate that appropriate and reasonably practicable measures are in place.

8.51 Measures will be delivered through people (for example, spotting suspicious activity), processes (for example, bag searches) and physical measures (for example, CCTV systems and hostile vehicle mitigation measures) which means that all those whose work contributes to these measures should know how to carry out their tasks. It will be essential that those working to implement measures know how to use any relevant equipment, that they are aware of any policies related to the use of measures and that they have the right training or instruction to deliver the measures effectively and safely. For example, the responsible person could direct those working with CCTV to a training scheme for CCTV operators that includes effective response to terrorist incidents, such as NPSA’s See, Check and Notify (SCaN) training, subject to availability.^{[footnote 77]}

8.52 Implementing public protection measures may involve the use of physical equipment, for example, barrier systems or search and screening technology. Those working with such equipment should be trained in operating it effectively and what to do if a threat is identified while using the equipment. People should also be told what to do if equipment breaks or fails, or cannot be used as intended – for example, using manual search processes if search or screening technology fails.

8.53 The responsible person should keep a record of training, learning or instruction that staff have undertaken or received to help the responsible person assure themselves that those involved in delivering or implementing procedures or measures are competent to do so. This is considered a necessary element of the document of compliance (see paras. 8.56 to 8.67). Procedures and measures should also be reviewed, tested and practiced regularly, which will help in familiarising staff with their roles and responsibilities.

8.54 The responsible person should also note whether any licences are mandated for staff to carry out their role by other legislation. For example, CCTV operators and door guards require SIA licences. For further information on SIA licences required under the Private Security Industry Act, and information on SIA voluntary schemes which may enhance private security provision, visit Security Industry Authority – GOV.UK. ^{[footnote 78]} The Act does not supersede other legislation and all legislation must be complied with.

8.55 Beyond complying with the Act’s requirements, for further information on good practice, visit ProtectUK, NPSA or see supplementary document C. ^{[footnote 79]}, ^{[footnote 80]}

Documenting compliance (section 7 of the Act)

8.56 The responsible person for enhanced tier premises or qualifying events must document their compliance with the Act. The SIA will publish specific guidance on this.

8.57 Section 7(2) of the Act sets out that the responsible person for enhanced tier premises or qualifying events must record the following information in a document and submit it to the SIA:

• A statement setting out the public protection procedures that are in place (section 7(1)(a) of the Act).
• A statement setting out the public protection measures that are in place or will be put in place (section 7(1)(c) of the Act).
• An assessment as to how the public protection procedures and measures are expected to reduce the risk of physical harm, were a terrorist attack to occur, as well as an assessment of how the public protection measures are expected to reduce the vulnerabilities to a terrorist attack (section 7(1)(b) and section 7(1)(d) of the Act).

8.58 In relation to public protection measures, the responsible person must document measures that it proposes to put in place if it is considered not reasonably practicable to put them in place immediately. For example, this could be due to a planned refurbishment taking place in which procedures or measures would need to be altered or tailored to the new layout of the premises.

8.59 The responsible person should outline the plans for these measures to be put in place, the reason for deferring the implementation or installation of the measures, and the mitigations in place in the meantime to reduce the vulnerability of the premises or event to an attack. Further guidance will clarify the information required to be submitted to the SIA.

8.60 This document must be kept up to date and must be provided to the SIA as soon as reasonably practicable after it is prepared for the first time (as per section 7(2)(a) of the Act) and within 30 days of any revision (as per section 7(2)(b) of the Act).

Statements

8.61 The document must contain statements that set out the public protection procedures in place and public protection measures in place, or that will be in place. The statements should include information that relates to each individual procedure and measure, their associated policies, how and when they will be used, and who can make relevant decisions in relation to the procedures or measures were an attack to occur.

8.62 Any individual can make the statement, provided they are informed and capable. However, if a third party is chosen to complete them, they should have relevant experience and competence that can be evidenced. The responsible person remains legally accountable and cannot delegate responsibility, even if they are assisted by a third party.

Assessments

8.63 The document must contain an assessment as to how individual public protection procedures are expected to reduce the risk of physical harm to people, and how individual public protection measures are expected to reduce the risk of harm to people and/or the vulnerability of the premises or event to an attack. Where the procedures and measures in place differ materially from those that would usually be considered appropriate for the type of premises or event (for example, by reference to relevant guidance), the responsible person should explain why this is.

