DG Advisory explains that enhanced tier requires integrated control rooms and trained operators by April 2027 deadline.
Martyn’s Law gives museums, galleries, and heritage attractions a legal deadline on counter-terrorism preparedness. Chris Dreyfus-Gibson of DG Advisory explains what directors need to know and do.
The name may sound familiar, but what does it mean for you? Martyn’s Law – the Terrorism (Protection of Premises) Act 2025 – was shaped by the campaign of Figen Murray OBE following the death of her son Martyn Hett in the Manchester Arena attack of 2017. It received Royal Assent in April 2025. The statutory guidance was published this month. And compliance becomes a legal requirement from around April 2027.
For those working in museums, galleries, libraries, and heritage attractions, this legislation matters. Counter-terrorism preparedness has always been important – many institutions have invested significantly in visitor safety. But Martyn’s Law changes the terms. Having appropriate procedures and measures in place is no longer a question of good practice or organisational appetite. It is a legal requirement, with a regulator, inspection powers, and substantial financial penalties for those who fall short. The standard the Act sets is specific, and the gap with where many cultural institutions currently stand is wider than most directors yet realise.
Does your institution fall in scope?
Museums, galleries, and libraries are explicitly named in the Act as qualifying uses. If your institution can reasonably expect 200 or more people on site at any one time – including staff – you are in scope at the standard tier. At 800 or more, you move into the enhanced tier, which carries significantly greater obligations.
The threshold question requires careful thought. The statutory guidance uses a gallery as its own example: an institution with a safe occupancy of 850, where typical peak attendance sits comfortably below 800, would normally be assessed as standard tier. But if a blockbuster exhibition generates unexpected media attention and footfall spikes, the institution may find itself in enhanced tier territory. Occupancy assessments need to be made carefully and kept under review.
Events add another layer. A major exhibition opening, a late-night culture event, an outdoor summer festival, or an external venue hire that reaches 800 or more ticketed attendees triggers the enhanced tier obligations for its duration, regardless of the institution’s usual tier status. For many museums and galleries, qualifying events will be a more frequent consideration than enhanced tier premises status – and the obligations are identical.
What the enhanced tier actually requires
Every institution in scope must have four public protection procedures in place – evacuation, invacuation, lockdown, and communication – designed specifically for a terrorist attack scenario, not repurposed from fire safety plans. Enhanced tier institutions must go further, implementing active measures across monitoring, movement of people, physical security, and the protection of sensitive information. All of this must be documented in a compliance document submitted to the SIA and kept up to date.
A named board-level individual must be designated with personal accountability for ensuring compliance. This is not a responsibility which can be delegated. It is a named person, and in the event of serious non-compliance, it is a person who could face criminal prosecution.
The financial consequences of non-compliance are significant: penalties of up to £18 million or 5% of worldwide qualifying revenue, with daily penalties of £50,000 for continued non-compliance following a compliance notice.
The control room question
The statutory guidance is explicit that for enhanced tier premises, the security control room is the hub for monitoring, co-ordinating the response, and activating procedures in a terrorist attack. This is the benchmark the SIA will apply when it inspects, and is where many cultural institutions have work to do.
Cultural institutions present a specific challenge in this regard. Most were not designed with a modern security control room function in mind. CCTV systems were installed for deterrence or loss prevention, not for real-time threat assessment across a complex multi-floor building with courtyards, external gardens, and a constant flow of visitors who have no prior familiarity with the space. Many systems are disconnected – cameras not integrated with access control or alarms – creating a fractured picture rather than the coherent operational awareness the Act requires.
Staff training is the other pressure point, especially where security provisions have been outsourced. Having a licensed CCTV operator in the control room satisfies the licensing requirement. It is unlikely to satisfy the Martyn’s Law obligations. Operators must be capable of recognising suspicious activity across five defined attack categories, activating and communicating procedures under pressure, and maintaining accurate incident logs – and must have received site-specific training. A single CCTV training course does not cover this.
What you should do now
The compliance deadline of April 2027 is sufficient for institutions that act promptly.
The most useful first step is understanding where you stand – and the most efficient way to do that is a structured, independent audit of your control room capability.
DG Advisory works with cultural institutions and other organisations to do exactly that. Our Control Room Maturity Audit is built specifically for this purpose. It evaluates your current position across CCTV coverage, system integration, operator competence, procedure documentation, and information security – producing an evidence-based gap report and a prioritised action plan that gives your leadership team a clear picture of where you are and where to make improvements.
Our accredited Level 2 Control Room Operator Programme builds the practical competencies that genuinely matter in a security incident: threat recognition, situational awareness, procedure activation under pressure, and clear communication with staff and emergency services – producing operators who can perform when it counts.
The SIA, as the appointed regulator, will be the sole arbiter of compliance once the Act commences. What DG Advisory provides is the operational foundation – and the documented evidence – that gives your institution the best possible basis for meeting that standard.
To discuss what Martyn’s Law means for your institution, contact Chris Dreyfus-Gibson at [email protected]. You can download our whitepaper on Martyn’s Law and control rooms by visiting www.dgadvisoryglobal.com.
