Martyn’s Law: How will it Transform Venue Cyber Security?
The sports and entertainment industry isn't just about what happens on the pitch or stage – it's about protecting the people, infrastructure and data that make those moments possible. As experts in sports team, venue, and stadium cyber security, we're trusted by teams and venues across the UK and globally to keep their operations secure, and their staff and attendees safe.
With sports grounds increasingly being used as multi-use venues - and modern stadiums utilising complex, interconnected technological systems - the threat landscape has widened, and the cyber risk has been heightened.
The introduction of Martyn’s Law will have key implications for your organisation’s cyber security strategy.
Martyn’s Law: What to Expect
Cyber threats continue to evolve. However, organisations must realise it’s not just digital threats that they must be aware of…
The Terrorism (Protection of Premises) Act 2025, also known as Martyn’s Law, received Royal Assent last Thursday, 3 April 2025. The act will improve protective security and organisational preparedness across the UK by requiring that those responsible for certain premises and events consider how they would respond to a terrorist attack.
Whilst there are different requirements as the size of the venue scales, any public venue (where there is at least one building) that has a capacity of 200 people or more will have to adhere to the new law.
These venues can include:
Entertainment & Leisure Venues
Retail Spaces
Food & Drink Venues
Museums & Galleries
Sports Grounds
Visitor Attractions
Temporary Events
Places of Worship
Health Premises
Educational Spaces
The core focus of the act is physical site security and protection against potential terrorist attacks. However, cyber security feeds into many aspects of the act’s requirements - meaning it’s important for organisations to be aware of their overall security posture, including cyber, when establishing which of these controls apply to them.
How Can Your Organisation Achieve Compliance?
Physical Security Policy:
The majority of cyber security governance accreditations, such as IASME or ISO 27001, expect organisations to hold a physical security policy that details access to premises, physical controls that are in place and how these are fed into the business risk register/assessment.
This is going to be a key component that organisations will need to put together to meet compliance with Martyn’s Law. By knowing your current areas of weakness, and where the biggest risks to the organisation lie, you can prepare physical security controls and processes to mitigate these issues.
Physical Red Teaming:
Typically undertaken by experienced penetration testing teams, red teaming is a way for organisations to respond to a genuine cyber attack in a controlled manner. Sometimes this is conducted digitally with actions such as phishing simulations. However, red team exercises are also physically conducted.
With these tests, penetration testing teams look at the physical nature of security by trying to bypass physical controls - assessing the extent to which the organisation would be impacted by this.
This methodology is a great way to get an external, non-biased assessment of your physical controls.
Incident Response Simulations:
Whilst some companies may produce an incident response policy or playbook, organisations with a more mature cyber security posture conduct simulations to test, validate and improve their current processes. This creates a structured approach to incident response and allows organisations to assess where any weaknesses lie in processes.
Being prepared for an incident and knowing the process of incident response inside out ensure that an organisation is in a better position to recover effectively and efficiently should an attack occur.
Don’t Overlook the Digital Security…
Physical security is the key to Martyn’s Law, but physical controls and access points can be targeted and disabled within the interconnected digital ecosystem that most organisations now operate in.
By taking into account multiple cyber security services, it’s possible to mitigate major impacts within physical locations:
Penetration Testing can assess ticketing portals to ensure there are no vulnerabilities that can give unauthorised users the ability to print tickets.
Vulnerability Scanning can analyse the internal infrastructure for potential threats that could be exploited.
A strong governance alignment can help a company fully understand all of its processes (both physical and digital) to make improvements.
Supply chain management can help ensure additional checks are incorporated for suppliers with key access to the location.
Phishing simulations can test users to identify their first line of defence capabilities.
The introduction of Martyn’s Law will place heavy importance on physical locations to ensure they are doing as much as possible to mitigate risk. However, whilst the focus is primarily on the physical aspect of security, it’s important to remember that digital systems and applications are so intertwined with physical systems that fully reviewing your cyber security, both digital and physical, is an essential step in building a comprehensive and complete cyber security strategy.
The Next Step: PureCyber Governance Consultancy
Aligning your organisation with a framework such as ISO 27001 and achieving full certification will give your firm an organisational compliance baseline that will act as a foundation for cyber awareness throughout your organisation, and support future cyber security implementation.
Remember - preparedness, vigilance, risk assessments and a review structure are key to safeguarding your physical location in the event of a major incident.
PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.
Our team of governance experts will be on hand throughout your accreditation journey to ensure your organisation can achieve compliance with ease.
How Can PureCyber Help?
The PureCyber team are here to take over the burden of your cyber security and ensure your organisation’s data remains secure and well managed, with proactive monitoring and real-time threat intelligence. We provide a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM), Brand Protection Services and Penetration Testing.
Get in touch or book a call for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.
Email: info@purecyber.com
Call: 0800 368 9397