8.64 As with statements above, the Act does not mandate a specific format for assessments. Any individual can make the assessment, provided they are informed and capable. However, if a third party is chosen to complete them, they should have relevant experience and competence that can be evidenced. The responsible person remains legally accountable and cannot delegate responsibility, even if they are assisted by a third party.

8.65 There are free resources available on ProtectUK (risk management basics and risk management process) and NPSA (protective security risk management) that may assist in thinking about risk and vulnerability assessment processes. ^{[footnote 81]}

Assurance and review

8.66 The compliance document must be maintained and reviewed to ensure that procedures and measures remain appropriate and reasonably practicable for the premises or event. Appropriate review points could include:

• on a periodic basis
• when there is a significant change to the premises or event including the operations, functions or when there is a change to the Schedule 1 uses
• when there is a significant change (increase or decrease) in the number of people reasonably expected to be present
• when there is a significant change to the structure or layout of the premises, event or the immediate vicinity

8.67 The information contained in the document should be held securely, balancing the need to enable effective implementation and to minimise vulnerability to those with malicious intent being able to access information that could help plan or carry out an attack.

Requirements to co-ordinate and co-operate (section 8 of the Act)

8.68 Chapter 6 provides further information on co-ordination and co-operation. It is possible for parties other than the responsible person to have control of enhanced tier premises or qualifying events to some extent. Such individuals, organisations or companies must co-operate with the responsible person in complying with the Act’s requirements, so far as is reasonably practicable. For example, this would be required if another individual, organisation or company has control of the land on which the responsible person is holding a qualifying event, or a building owner has leased their qualifying premises to a separate operator.

Designating a senior individual (section 10 of the Act)

8.69 Where the responsible person for enhanced tier premises or a qualifying event is an organisation rather than an individual, the responsible person must designate a senior individual.

8.70 The senior individual is someone who has responsibility for managing the affairs of the responsible person or relevant body, or has control of the responsible person or relevant body. A lower-level employee who has limited responsibilities and influence is unlikely to be a senior individual in the sense required by section 10 of the Act. It will be for each individual company or organisation to decide which member of staff is appropriate to be the senior individual and that they are of sufficient seniority and have appropriate influence to ensure compliance with the Act.

8.71 The main function of the senior individual is to ensure that, so far as it is in their power, the responsible person complies with the Act’s requirements. The senior individual can delegate actions to others, such as a security manager. However, they cannot delegate their overall responsibility for ensuring compliance and should have overall responsibility on behalf of the responsible person.

8.72 Non-exhaustive examples of activities that the senior individual may take forward to ensure compliance with the Act’s requirements include:

• ensuring that protective security matters remain an ongoing discussion or agenda point at board level
• receiving regular briefings from relevant individuals from their organisation on threats or vulnerabilities to the premises or event
• ensuring that relevant information is regularly cascaded to staff, as appropriate to their role and responsibilities
• implementing or monitoring effectiveness of reporting lines between all those involved in putting procedures and measures in place
• reviewing and approving the compliance document, prior to submitting to the SIA

8.73 There may be instances where the responsible person operates several qualifying premises or events and appoints the same senior individual for each premises or event. If it is feasible, this may offer certain benefits such as consistency or standardisation of the requirements. However, public protection procedures and measures must still be tailored to individual sites and not put in place generically across the variety of premises or events within their area of oversight.

Liability of the senior individual

8.74 The senior individual is not personally liable for a responsible person’s failure to meet the requirements outlined in this chapter for the purposes of receiving a penalty notice (see paras. 9.12 to 9.13). However, if a company or other organisation has committed a criminal offence under the Act, senior personnel (such as people in senior management positions, including the senior individual) may also be prosecuted for the offence if it can be proved that the offence was committed with their consent or connivance, or occurred because of their neglect. See chapter 9 for further information on offences and penalties.

