| 28 April 2026
What the statutory guidance means for healthcare training in building practical, role-specific protective security capability
The publication of statutory guidance under the Terrorism (Protection of Premises) Act 2025 (also known as Martyn’s Law) marks an important shift for organisations responsible for public-facing premises and services, including healthcare providers.
For NHS organisations, private healthcare providers and wider health and social care settings, the guidance provides clarity on how to approach training under the Act, outlining expectations for preparedness, staff capability and operational response.
The conversation is no longer about what the legislation might require, but how to translate it into practical, role-specific protective security training across clinical and non-clinical teams.
While organisations have until April 2027 to prepare, effective preparedness is not a one-off activity. It is ongoing and organisation-wide – spanning awareness, procedures, training and capability.
Why training is critical for healthcare organisations under the Terrorism (Protection of Premises) Act 2025
A key theme running throughout the guidance is that training needs to be appropriate to role and tailored to the operating environment. For healthcare organisations, this is particularly significant.
Hospitals, community care settings and healthcare facilities are not only open, public-facing environments, but operationally complex, high-pressure, and dependent on coordinated response across diverse roles.
The guidance highlights that:
- Staff with specific responsibilities may require different or additional training
- Training should be tailored to premises, procedures and real operating conditions
- Supervisors and those responsible for activating procedures may require advanced, role-specific instruction
- Training should support implementation, not just awareness.
At the same time, all staff should have a baseline understanding that an incident could occur at any time, what to look out for, and how to respond and report concerns.
This creates a clear expectation of a layered approach to learning – from basic awareness through to applied capability.
How the Level 3 Award in Counter-Terrorism Protective Security and Preparedness supports healthcare organisations
The Level 3 Award in Counter-Terrorism Protective Security and Preparedness (CTPSaP) is a key component within this layered approach. Developed by SFJ Awards in collaboration with National Counter-Terrorism Security Office, the qualification provides structured, applied learning for those responsible for protective security and preparedness.
While completion of the CTPSaP qualification alone does not ensure compliance with the Act, it plays a key role in supporting organisations to interpret and implement its requirements effectively.
The legislation introduces the role of the Responsible Person (or Responsible Officer)—those with control of healthcare and other settings in scope, and therefore accountable for meeting the Act’s requirements.
The statutory guidance supports this role by clarifying key terms used throughout:
- Must – legal requirement
- Should – strongly recommended
- Could – optional
Many of these expectations align directly with the capability developed through the qualification:
| Guidance expectation | Requirement type | How the qualification supports healthcare environments |
|---|---|---|
| Ensure appropriate public protection procedures are in place | Must | Unit 1: Introduction to Counter-Terrorism builds understanding of threats, vulnerabilities and protecting public-facing healthcare environments |
| Staff are appropriately trained and understand procedures | Should | Unit 2: Positive Organisational Security Culture supports consistent awareness and behaviour across multidisciplinary healthcare teams |
| Implement protective security measures based on risk | Must / Should | Unit 3: Counter-Terrorism Protective Security develops risk-based thinking relevant to healthcare estates and patient-facing services |
| Ensure effective response capability | Should | Unit 4: Counter-Terrorism Preparedness builds planning and response capability for operational and clinical leaders |
| Document risk and mitigation (Enhanced Tier) | Must | Units 5 & 6: Risk Assessment and Preparedness Planning / Written Recommendations support structured risk assessment and preparedness planning |
| Avoid one-size-fits-all approaches | Should | The qualification emphasises contextual decision-making, enabling learners to apply principles to their specific healthcare settings |
Crucially, the CTPSaP qualification develops the capability to apply these principles in practice, particularly when delivered in a healthcare context.
Skills for Health’s collaboration with Skills for Justice Training supports delivery of the qualification in a way that aligns with the guidance’s recognition that, in some cases, sector-specific training, learning or instruction may be required. By bringing together expertise in justice and protective services with deep sector knowledge of healthcare environments, this approach ensures the qualification supports frontline healthcare settings in strengthening capability, preparedness and operational response.
