With the UK’s Terrorism (Protection of Premises) Act 2025 (also known as Martyn’s Law) progressing towards implementation, Axis OPEN in London brought together a panel of experts with deep, front-line experience across policing, national security and corporate risk.
Joining the discussion were: Tim Molden, Board Director at ASIS International and Head of Security & Licensing for Capital Arches, the UK’s largest McDonald’s franchise; Rachel Webb, Director of Security Strategy at Mitie and former Intelligence Corps; and John Campbell, Co-founder of Campbell Sutherland Crisis Leadership and former Chief Constable of Thames Valley Police. Speaking to Axis Steven Kenny, they offered a realistic perspective on what the legislation means, what’s misunderstood, and what organisations should be doing today.
Q: It’s clear that we need straight talking about Martyn’s Law. Where are we today?
Rachel Webb: For me, this all comes back to good security and good risk management. It’s positive that counter-terrorism is being talked about more widely thanks to Martyn’s Law, but at its heart the legislation is about putting the right mitigations in place to address the full range of threats organisations face. If those mitigations also strengthen your counter-terrorism posture, that’s a win. But we should see this through the broader lens of sensible, proportionate security.
John Campbell: Legislation can feel intimidating, especially when enforcement bodies like the SIA are involved, but in my experience, government and regulators recognise this is a journey, and they want a sensible, practical approach. Too often, people obsess over hardware like cameras and access gates because they have a budget line. But failures in protective security, including the Manchester Arena attack, were primarily people-related, involving missed behaviours, unclear escalation routes, and insufficient training. So my advice is simple: don’t wait, don’t be intimidated, and get advice early.
Tim Molden: For us, the responsibility is huge. My franchise serves around 100,000 customers a day; McDonald’s UK as a whole serves four million. That’s a lot of people relying on us, and we’ve already made the decision that all our venues will meet the standard tier, even if only some are legally in scope, because it’s safest to be consistent. And training is central. We’re looking at enhancing our training now, regardless of what becomes mandatory, because it’s the right thing to do.
Q: We’re seeing organisations claim they can already make you “Martyn’s Law compliant.” How do you handle that when the details aren’t finalised?
Rachel Webb: We’re seeing vendors offering “compliance statements” that simply aren’t possible yet. In that case, I point people to the Home Office’s two-page myth-buster document, because the truth is that there are long-established guidelines for protecting premises. Those won’t change, and Martyn’s Law won’t specify exact products or technologies. It will focus on “reasonable and practicable” steps. The real questions are whether you’re managing access appropriately, whether you understand your threats and their potential impact, and whether you’ve identified realistic mitigations. Those foundations can be built now.
Q: Some in the industry say they’ve been doing this work for a decade, only under different names. Is Martyn’s Law more evolution than revolution?
John Campbell: Exactly. When I was National Police Lead for Protect & Prepare, all of this was already part of the CONTEST strategy. Martyn’s Law isn’t reinventing the wheel, but it is helping to create consistency and raise minimum standards. The two-year implementation window shows the government recognises the scale of change, and organisations should use that time wisely. Appoint a senior responsible officer, review existing protective security, conduct proper risk assessments, and map the gaps. And when people ask for proof of compliance, the correct question is: compliant with what? Martyn’s Law is outcome-focused, not a tick-box exercise.
Q: There are a number of questions surrounding demarcation – your premises vs. public spaces outside, for example. How does that play out?
Tim Molden: It’s a major grey area. In shopping centres it’s clearer, but on high streets the space outside our front doors is used by our customers and the public yet is owned by local authorities. We need to get a genuine partnership working between businesses, police and councils, especially in densely populated and busy areas. It’s not yet clear how the guidance will address shared responsibility, but collaboration will be essential.
Rachel Webb: We’ve seen some public/private partnerships beginning to form. But clarity will improve once the Section 27 guidance is released, covering what counts as a premises or event. The SIA will then consult publicly on how compliance checks will work, which will be the most important stage for industry input. Although April 2027 is widely referenced, I suspect full implementation may be later. Organisations should plan for a phased, evolving process.
Q: Let’s turn to training. What does good training look like?
Tim Molden: Training will be essential, mandated or not. And it will cost more than the headline estimates. Removing staff from operations has a real cost. But broader security awareness offers huge value. It reduces low-level crime, improves customer safety and strengthens counter-terrorism resilience.
Rachel Webb: Exactly. Technology is only effective if the people behind it are trained, confident and prepared. And it’s all staff, not just security teams.
John Campbell: Training must also address human factors like confidence, escalation, situational awareness. Failures in the Manchester Arena attack highlight why that matters.
Q: There are roughly two years to go. To close, what key steps do you each think organisations should perform now?
Tim Molden: Don’t wait. Review your monitoring capabilities, strengthen training, and start risk assessments now.
Rachel Webb: Sign up to ProtectUK, stay close to Home Office updates, and prepare to engage with the 2026 consultation.
John Campbell: Appoint a senior responsible officer, assess your gaps, and accept some uncertainty - treat this as a long-term journey.
Martyn’s Law represents a significant shift, but as our panel speakers make clear, much of what’s required already exists as good security practice.
Intelligent technologies such as people counting, occupancy monitoring, network audio for clear public address and integrated video analytics can help organisations apply those principles in a more consistent and evidence-based way. Starting early, combining smart Axis hardware with well-trained people and a culture of shared responsibility will put organisations in the strongest position, not just to demonstrate compliance but also to better protect the public.
