The Act requires persons who control certain publicly accessible premises or ticketed events to put in place and maintain measures and procedures intended to reduce both the vulnerability of the place or event to an attack and the risk of physical harm to people if an attack occurs. The duty distinguishes between 'standard' and 'enhanced' responsibilities depending on use and crowd size, and it imposes documentation, notification and co‑operation duties on those responsible.
The Security Industry Authority (SIA) gains a statutory enforcement role for these duties, including investigatory powers, compliance and restriction notices, monetary penalties and criminal offences for non‑compliance or false information. Separately, the Act lets the Secretary of State restrict public disclosure of certain floor plans held on licensing registers where that information could facilitate an act of terrorism — and creates a process to replace old public plans with redacted or compliant versions.
At a Glance
What It Does
The bill obliges those with control of qualifying premises or qualifying events to put in place public protection procedures (evacuation, movement, entry control, information) and, for larger sites and all qualifying events, to assess and implement additional protection measures (monitoring, movement control, physical and information security). It gives the SIA powers to investigate compliance, issue compliance and restriction notices, levy civil penalties (including percentage‑of‑revenue limits), and pursue criminal offences for persistent or serious breaches.
Who It Affects
The duties apply to venues and events whose primary uses are listed in Schedule 1 — retail, hospitality, cultural sites, transport hubs, sports grounds, hospitals, education institutions and more — and to the organisations that control them (from commercial operators to public bodies). Licensing authorities and holders of premises plans are affected by the new limits on public disclosure of certain layout plans.
Why It Matters
The Act expands the SIA’s remit from private‑security regulation into preventive premises security, creating a single civil‑enforcement route for venue security standards while also imposing potentially large financial penalties tied to an organisation’s global revenue. It also shifts how licensing registers handle floor plans, trading public transparency for operational secrecy where the Secretary of State judges it justified.
What This Bill Actually Does
The Act builds a risk‑based regulatory framework around physical venues and ticketed events. It defines ‘qualifying premises’ by use (Schedule 1) and crowd size, and treats some places as enhanced duty premises with more demanding obligations.
For qualifying events the test focuses on ticketed or otherwise controlled access and an anticipated crowd above a high threshold. A handful of premises and events are carved out — for example certain parliamentary or devolved administration premises, open parks without crowd control and places covered by separate transport security regimes.
For all qualifying premises the person with control must ensure, so far as is reasonably practicable, that public protection procedures exist and are followed: these are straightforward operational steps for staff and contractors to evacuate, move people to safer locations, prevent entry or egress, and provide on‑site information if an incident arises. Enhanced duty premises and qualifying events must go further: assess and keep under review a package of public protection measures addressing monitoring and surveillance, crowd movements, physical building security and the integrity of information about the premises.
Where the responsible party is a corporate body it must nominate an individual accountable for compliance.
The SIA becomes the central regulator for these duties. It must prepare guidance (subject to Secretary of State approval) and may use information‑gathering notices, inspect premises (with 72 hours’ notice for routine inspections), and apply for warrants where urgent access is necessary or notice has been frustrated.
The SIA can issue compliance notices requiring corrective steps, and restriction notices that limit or prevent the use of premises or the holding of events for up to six months (with limited extensions). Those notices carry appeal rights to the tribunal; some notices can be stayed pending appeal only at the tribunal’s discretion.
Civil enforcement is backed by a three‑part monetary regime and criminal offences.
The SIA may issue penalty notices imposing non‑compliance penalties and, for continuing breaches, daily penalties. For standard duty premises the Act caps a baseline fine; for enhanced duty premises and qualifying events the maximum penalty is set by reference to qualifying worldwide revenue (or a large fixed figure), and daily fines for serious continuing breaches can be substantial.
Separate criminal offences cover failure to comply with restriction or compliance notices and providing false information to the SIA; corporate liability provisions allow proceedings against officers where appropriate. Parallel changes restrict publication of certain licensing plans: regulations can require modified plans be placed on public registers and permit limited disclosure to other public authorities while preventing wider public access.
The Five Things You Need to Know
Qualifying premises are defined by Schedule 1 uses and a minimum crowd threshold of 200 people present at the same time; premises become enhanced duty premises where 800 or more may be present (the Secretary of State can change these figures by regulations within statutory bounds).
The Security Industry Authority is given new statutory functions to assess compliance, inspect premises, issue compliance and restriction notices, and impose civil penalty notices — and must submit its guidance to the Secretary of State for approval before publication.
Persons responsible for enhanced duty premises or qualifying events must prepare and keep up to date a written document describing procedures and measures, assess their expected risk‑reducing effect, and provide a copy to the SIA 'as soon as is reasonably practicable' and within 30 days of any revision.
Civil penalties for contraventions include fixed caps for some categories and for enhanced duty premises or qualifying events the maximum non‑compliance penalty is the greater of £18 million or 5% of the person’s qualifying worldwide revenue for the most recent accounting period; daily penalties for continuing breaches can reach £50,000 for enhanced duty premises or qualifying events.