Chapter 8 – summary

• In addition to the requirements for all qualifying premises and events, those responsible for enhanced tier premises and qualifying events must ensure appropriate public protection measures are in place, so far as is reasonably practicable.
• The four public protection measures are in relation to monitoring, movement, physical safety and security, and security of information.
• Measures in relation to monitoring are used to monitor the premises or event, and the immediate vicinity, enabling the detection of suspicious activities and items.
• Measures in relation to movement are used for controlling, prohibiting, restricting or reducing the movement of people.
• Measures in relation to physical safety and security mitigate the potential impacts of attacks or deter/hinder attackers.
• Measures in relation to the security of information ensure that information about the premises or event, including the operation, design, usage or internal workings is not widely available to those who do not need to access it or could use it in the preparation of an attack.
• As part of ensuring that public protection measures are in place, and that they can be used effectively, staff should have relevant instruction and/or training.
• Those responsible for qualifying premises and events must co-ordinate with each other in certain circumstances.
• Those responsible for qualifying premises or qualifying events must notify the SIA when they become responsible and when they cease to be responsible.
• The responsible person for enhanced tier premises or a qualifying event must document their compliance and submit it to the SIA.
• Where the responsible person for enhanced tier premises or a qualifying event is an organisation rather than an individual, the responsible person must designate a senior individual.

Chapter 9:  Compliance with legal requirements

9.1 The SIA is the regulator for the Act. The SIA is a Home Office arm’s length body established by the Private Security Industry Act 2001 (PSIA) as the regulator of the private security industry. Unless otherwise stated, this statutory guidance refers only to the SIA’s remit in relation to the Act.

9.2 Section 12 of the Act requires the SIA to publish guidance on how it proposes to exercise its functions under the Act, in particular its investigatory powers.

SIA’s inspection powers under the Act

9.3 The SIA has powers to authorise individuals to inspect premises and events, and to obtain information. It uses these powers to determine whether responsible persons are complying with the requirements of the Act. The SIA’s guidance on how it exercises its functions will include more detail on this, but the following paragraphs provide a summary.

Powers to access premises and events to conduct inspections (Schedule 3, para. 2(1)(b))

9.4 If an authorised inspector wants to visit premises to make enquiries as to how the qualifying premises or event are complying with the Act, the inspector will usually have to give at least 72 hours’ notice, in writing, to inspect and observe activities. To exercise this power the inspector must have reasonable grounds to believe that the premises are qualifying premises or that a qualifying event is taking place on the premises. If the inspector is prevented from accessing the premises or event, the inspector requires access urgently, or giving notice to enter the premises would defeat the object of entry, the inspector can apply for a warrant to gain access to the premises without notice. An inspector can also apply for a warrant to enter premises which are not subject to the legislation, if they need to do so as part of an investigation into possible non-compliance on other premises.

9.5 With or without a warrant, during inspections, an authorised inspector has the power to:

• inspect the premises or event
• observe activities taking place
• view and inspect physical or electronic documents on the premises
• inspect any equipment on the premises
• require anyone on the premises to provide an explanation of any document relevant to the Act, or to state where a document can be found
• take copies of any document relevant to the Act
• take measurements, photographs or recordings
• require any person on the premises to assist with the inspection

9.6 An authorised inspector can have the following additional powers granted with a warrant for use during inspections:

• entry by force, if necessary
• seizing documents, equipment or other items either as evidence of an offence, or to prevent evidence being concealed, lost altered or destroyed

9.7 An authorised inspector can also be accompanied by other individuals to assist with the inspection (for example, a technical expert to advise on specific security measures). An inspector must produce evidence of identity and authority, if requested.

Powers to gather information (Schedule 3 to the Act, para. 3)

9.8 An authorised inspector can issue a notice for the purpose of assessing compliance. The notice may require information relating to security at the premises or event, or require a relevant individual to attend an interview. Further information on this will be included in the SIA’s guidance.

Addressing non-compliance

9.9 The Act gives the SIA powers to issue various civil notices and penalties to address non-compliance. The SIA’s guidance will provide further detail on these notices, and rights of appeal, but the paragraphs below provide a summary of the available notices and penalties under the Act. The SIA’s guidance will also provide information on how any penalties are calculated.

Compliance notices

9.10 If the SIA has reasonable grounds to believe that a responsible person has failed, or is failing, to comply with a requirement under the legislation, it can issue a compliance notice. A compliance notice can also be issued to a person whom the SIA has reasonable grounds to believe has failed, or is failing, to meet a requirement to co-operate with a responsible person, so far as is reasonably practicable. See chapters 7 and 8 for further information on requirements and paras. 6.21 to 6.22 on co-operation. A compliance notice requires the recipient to comply with a specified requirement within the period set out in the notice. It also may require the recipient to provide evidence to the SIA that the person is complying with, or has complied with, the notice.

