Home Office guidance under the spotlight: Terrorism (Protection of Premises) Act 2025

The Home Office has issued long awaited statutory guidance on the interpretation of the Terrorism (Protection of Premises) Act 2025 (the Act). While the guidance provides useful direction, it arguably leaves some key issues unsettled. This article explores some of the key concepts that enhanced tier dutyholders are grappling with, such as:

• the appointment of a senior individual;
• the scope of the duty to implement public protection measures; and
• the meaning of “immediate vicinity”.

 

Appointing a senior individual

Where the responsible person for enhanced tier premises or a qualifying event is a corporate entity rather than an individual, the Act requires the organisation to designate a senior individual with responsibility for ensuring compliance with the statutory requirements. The senior individual must be someone who has responsibility for managing the business or who has control of the business rather than a lower-level employee. The guidance stipulates that it will be for the organisation to assess which member of staff is appropriate and ensure that they are of sufficient seniority to ensure compliance.

Importantly, it is recognised that the senior individual may delegate actions or tasks to others, such as a security manager or contracted security lead and the guidance provides examples of activities that the senior individual may take forward to ensure compliance with the Act’s requirements, such as:

• ensuring that protective security matters remain an ongoing discussion or agenda point at board level;
• receiving regular briefings from relevant individuals from their organisation on threats or vulnerabilities to the premises or event;
• ensuring that relevant information is regularly cascaded to staff, as appropriate to their role and responsibilities;
• implementing or monitoring effectiveness of reporting lines between all those involved in putting procedures and measures in place; and
• reviewing and approving the compliance document, prior to submitting to the SIA.

Whilst this outlines a relatively proactive and engaged role for the senior individual, the guidance fails to provide clarity on how delegation should be structured in practice and what if any competency requirements there are for the senior individual. This leaves organisations and their senior managers exposed to potential compliance risk and underscores the importance of putting in place clear job specifications and reporting arrangements to evidence effective control and supervision of delegated functions.

 

Public protection measures: appropriate and reasonably practicable

In addition to the usual considerations for public protection procedures, those responsible for enhanced tier premises and qualifying events must ensure measures are in place to reduce the vulnerability of the premises or event to acts of terrorism.

The guidance describes (with examples) the four categories of public protection measures: monitoring; movement; physical safety and security; and security of information.

When implementing public protection measures, the responsible person must consider what measures are appropriate and what can be implemented so far as reasonably practicable.

The term “appropriate” is used to encourage a tailored assessment based on the particular vulnerabilities of the premises or event, rather than a one‑size‑fits‑all solution. It is therefore essential that the vulnerability assessment is carried out by a sufficiently competent and experienced individual.

Once appropriate measures have been identified, the responsible person must then consider the extent to which each can be implemented in practice.

The guidance explains that this requires weighing the objective of reducing risk against the cost, time and operational difficulty involved in implementing the measure ie reasonable practicability (a concept that is very familiar to health and safety practitioners). The guidance expressly recognises financial feasibility as a relevant consideration, which will provide reassurance to many dutyholders that they are not expected to incur disproportionate or unreasonable expenditure in pursuit of compliance.

That said, this remains a careful balancing exercise. Responsible persons will need to exercise judgement and be prepared to justify why particular measures were, or were not, adopted if subjected to regulatory scrutiny by the Security Industry Authority (SIA) or in the aftermath of an attack. Careful documentation of decision‑making will therefore be paramount in ensuring compliance.

 

What is meant by “immediate vicinity”?

This is rather loosely defined as “an area close to the premises” with no fixed distance.

By way of illustration, the guidance refers to a cycling race grandstand where queueing areas leading into the venue – including queues serving starting and finishing areas – are determined by the responsible person to fall within the immediate vicinity. These areas must therefore be taken into account when developing public protection procedures and associated measures. On the other hand, the pavements outside the ticketed grandstands and the roads on which participants are racing (that are not considered by the responsible person to be in the immediate vicinity in this instance) do not have entry checks in place and the responsible person therefore assesses that those areas are not in scope of the Act.

It is clear that the Act is not intended to impose open‑ended responsibility for all surrounding public space, but rather to focus attention on entry and exit points and controlled access areas that present foreseeable crowd‑related risks. However, many responsible persons will not have complete or any substantive control over these areas.

Whilst the guidance does recognise this, it goes on to state that the responsible person for enhanced tier premises or a qualifying event must consider what monitoring measures are appropriate to monitor the immediate vicinity of the premises or event to reduce the vulnerability of the premises or event to an attack, or the risk of physical harm being caused to individuals if an act of terrorism were to occur on the premises, at the event or in the immediate vicinity.

The guidance provides examples of “monitoring” measures, summarised as follows:

• Implemented through people:
  • Heightened awareness of staff;
  • Security patrols;
  • Perimeter patrols;
• Implemented through policies and processes:
  • Searches of people, bags and other items;
  • Access control measures;
• Implemented through physical mitigations:
  • Search and screening technologies;
  • CCTV systems with real-time monitoring;
  • Security lighting; and
  • Voice-based alerts and sensors.

In light of this very broad interpretation, it is difficult to reconcile how, on the one hand, a responsible person may not have control over the “immediate vicinity” yet on the other hand, they are expected to implement measures that necessarily require them to have significant control. Whilst in some cases the Act's provisions requiring “cooperation” and “coordination” between parties may provide a route to achieve sufficient means of control over the immediate vicinity, it will be not be the answer in all cases.

 

Consequences of non-compliance

The SIA will be responsible for enforcing the Act, with powers of inspection, powers to issue notices, and impose penalties for non-compliance.

The SIA will have powers to issue notices requiring compliance or imposing restrictions on relevant premises and events. For enhanced duty holders, non-compliance penalties can be quite severe, such as daily penalties up to GBP50,000 and fines of up to GBP18 million or 5% of worldwide revenue of the organisation’s most recent complete accounting period, whichever is higher.

Furthermore, failing to comply with a compliance or restriction notice is a criminal offence and can lead to prosecution of individual senior managers as well as the responsible person, resulting in imprisonment for up to two years and/or an unlimited fine.

These penalties underscore the critical importance of adhering to the measures mandated by the Act.

DLA Piper has a dedicated team of regulatory lawyers who were instructed by a central Core Participant in the Manchester Arena Inquiry – from which the Act has evolved. Our team has a unique insight into the development and enactment of the Act. Should you require any advice in relation to the matters raised in this article, please contact the authors or your regular DLA Piper contact.