The UK event security market is entering its most demanding 18 months in a generation. Royal Assent for Martyn's Law — the Terrorism (Protection of Premises) Act 2025 — was granted on 3 April 2025, and the 24-month implementation clock is running. By the time enforcement begins in Spring 2027, every publicly accessible venue or event in the UK with a 200+ capacity will need to show documented counter-terrorism preparations. Venues above 800 capacity will face materially heavier obligations. Security providers who can evidence this compliance as a matter of routine will win the contracts. Those who cannot, will not.
In brief: Martyn's Law has been law for a year and enforcement begins April 2027. The 2026 season is the practical run-up, and venue clients are already asking how compliance will be demonstrated on site. This article sets out what operators should have in place before, during and after every event, and how COREDINATE Guard Tour System delivers the evidence stream in one platform.
The Act is named for Martyn Hett, one of the 22 people killed at the Manchester Arena bombing in May 2017. After a seven-year campaign led by his mother Figen Murray, Martyn's Law places a statutory duty on premises and events with a public capacity of 200 or more to prepare for a terrorist attack. The duty is tiered.
Standard tier applies to premises or events in the 200 to 799 capacity band. These duty holders must register with the SIA and put in place written procedures covering evacuation, invacuation, lockdown and emergency communication. No physical security measures are mandated at this level. Non-compliance attracts a fine of up to £10,000 plus £500 per day.
Enhanced tier applies at 800 capacity and above. These duty holders must do everything the standard tier requires, plus: carry out a formal terrorism risk assessment, implement proportionate physical protective measures (CCTV, bag searches, vehicle barriers where appropriate), submit a written compliance document to the SIA, and appoint a named senior individual responsible for compliance. The enforcement regime is substantial: fines up to £18 million or 5% of worldwide revenue, whichever is higher, plus £50,000 per day for continued breaches, and restriction notices that can prevent an event from taking place.
The SIA is the regulator. One hundred additional posts are being created. Enforcement begins with an advisory posture and moves to active compliance at commencement in Spring 2027.
The legal duty sits with the operator of the premises or event, not the security contractor. In practice, every credible venue client will be pushing requirements down the contract chain. A Martyn's Law-covered event cannot produce its compliance evidence without the records held by its security provider: the risk assessment inputs, the briefing sign-offs, the patrol logs, the incident reports, the licence verification, the stewarding headcounts at each entrance. The security provider's paperwork is the venue's paperwork.
At the Security Event 2026 in Birmingham (28–30 April), the UK Crowd Management Association ran a session titled "Hot Topics in Crowd Management" on exactly this theme. The practical guidance from industry voices is consistent: start the documentation discipline in 2026, before the regulator is looking, because the post-event reporting that an enhanced tier venue will require is materially different from what most security providers currently produce.
A quick scan of Find a Tender and Contracts Finder shows the scale of what is on the market right now. These are genuine, active or recently awarded contracts, and the pattern is striking: councils and festival organisers are locking in multi-year arrangements that stretch well past the Martyn's Law enforcement date.
Above the municipal tier, the 2026 calendar reads like a stress test for the industry: Royal Ascot (16–20 June), Wimbledon (29 June–12 July), the British Grand Prix at Silverstone (2–5 July, c. 500,000 attendance across the weekend), the Bedford River Festival, the Edinburgh Festival Fringe (7–31 August, 2.6m tickets in 2025), Notting Hill Carnival (29–31 August, around two million attendees) and the Premier League opening weekend. Glastonbury is a fallow year in 2026 and returns in 2027, which is useful, because the 2027 edition will be the first major UK festival held entirely under Martyn's Law enforcement.
The industry picture behind these contracts is also tight. In 2022, the BSIA warned that the UK needed roughly 62,000 new security officers and that without them, "some big events may not be able to happen as planned." The SIA reported 432,282 active licence holders in 2024, and from April 2025 introduced mandatory refresher training that its CEO Michelle Russell described as the most significant change to the regulatory regime in twenty years. For the labour market context behind those numbers, see our separate analysis of the UK security workforce shortage.
A Wimbledon fortnight or an Edinburgh Fringe run demands hundreds of licensed officers, deployed in shift patterns that change daily. Parallel to that, most providers are still servicing their regular object-protection contracts. Once that operational load crosses a certain size, spreadsheets stop being sufficient. In a dispute over a post-incident licence check, an Excel file is not evidence either.