Restriction notices

9.11 The SIA can give a restriction notice to the responsible persons of enhanced tier premises or qualifying events. This can be done if the SIA has reasonable grounds to believe that the responsible person is failing, or has failed, to ensure appropriate public protection procedures or public protection measures are in place, and the restrictions required by the notice are necessary to reduce the risk of physical harm to the public arising from acts of terrorism on the premises, at the event or in the immediate vicinity. A restriction notice requires the responsible person to comply with specified prohibitions or restrictions relating to the use of the premises or the hosting of a qualifying event.

Penalty notices

9.12 The SIA can issue a financial penalty (a penalty notice) if it is satisfied it is more likely than not that a person has failed, or is failing, to meet any of the relevant requirements under the Act. Those requirements are:

• ensuring appropriate and reasonably practicable public protection procedures are in place (section 5 of the Act)
• ensuring appropriate and reasonably practicable public protection measures are in place (section 6 of the Act – applies to enhanced tier premises and qualifying events only)
• documenting compliance (section 7 of the Act – applies to enhanced tier premises and qualifying events only)
• co-ordinating and co-operating (section 8 of the Act)
• notifying the SIA when a person becomes responsible or ceases to be responsible for qualifying premises or a qualifying event (section 9 of the Act)
• designating a senior individual where the responsible person is not an individual (section 10 of the Act – applies to enhanced tier premises and qualifying events only)
• complying with compliance notices (section 13 of the Act), restriction notices (section 14 of the Act) and the SIA’s information-gathering powers (Schedule 3 para. 3 of the Act)

9.13 A penalty notice requires a person to pay a non-compliance penalty of a specified amount by a specified date, and it may also require a person to pay daily penalties.

Non-compliance penalty

9.14 If a person fails to comply with a notice that requires them to attend an interview, the maximum amount of a non-compliance penalty is £5,000. The maximum amount of a non‑compliance penalty for any other contravention in relation to standard tier premises is £10,000.

9.15 The maximum amount of a non-compliance penalty for any other contravention in relation to enhanced tier premises or qualifying events is either £18 million or 5% of the person’s qualifying worldwide revenue for the most recent accounting period (whichever is higher).

Daily penalties

9.16 If a penalty notice is given for contravention of a compliance notice or a restriction notice, the penalty notice may also require the person to pay daily penalties, for each day on which the contravention continues after the deadline for payment of the non-compliance penalty. The maximum amount of a daily penalty for standard tier premises is £500. The maximum amount of a daily penalty for enhanced tier premises and qualifying events is £50,000.

Criminal offences under the Act

9.17 In the most serious cases of non-compliance, where it is proportionate and in the public interest, the SIA may refer those responsible for prosecution. The criminal offences created by the Act and the maximum penalties available to the courts on conviction are outlined in figure 16.

9.18 In the event of a criminal conviction for one of these offences, it will be for the courts to determine an appropriate penalty in accordance with sentencing guidelines. Further information about the approach to criminal prosecutions will be included in SIA’s section 12 guidance.