Regulations under section 34 let the Secretary of State restrict public disclosure of licensing plans deemed useful to a person committing or preparing an act of terrorism, and create a process (with a specified fee) for replacing older public plans in licensing registers with compliant, redacted versions.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Scope, definitions and on‑site duties
This cluster sets out which premises and events fall within the regime (Schedule 1 uses plus numeric thresholds), distinguishes enhanced from standard duties, and identifies who is ‘responsible’ for compliance. It establishes the core obligations: public protection procedures for all qualifying premises and additional public protection measures for enhanced duty premises and qualifying events. The practical implications are that venue operators must audit uses, map control responsibilities, and where corporate entities run venues, designate a named individual with accountability.
SIA functions, investigatory powers and civil enforcement
These provisions transfer enforcement to the Security Industry Authority and expand its remit to include inspection and investigatory powers (information notices, entry with 72 hours’ notice, and warrant routes). The SIA can issue compliance notices requiring remedial action and restriction notices that can limit or suspend venue use or an event for a specified period; both notice types must be preceded by an opportunity to make representations except in urgent cases. The Act also prescribes the form, appeal rights and tribunal review standards for notices and penalty decisions, drawing on civil administrative mechanisms rather than criminal licensing processes.
Monetary penalties and payment mechanics
The Act creates a two‑tier monetary regime: non‑compliance penalties with statutory maximums (including a category tied to worldwide revenue for the largest contraventions) and optional daily penalties for continuing breaches arising from failure to comply with compliance or restriction notices. It specifies minimum notice periods for payment and sets out procedures for variation, appeal, and recovery (High Court enforcement routes and registration of judgments). The SIA must publish guidance on how qualifying worldwide revenue is to be calculated.
Criminal offences and corporate liability
Failure to comply with a compliance notice (for enhanced duty premises) or with any restriction notice is a criminal offence with summary and indictable penalties; giving false or misleading information to the SIA is also criminalised. The regime includes well‑worn corporate liability clauses allowing proceedings against officers where offences occur with consent, connivance or due to neglect, so corporate governance and record keeping will be legally material in prosecutions.
Licensing registers and limited disclosure of plans
This part amends the Licensing Act 2003 and the Licensing (Scotland) Act 2005 to make compliance with new regulations the condition for including layout plans in public licensing registers. The Secretary of State may frame regulations limiting disclosure of plans judged likely to be useful to someone preparing an act of terrorism, set fees for replacement applications, and prescribe which public authorities may receive non‑public plans — creating a structured process for redaction and restricted access to sensitive layout information.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Members of the public attending large venues and events — they gain mandated planning and on‑site procedures intended to reduce harm and improve incident response.
- Security Industry Authority and emergency planners — receive statutory authority to set and enforce standards, plus a formal route to gather venue intelligence and coordinate prevention work.
- Police, fire and local resilience partners — benefit from clearer obligations on venue operators, formal information‑sharing channels and SIA oversight that can reduce operational ambiguity during planning and response.
- Insurers and risk managers — obtain a clearer regulatory baseline against which to price and condition cover; documented procedures may reduce uncertainty in claims and underwriting assessments.
Who Bears the Cost
- Venue operators and event organisers of qualifying premises/events — they must fund risk assessments, new physical and information security measures, staff training, written documentation and possibly operational changes to control access and circulation.
- The Security Industry Authority — must absorb or secure resources to carry out inspections, publish approved guidance, manage notices and penalty regimes, and maintain review processes; those functions are operationally intensive.
- Local licensing authorities and licensing boards — will face administrative load replacing non‑compliant plans, processing paid applications for redacted plans, and handling restricted disclosure requests.
- Tribunals and courts — increased appeal rights and enforcement actions (penalty notices, criminal prosecutions, warrant endorsements and recovery proceedings) will generate caseload and resource implications for administrative and criminal justice bodies.
Key Issues
The Core Tension
The central dilemma is balancing a credible, enforcement‑backed regime that reduces venue vulnerability and improves public safety against the burdens of regulatory uncertainty, operational cost and constrained transparency — especially where restricting disclosure of plans reduces public accountability and where deterrent penalties must be large enough to influence behaviour without being disproportionate or unworkable for organisations to assess and insure against.
The Act leaves significant detail to delegated regulations and SIA guidance, which means practical compliance will depend on how thresholds, documentation content and the form of restricted plans are specified. The statutory tests use 'reasonably practicable' as the operative standard for many duties; that familiar but elastic phrase transfers a lot of judgment to operators, auditors and ultimately the SIA and tribunals, creating uncertainty about the baseline level of effort required to avoid enforcement.
Information handling is a knotty implementation challenge. The Act both empowers sharing of restricted plans with public bodies and expressly preserves data protection and Investigatory Powers Act limits; operational guidance will have to reconcile those duties while keeping sensitive material secure.
The penalty architecture combines fixed‑sum caps, percentage revenue measures and daily fines, which raises difficult proportionality and measurement questions — especially for multi‑jurisdictional or complex corporate groups where 'qualifying worldwide revenue' is contested. Finally, the SIA’s new inspection and warrant powers bring it into operational space occupied by police, transport and statutory safety regimes; effective delivery will require carefully designed protocols to avoid duplication, mission creep or legal friction.