The duty roster in COREDINATE Guard Tour System schedules shifts against holiday, sickness and stored qualifications. Closed shifts flow automatically into time recording, which eliminates handwritten timesheets and the reconciliation work that follows them. For a tender bid, it also produces the single thing a procurement team cannot assemble from Excel: a defensible statement of how many qualified officers the company can actually deploy against a specific event on specific dates.
The site is set up digitally in parallel. NFC tags at fixed checkpoints, or GPS patrols with geofencing on open-air sites where physical tags are impractical (festival fields, car parks, the Silverstone infield, a carnival route). Task management is bound to each checkpoint: when an officer scans a tag, the app shows the specific tasks that apply at that location and that time of day. Verify the fire exit is clear, count the queue, confirm the overnight perimeter. Without a response, the task cannot be closed.
Event briefings, site plans, emergency procedures and the evidence of officer induction all belong in the file manager, released by role: shift leaders see more than entry-gate officers, the client sees only what the contract specifies. Team briefings are scheduled through notifications and require acknowledgement by each recipient. That acknowledgement is the evidence a standard tier venue needs to show its procedures were communicated — exactly the kind of record that Martyn's Law presumes exists.
When the event is live the tempo changes. Everyone in the command chain needs the same situational picture, in real time, not at the end of the shift. COREDINATE Guard Tour System delivers that picture in the portal and the app simultaneously.
The central dashboard consolidates the operational metrics on a configurable widget surface. Each commander builds the view that suits the site: zone patrol status, open incidents, current occupancy, officer whereabouts. Patrol monitoring and GPS location feed into the same picture: which checkpoints are overdue, where officers currently are, who is closest to an emerging incident. If scans are missed, a response is possible before the first radio call.
Incidents are captured through incident logging: photo evidence, voice dictation with automatic transcription, direct from the app. Pickpocket in the beer tent, medical emergency at the east gate, barrier failure at stand 3. Every entry lands in the portal in seconds, with the metadata that makes it legally useful afterwards. The digital incident book holds checkpoint scans, shift markers and every captured event in chronological order. No retroactive typing-up; no paper. Both the venue client and the SIA, if it ever comes to that, receive a record with tamper-evident timestamps rather than a narrative written the following morning.
Crowd flow is captured by the visitor counter in real time: entries, exits, current occupancy. That is the operational evidence Martyn's Law presumes, and the evidence that the Boardmasters festival, after its 2024 crowd crush on Watergate Bay that hospitalised seven people, specifically added for 2025 (along with a 20% increase in crowd management personnel, more entry search lanes and 24/7 campsite coverage). Manual clickers fail under load. Digital counts survive scrutiny.
A lone officer on a perimeter or a gate who stops responding on a 500-acre festival site is not a theoretical risk. It is the scenario every command structure has to account for. The lone worker protection with dead man's switch function prompts the officer at set intervals to confirm they are active. If there is no response, a pre-alarm runs first, then the dead man's alarm. The app automatically opens a voice call to the designated number, shows the alert on the portal map, and provides the last known position. Paired with a current Crosscall device, this satisfies DIN V VDE V0825-11; UK deployments should additionally align with BS 8484, the British standard for lone worker services. For deeper context on this specific function, see our longer piece on the dead man's switch.
"I have secure documentation, and through the GPS I know where my colleague is."
Volker Frisse, Protection One GmbH
Offline resilience is the detail that the specification sheet rarely captures and that matters most on a British festival field at 22:00 on a Saturday. In beer tents, under grandstands, on the back of open-air sites, connectivity drops. COREDINATE Guard Tour System stores locally and synchronises when signal returns. The commander in the control room does not see a gap in the record, they see a continuous log.
A professional event does not end on the last evening. It ends when the client signs off on the security delivery. The Monday morning after is where the account either renews or does not. Increasingly, it is also where the venue's Martyn's Law file gets its critical week-one entries.
The reports module in COREDINATE Guard Tour System produces a PDF with one click, containing every checkpoint scan, every logged incident, every shift record. The manual reconstruction in the back office is gone. Because the source data is tamper-evident after upload, the report is a defensible audit document for the client, the insurer and, if it ever comes to it, the regulator or a coroner.