Figure 16: Criminal offences created by the Act and the maximum penalties

Criminal offence	Maximum penalty
Section 24: Failing to comply with a compliance notice issued in relation to enhanced tier premises or qualifying events. It will be a defence for anyone charged with an offence to show they took all reasonable steps to comply with the notice. Non-compliance with a compliance notice issued in relation to standard tier premises is not a criminal offence.	England and Wales: On summary conviction in a magistrates’ court, an unlimited fine and/or a term of imprisonment not exceeding the maximum term in a magistrates’ court or, on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years. Scotland: On summary conviction, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding 12 months or, on conviction on indictment, an unlimited fine and/or a term of imprisonment not exceeding two years. Northern Ireland: On summary conviction in a magistrates’ court, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding six months or, on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years.
Section 24: Failing to comply with a restriction notice. It will be a defence for anyone charged with an offence to show they took all reasonable steps to comply with the notice.	England and Wales: On summary conviction in a magistrates’ court, an unlimited fine and/or a term of imprisonment not exceeding the maximum term in a magistrates’ court, or, on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years. Scotland: On summary conviction, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding 12 months, or on conviction on indictment, an unlimited fine and/or a term of imprisonment not exceeding two years. Northern Ireland: On summary conviction in a magistrates’ court, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding 6 months, or on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years.
Section 25: Providing false or misleading information to the SIA, in compliance or purported compliance with a requirement imposed under part 1 of the Act where the person either knows that the information they are providing is false or misleading or is reckless as to whether it is. This offence is applicable to anyone, not only the responsible person, who provides information in the context referred to above.	England and Wales: On summary conviction in a magistrates’ court, an unlimited fine and/or a term of imprisonment not exceeding the maximum term or, on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years. Scotland: On summary conviction, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding 12 months or, on conviction on indictment, an unlimited fine and/or a term of imprisonment not exceeding two years. Northern Ireland: On summary conviction in a magistrates’ court, a fine not exceeding the statutory maximum and/or a term of imprisonment not exceeding 6 months or, on conviction on indictment in the Crown Court, an unlimited fine and/or a term of imprisonment not exceeding two years.
Schedule 3, para. 10: Failing to comply with an information notice issued under Schedule 3 para. 3 It will be a defence for anyone charged with an offence to show they took all reasonable steps to comply with the notice. This offence is applicable to anyone given a notice under Schedule 3, para. 3, not only the responsible person.	The offence is summary only. England and Wales: An unlimited fine. Scotland and Northern Ireland: A fine not exceeding level 5 on the standard scale.
Schedule 3, para. 11: Intentionally obstructing an authorised inspector from exercising their powers. This offence is applicable to anyone, not only the responsible person.	The offence is summary only. England and Wales: An unlimited fine and/or a term of imprisonment not exceeding the maximum term for summary offences. Scotland: A fine not exceeding level 5 on the standard scale and/or a term of imprisonment not exceeding 12 months. Northern Ireland: A fine not exceeding level 5 and/or a term of imprisonment not exceeding 6 months.
Schedule 3, para. 12: Intentionally pretending to be an authorised inspector.	The offence is summary only. England and Wales: An unlimited fine. Scotland and Northern Ireland: A fine not exceeding level 5 on the standard scale.

Senior manager liability

9.19 If a company or other organisation has committed a criminal offence by failing to comply with a compliance, restriction or information notice, senior personnel (including the senior individual) involved in the management or control of the organisation could also be prosecuted for the offence. An offence could have been committed if it can be proved that the offence was committed with their consent or connivance, or because of their neglect.

9.20 Where an organisation has committed an offence of providing false or misleading information to the SIA, obstructing an authorised inspector, or pretending to be an authorised inspector, such individuals could also be prosecuted for the offence. An offence could have been committed if it can be proved the offence was committed with their consent or connivance.

Civil compensation claims

9.21 The Act does not provide for a person to bring a compensation claim against a responsible person for qualifying premises or a qualifying event for lack of compliance with a statutory requirement under the Act. This does not affect any existing rights of action or complaints that people who suffer loss or damage may have, such as negligence claims, that exist outside of the Act. A court may consider requirements of the Act when determining these matters.

Chapter 9 – summary

• The SIA is the regulator for the Act. The SIA is a Home Office arm’s length body established by the Private Security Industry Act 2001.
• The SIA will publish guidance under section 12 of the Act on how it proposes to exercise its functions under the Act, particularly its investigatory powers.
• The Act gives the SIA powers to access premises and events to conduct inspections and the power to gather information.
• The Act gives the SIA powers to issue various civil notices and penalties to address non-compliance. This includes compliance notices, restriction notices and penalty notices.
• Some criminal offences are created by the Act and, in the most serious cases of non‑compliance where it is proportionate and in the public interest, the SIA may refer those responsible for prosecution.
• If a company or organisation has committed a criminal offence, senior personnel involved in the management or control of the organisation may be prosecuted for the offence.
• The Act does not provide for a person to bring a compensation claim against a responsible person for lack of compliance with a statutory requirement under the Act.