Beyond terrorism: why protective security training matters for healthcare
While the legislation is focused on terrorism, its principles extend beyond this to support wider public safety and the development of a positive security culture—reinforcing that this is not a niche concern, but one relevant to all public-facing organisations.
Incidents that threaten public and patient safety are not always formally classified as terrorism, but they often require the same level of preparedness, awareness and response capability.
It is easy to assume that such risks are rare. However, the evidence tells a different story. Information from the Home Office impact assessment highlights that public spaces have been a potential target for many years.
Since March 2017, the UK has experienced 15 terrorist attacks and disrupted a further 39 plots. The UK’s National Risk Register categorises attacks on public places among the highest likelihood risks facing the country, underscoring that no sector is exempt from this threat.
The financial impact alone is significant. The Home Office estimated the direct cost of attacks in the UK in 2017 at £196.4 million (2021 prices) – equivalent to approximately £246.4 million in 2026. While this figure relates to a specific set of incidents rather than an average, it highlights a consistent reality: terrorist attacks carry substantial financial consequences.
But financial cost only tells part of the story. There are, of course, profound and lasting impacts on patients, staff, visitors and the wider communities that healthcare organisations serve.
Altogether, this reinforces a critical point: protective security training for healthcare is not just about compliance – it is about real-world preparedness and service continuity.
Why role-specific and environment-specific training matters under the Terrorism (Protection of Premises) Act 2025
A key implication of the statutory guidance is not just whether organisations provide training, but how that training is delivered.
The guidance is explicit: training should be appropriate to role, tailored to environment, and relevant to real procedures. In healthcare, this means recognising differences between:
- Clinical and non-clinical roles
- Frontline staff, supervisors and senior leaders
- Acute, community and specialist care settings
The Level 3 Award in Counter-Terrorism Protective Security and Preparedness supports these nuances by developing practical, context-driven capability, rather than generic knowledge.
From awareness to capability: a layered approach to healthcare security training
The statutory guidance points towards a clear model for protective security training and preparedness in healthcare:
- Baseline awareness for all staff
- Role-specific instruction for those with responsibilities
- Applied capability for those leading or implementing procedures
The Level 3 Award in Counter-Terrorism Protective Security and Preparedness is central to this third layer, helping organisations build the capability needed to move beyond awareness and into confident application.
Alongside this, Threat Awareness eLearning for healthcare staff can support consistent baseline understanding across the workforce, with learning tailored to sector-specific context.
Acting now: practical next steps for organisational readiness
With statutory guidance now published, healthcare organisations have both clarity and responsibility. April 2027 may feel distant, but building capability across complex organisations takes time.
Organisations should begin by asking:
- What level of threat awareness training do all staff require?
- Which roles need advanced protective security training?
- How do procedures translate into real-world response across clinical environments?
From here, the focus shifts from compliance to capability, and from theory to preparedness.
Final thought: from compliance to capability in healthcare security
The Terrorism (Protection of Premises) Act 2025 is not about eliminating risk. It is about ensuring organisations are prepared to respond effectively. For healthcare organisations, this means protecting patients, staff and services in environments where safety is critical.
The Level 3 Award in Counter-Terrorism Protective Security and Preparedness is not a compliance tool, but it is a powerful way to build the knowledge, skills and applied capability needed to meet these expectations.
FAQs: Terrorism (Protection of Premises) Act 2025 (Martyn’s Law) training for healthcare
Is CTPSaP training required for compliance with the Terrorism (Protection of Premises) Act 2025?
No. The qualification supports capability development but does not in itself ensure compliance with the Act.
What training do healthcare staff need under the Act?
The guidance suggests a layered approach, including baseline awareness for all staff and more advanced, role-specific training for those with responsibilities.
Who is the Responsible Person in healthcare settings?
The individual or organisation with control of the premises or services, responsible for meeting the Act’s requirements.
What is the difference between Skills for Health’s threat awareness eLearning and CTPSaP training?
The online threat awareness course provides foundational understanding, while the Level 3 CTPSaP qualification focuses on applied protective security and preparedness capability.