Equally useful operationally is the optional client access. The venue client receives a restricted portal view, configured through the rights management per client. Bedford Borough Council sees exactly the scans and incidents relating to the River Festival site. A theatre client sees only its evening performances. This ends the sequence of follow-up calls, status emails and ad-hoc report bundles that currently consume disproportionate operational time — and delivers the transparency that tender documents now routinely request.
For incidents that extend beyond the event itself — a damage claim, an insurance notification, a Manchester Arena-style inquiry — the ticket system turns an incident record into a managed case, routes sub-tasks to the right people, and keeps everything documented and auditable. The open Manchester Arena Inquiry monitored recommendations MR7 and MR8 (consultation closed March 2026) are specifically about SIA oversight of security businesses and licensing of in-house CCTV operators. The detail of what the regulator will eventually require is not yet settled, but the direction is: more documentation, more traceability, tighter supply-chain scrutiny.
In the EKFB National Rail facility management project, COREDINATE Guard Tour System is running on 150 sites with approximately 10,000 patrols per month, the technical load of a whole festival season, in sustained operation.
One useful exercise in early 2026 is to sort the client book by Martyn's Law tier. A council running a Christmas lights switch-on for an expected 400 attendees is a standard tier client. The same council's summer events programme with a 2,000-person main stage is an enhanced tier client. A theatre with 600 capacity is standard tier. A Premier League stadium is enhanced tier. A conference venue with movable walls is enhanced tier at any capacity above 800, even if individual events run below.
The strategic implication is straightforward. Enhanced tier clients will need far more evidence from their security provider than standard tier clients, and will start asking for it during procurement, not after the event. Providers who come to tender with existing documented systems — real scans, real incident records, real client portals — have a material advantage over those who promise to build the capability on account. For smaller and mid-sized security providers, the enhanced tier market is an opening into territory previously dominated by the national players. COREDINATE Guard Tour System scales both directions: the same platform runs a single theatre or a 150-site facility-management operation.
The 2026 season is the practical preparation year. By the time Martyn's Law enforcement begins in Spring 2027, venue clients will already be reflecting their compliance anxieties in procurement scoring. The providers who enter that tendering environment with operational evidence (licensed rosters, documented briefings, digital patrol and incident records, tamper-evident reports) will carry a structural advantage. The providers still running on spreadsheets and WhatsApp groups will be arguing with clients about what happened on the night and what can be proved.
COREDINATE Guard Tour System is built to carry all three event phases (before, during and after) in a single platform, in production use at enterprise scale with customers including BioNTech and Klüh Security. Security providers who get set up during 2026 are not just compliant by 2027, they enter the tender wave with a better answer than their competitors on the questions that will decide who wins.
The Terrorism (Protection of Premises) Act 2025 — known as Martyn's Law — received Royal Assent on 3 April 2025. The Act is not yet in force. A 24-month implementation period applies, which means enforcement is expected to begin in April 2027. Any publicly accessible premises or event with a capacity of 200 or more will need to meet the Act's standard tier obligations, and venues at 800+ capacity will face enhanced tier duties including written risk assessments, formal procedures and a named senior compliance individual.
The legal duty sits with the premises or event operator, not the security contractor. In practice, however, venue clients will push documentation, training and evidence requirements down the supply chain. Security providers should have: auditable rosters linked to SIA licence checks, documented risk assessments and briefings per event, real-time incident logging with photo and timestamp evidence, patrol and stewarding data tied to specific checkpoints, and post-event compliance reports that match the format required by the SIA and the venue's safety advisory group.
Compliance evidence is only credible if it is tamper-evident and produced as a byproduct of the operation, not written up afterwards. That means NFC or GPS checkpoint scans with fixed timestamps, digital incident capture with photo and voice notes from the phone used on site, rosters that automatically feed timesheets, and reports that bundle scans, incidents, attendance and licence data in one PDF. COREDINATE Guard Tour System produces this evidence stream automatically so the post-event handover to a Martyn's Law-covered venue is a one-click export rather than a three-day admin job.
COREDINATE Guard Tour System: rosters, digital patrol log, visitor counts and real-time command in one platform. 14-day free trial, no contract.
Order free trial set →Visitor counter | Talk to sales
Or call us: +49 (0) 9842 80491-20