Enquiries

Any enquiries regarding this publication should be sent to us at:
MartynsLaw@homeoffice.gov.uk

Copyright

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

Footnotes

1. Terrorism (Protection of Premises) Act 2025, Table of contents, available at: www.legislation.gov.uk/ukpga/2025/10/contents ↩

2.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

3.  GOV.UK, ‘Counter-terrorism strategy (CONTEST) 2023’, 18 July 2023, available at: www.gov.uk/government/publications/counter-terrorism-strategy-contest-2023 ↩

4.  MI5, ‘Terrorism threat levels’, available at: www.mi5.gov.uk/threats-and-advice/terrorism-threat-levels ↩

5.  GOV.UK, ‘Counter-terrorism strategy (CONTEST) 2023’, 18 July 2023, available at: www.gov.uk/government/publications/counter-terrorism-strategy-contest-2023, page 4. ↩

6.  Future Protect Research, June 2019. 550 organisations surveyed. ↩

7.  International Review of Psychiatry, ‘Mediating the social and psychological impacts of terrorist attacks: The role of risk perception and risk communication’, Volume 19, Issue 3, 2007, available at: www.tandfonline.com/doi/abs/10.1080/09540260701349373 ↩

8.  Chief Coroner, ‘Inquests arising from the deaths in the London Bridge and Borough Market terror attack’, available at: www.judiciary.uk/wp-content/uploads/2019/11/London-Bridge-Borough-Market-Terror-Attack-2019-0332.pdf ↩

9.  GOV.UK, ‘Manchester Arena Inquiry Volume 1: Security for the Arena’, 17 June 2021, available at: www.gov.uk/government/publications/manchester-arena-inquiry-volume-1-security-for-the-arena ↩

10.  GOV.UK, ‘Government response document’, 2 May 2023, available at: www.gov.uk/government/consultations/protect-duty/outcome/government-response-document GOV.UK, ‘Martyn’s Law: standard tier consultation’, 1 November 2024, available at: www.gov.uk/government/consultations/martyns-law-standard-tier-consultation ↩

11.  ProtectUK, ‘Countering vehicle as a weapon: Best practice guidance for goods vehicle operators and drivers, Section 2 – People, security culture and behaviours’, 10 December 2021, available at: www.protectuk.police.uk/section-2-people-security-culture-and-behaviours ↩

12.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

13.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

14. ProtectUK, www.protectuk.police.uk/ ↩

15.  NPSA, www.npsa.gov.uk/ ↩

16.   The objective of public protection procedures is to reduce the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event (section 5(2)). The objectives of public protection measures are to reduce the vulnerability of the premises or event to acts of terrorism and to reduce the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event (section 6(2)). ↩

17. GOV.UK, SIA, www.gov.uk/government/organisations/security-industry-authority ↩

18.  Terrorism (Protection of Premises) Act 2025, Schedule 1, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/1 ↩

19.  Terrorism (Protection of Premises) Act 2025, Schedule 2, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/2 ↩

20.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

21.  This decision tree is also available at: www.protectuk.police.uk/martyns-law/resources ↩

22.  A site without a building accessible to the public could still host qualifying events. See paras. 5.6 to 5.10 for more information. ↩

23.   Para. 18 of Schedule 1 to the Act sets out that, in determining for the purposes of this schedule whether premises are used by visiting members of the public, it is irrelevant that access to the premises may be limited (at all times or particular times) to members of the public who (a) have paid to access the premises; (b) have tickets or passes allowing access; or (c) are members or guests of a club, association or similar body. ↩

24.  Terrorism (Protection of Premises) Act 2025, Schedule 1, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/1 ↩

25.  See supplementary document A for example methods to calculate the reasonable expectation of individuals present. See supplementary documents ↩

26.  Under the law of England, Wales and Scotland, sports grounds are defined in section 17(1) of the Safety of Sports Grounds Act 1975 as “any place where sports or other competitive activities take place in the open air and where accommodation has been provided for spectators, consisting of artificial structures or of natural features or of a combination of both”. In Northern Ireland, sports grounds are defined by Article 2(2) of the Safety of Sports Grounds (Northern Ireland) Order 2006 as “any place where — (a) sports or other competitive activities take place in the open air (or would take place in the open air but for the closing of any retractable roof); and (b) accommodation has been provided for spectators, consisting of artificial structures or of natural structures artificially modified for the purpose.” ↩

27.  See para. 4.12 on premises that are primarily outdoors but include one or more buildings on site. ↩

28.  Terrorism (Protection of Premises) Act 2025, Schedule 2, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/2 ↩

29.   As defined by section 91(3) of the Further and Higher Education Act 1992. For the avoidance of confusion, further education refers to any study after secondary education that is not part of higher education. ↩

30.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

31.  Terrorism (Protection of Premises) Act 2025, Schedule 3, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/3 ↩

32.  See supplementary document A for methods for calculating the number of individuals present. Supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

33.  See supplementary document A for methods for calculating the number of individuals present. Supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

34.  Terrorism (Protection of Premises) Act 2025, Schedule 2, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/2 ↩

35.   A sports ground can be in scope where it: in relation to England and Wales and Scotland, has the meaning given by section 17(1) of the Safety of Sports Grounds Act 1975; and in relation to Northern Ireland, has the meaning given by Article 2(2) of the Safety of Sports Grounds (Northern Ireland) Order 2006 (S.I. 2006/313 (N.I. 2)). There are circumstances where these premises could be in scope as hosting qualifying events. See chapter 5 for qualifying events criteria. ↩

36.  Schedule 2, para. 3(3). ↩

37.  Terrorism (Protection of Premises) Act 2025, Schedule 3, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/3 ↩

38.   This is the effect of para. 9(2) of Schedule 1. ↩

39.  This is the effect of paras. 13(3), 14(3)(b) and para. 15(2)(b) of Schedule 1 in respect of each category of premises. ↩

40.  Terrorism (Protection of Premises) Act 2025, Schedule 1, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/1 ↩

41.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

42.  This decision tree is also available at: www.protectuk.police.uk/martyns-law/resources ↩

43.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

44.   Staff refers to all those working at the premises or event, whether as employees, contractors, volunteers or otherwise. Staff could be full time, part time, shift workers or follow other working patterns. ↩

45.  Terrorism (Protection of Premises) Act 2025, Schedule 2, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/2 ↩

46.  Terrorism (Protection of Premises) Act 2025, Schedule 1, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/1 ↩

47. The objective of public protection procedures is to reduce the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event (section 5(2)). The objectives of public protection measures are to reduce the vulnerability of the premises or event to acts of terrorism and to reduce the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event (section 6(2)). ↩

48.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

49.  The crisis response kit checklist on ProtectUK could be useful as an example of what such a kit could contain: ‘Venues and Public Spaces (VaPS) guidance, Crisis response kit checklist’, available at: www.protectuk.police.uk/crisis-response-kit-checklist ↩

50.  Terrorism (Protection of Premises) Act 2025, Schedule 1, available at: www.legislation.gov.uk/ukpga/2025/10/schedule/1 ↩

51.  NPSA, ‘Recognise, Assess, React (RAR) for Chemical, Biological and Radiological (CBR) Incidents’, 14 August 2024, available at: www.npsa.gov.uk/security-campaigns/recognise-assess-react-rar-chemical-biological-and-radiological-cbr-incidents ↩

52.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

53.  The objective of the Act for all premises and events in scope as per section 1(1)(a) of the Act is to take steps to reduce the risk of physical harm to individuals arising from acts of terrorism. An additional objective placed on enhanced tier premises and qualifying events only, as per section 1(1)(b) of the Act, is to take steps to reduce their vulnerability to acts of terrorism. ↩

54.  By contrast, in respect of the enhanced tier requirements, there is a statutory requirement under section 7 to prepare a document stating the public protection procedures and measures and assessing how those procedures can achieve the relevant objectives. ↩

55.  NPSA, ‘Evacuation, Invacuation and Lockdown Guidance’, 14 May 2025, available at: www.npsa.gov.uk/emergency-incident-management/incident-management/evacuation-invacuation-and-lockdown-guidance ↩

56.  NPSA, ‘Recognise, Assess, React (RAR) for Chemical, Biological and Radiological (CBR) Incidents’, 14 August 2024, available at: www.npsa.gov.uk/security-campaigns/recognise-assess-react-rar-chemical-biological-and-radiological-cbr-incidents ↩

57.  NPSA, ‘Recognise, Assess, React (RAR) for Chemical, Biological and Radiological (CBR) Incidents’, 14 August 2024, available at: www.npsa.gov.uk/security-campaigns/recognise-assess-react-rar-chemical-biological-and-radiological-cbr-incidents ↩

58.  NPSA, ‘Short Animation - Lockdown at sites’, 11 August 2025, available at: www.npsa.gov.uk/emergency-incident-management/marauding-terrorist-attacks-mta#short-animation-lockdown-at-sites-26401 ↩

59.  NPSA, ‘Evacuation, Invacuation and Lockdown Guidance’, 14 May 2025, available at: www.npsa.gov.uk/emergency-incident-management/incident-management/evacuation-invacuation-and-lockdown-guidance ↩

60.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

61.  GOV.UK, SIA, www.gov.uk/government/organisations/security-industry-authority ↩

62.  ProtectUK, ‘ACT Awareness e-Learning’, 22 January 2026, available at: www.protectuk.police.uk/group/84; ProtectUK, ‘Action Cards’, 12 December 2023, available at: www.protectuk.police.uk/advice-and-guidance/response/action-cards ↩

63.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

64.  The objective of the Act for all premises and events in scope as per section 1(1)(a) of the Act is to take steps to reduce the risk of physical harm to individuals arising from acts of terrorism. An additional objective placed on enhanced tier premises and qualifying events only, as per section 1(1)(b) of the Act, is to take steps to reduce their vulnerability to acts of terrorism. ↩

65.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

66.  The objectives of public protection measures are to reduce the vulnerability of the premises or event to acts of terrorism and to reduce the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity of the premises or event (section 6(2) of the Act). ↩

67. ProtectUK, www.protectuk.police.uk/risk-management-basics www.protectuk.police.uk/threat-risk/security-risk-management/risk-management-process-0; NPSA, ‘Protective Security Risk Management’, 30 January 2023, available at: www.npsa.gov.uk/security-best-practices/protective-security-risk-management-psrm; To note: NPSA’s protective security risk management is a widely applicable framework and is presented in terms of protection of assets. In the context of the Act, qualifying premises and qualifying events will principally be focused on the protection of people. ↩

68.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

69.   Use of premises for the provision by a public authority of facilities or services to visiting members of the public is a qualifying Schedule 1 use in its own right (see para. 17 of Schedule 1). ↩

70.  NPSA, ‘Protection from Blast’, 30 August 2024, available at: www.npsa.gov.uk/building-protection/building-infrastructure/protection-blast-0 ↩

71.  NPSA, ‘Hostile Vehicle Mitigation (HVM)’, 15 September 2025, available at: www.npsa.gov.uk/specialised-guidance/hostile-vehicle-mitigation-hvm ↩

72.  A stand-off distance is a protected buffer space around a building that keeps threats – particularly vehicles – far enough away to reduce potential harm or damage and slow down or deter a potential attacker. ↩

73.  Part 2, section 34(1) of the Act amends the Licensing Act 2003 and the Licensing (Scotland) Act 2005 “to make provision about the inclusion of plans in public registers kept under those Acts and about the disclosure of certain plans not included in those registers”. ↩

74.  Part 2, section 34(3) of the Act amends the Licensing Act 2003 and the Licensing (Scotland) Act 2005 “to include provision for the purpose of restricting the disclosure of information that the Secretary of State considers is likely to be useful to a person committing or preparing an act of terrorism”. ↩

75.  NPSA, ‘Security considerations in the planning process’, 17 December 2025, available at: www.npsa.gov.uk/security-best-practices/build-it-secure/security-considerations-planning-process ↩

76.  Part 2, section 34(1) of the Act amends the Licensing Act 2003 and the Licensing (Scotland) Act 2005 “to make provision about the inclusion of plans in public registers kept under those Acts and about the disclosure of certain plans not included in those registers”. Part 2, section 34(3) of the Act amends the Licensing Act 2003 and the Licensing (Scotland) Act 2005 “to include provision for the purpose of restricting the disclosure of information that the Secretary of State considers is likely to be useful to a person committing or preparing an act of terrorism”. ↩

77.  NPSA, ‘See, Check and Notify (SCaN)’, 24 February 2026, available at: www.npsa.gov.uk/see-check-and-notify-scan ↩

78. GOV.UK, SIA, www.gov.uk/government/organisations/security-industry-authority ↩

79.  ProtectUK, www.protectuk.police.uk/; NPSA, www.npsa.gov.uk/ ↩

80.  Non-statutory supplementary documents available at: www.gov.uk/government/collections/terrorism-protection-of-premises-bill-2024 ↩

81. ProtectUK, ‘ProtectUK Risk Management Guidance, Risk Management Basics’, 19 March 2024, available at: www.protectuk.police.uk/risk-management-basics;          ProtectUK, www.protectuk.police.uk/threat-risk/security-risk-management/risk-management-process-0; NPSA, ‘Protective Security Risk Management’, 30 January 2023, available at: www.npsa.gov.uk/security-best-practices/protective-security-risk-management-psrm ↩