The Compliance Stack: Every Legal Obligation Your Venue Already Has (and the New One Coming)

Martyn's Law is getting all the attention right now. That is understandable. It is new legislation that carries real penalties, and most venue operators have never had to consider terrorism preparedness before.

But here is the thing that nobody writing about Martyn's Law seems willing to say: for the majority of hospitality venues, it is not their biggest compliance risk. Not even close.

The biggest risk is the compliance you already have and are probably not managing well.

Martyn's Law is arriving on top of a stack of existing legal obligations that most venues handle with a combination of ring binders, spreadsheets, someone's memory, and a general hope that inspectors do not turn up on a bad day. Fire safety. Food hygiene. Health and safety. RIDDOR. Licensing. Allergens. COSHH. Employment law. Data protection. Equality. The list does not stop.

There are approximately 176,685 hospitality businesses in the UK as of March 2025, according to the Office for National Statistics. 99.6% of them are small or medium-sized enterprises. Most lack a compliance officer, a risk manager, or even a filing system that would withstand an unannounced inspection.

This article maps the full compliance landscape for a UK hospitality venue. Not to overwhelm you, but to make a point: if you are still managing all of this on paper, across different folders, with different people responsible for different bits, you are not managing it. You are hoping.

The Stack at a Glance

Every hospitality venue in the UK operates under multiple overlapping regulatory frameworks. They are enforced by different bodies, inspected on different schedules, and carry different penalties. But they all have one thing in common: they require you to prove what you did, when you did it, and that your staff knew what they were supposed to do.

Here is what you are already responsible for.

Fire Safety — A documented and regularly reviewed fire risk assessment, maintained detection and alarm systems, clear escape routes, and staff trained in emergency procedures. Enforced by your local fire and rescue authority, who can turn up unannounced and issue a prohibition notice that closes your venue on the spot. Unlimited fines and up to two years' imprisonment for serious breaches.

Food Safety and Hygiene — Registration as a food business, a HACCP-based food safety management system, temperature monitoring, cleaning schedules, and trained staff. Environmental health officers can close your kitchen or your entire premises with an emergency prohibition notice. Fines of up to £20,000 per offence at magistrates' court. Unlimited fines and up to two years' imprisonment at Crown Court.

Allergen Information — Information on 14 specific allergens is available for every dish. Full ingredient labelling on pre-packed food under Natasha's Law. This is a criminal offence if you get it wrong, and allergen failures have directly caused deaths in UK hospitality venues.

Health and Safety — Risk assessments for all work activities, a written policy if you employ five or more people, and documented training, instruction, and supervision. Enforced by the HSE and local authorities. Fines are calculated based on turnover and culpability. Up to two years' imprisonment for breaches that cause death.

RIDDOR (Incident Reporting) — Reporting of deaths, specified injuries, occupational diseases, and dangerous occurrences to the HSE within 10 days. Records kept for at least three years. Hospitality has some of the worst reporting rates of any sector; an HSE study found only 30% of reportable injuries were actually reported. Failure to report is a criminal offence.

Licensing — A Premises Licence, a Designated Premises Supervisor, and compliance with every condition on your licence. Conditions cover hours, noise, CCTV, capacity, door supervision, and more. Every condition is legally binding. Licence reviews can result in reduced hours, additional conditions, suspension, or revocation. Selling alcohol without a licence carries an unlimited fine and up to six months' imprisonment.

COSHH (Hazardous Substances) — Identification and risk assessment of every hazardous substance on your premises, from cleaning chemicals to cellar gases. Safety data sheets are accessible to staff. Control measures documented. Same penalties as health and safety breaches.

Employment Law — Contracts, minimum wage compliance, working time limits, right-to-work checks, and fair allocation of tips under the Employment (Allocation of Tips) Act 2023. HMRC can issue penalties of up to 200% of arrears for underpayment of the minimum wage. The tips legislation has been in force since October 2024.

Data Protection — Lawful basis for processing personal data, privacy notices, data security, and breach notification procedures. Applies to employee records, booking data, CCTV footage, mailing lists, and wi-fi logins. The ICO can issue fines of up to £17.5 million or 4% of annual global turnover.

Equality and Accessibility — Reasonable adjustments to ensure people with disabilities can access your services. An anticipatory duty, meaning you should not wait for someone to ask. Compensation awards for discrimination have no upper limit.

That is ten regulatory frameworks, enforced by at least six different bodies, before Martyn's Law adds an eleventh.

And Now: Martyn's Law

On top of everything above, the Terrorism (Protection of Premises) Act 2025 received Royal Assent on 3 April 2025. Venues with a capacity of 200 or more people must comply within 24 months.

For Standard Tier venues (200-799 capacity), the requirements are procedural: a terrorism preparedness plan covering evacuation, invacuation, lockdown, and communication procedures. Staff training on those procedures. No expensive equipment. No physical alterations. No specialist consultants required.

The Government has been clear that compliance should be simple and proportionate. And in isolation, it is.

But it is not arriving in isolation. It is arriving on top of everything else.

If you are already struggling to keep fire safety training records up to date, adding terrorism preparedness training to the pile does not simplify your life. If your incident reporting is already inconsistent, adding a new incident category to track will not make things easier. If your staff already receive induction training that covers food hygiene, fire procedures, health and safety, and licensing obligations, adding another module is one more thing to schedule, deliver, record, and evidence.

The challenge is not any single obligation. The challenge is managing them consistently amid staff turnover, seasonal changes, and the daily demands of running a busy venue.

For our detailed guides on Martyn's Law, see Martyn's Law: A Plain English Guide and Standard Tier: A Step-by-Step Compliance Guide

The Real Problem: How Venues Actually Manage This Today

Talk to any pub landlord, restaurant manager, or hotel operator, and you will hear variations of the same story.

Fire safety records are in a folder behind the bar. Food hygiene logs are in the kitchen. Employment contracts are in an office drawer. COSHH data sheets are in the cleaning cupboard. Training records are in someone's email. Licensing conditions are on the wall. CCTV policies are in a filing cabinet. Or possibly on a laptop. Or possibly nowhere.

Different obligations are managed by different people, using different systems, on different schedules. The head chef handles food safety. The duty manager handles fire drills. The owner handles licensing. HR (if it exists) handles employment law. The accountant handles tip allocation. Nobody handles RIDDOR because nobody knows it exists.

This fragmentation creates three specific problems.

Nothing is connected. Fire safety, Martyn's Law, food hygiene, and health and safety training are separate obligations delivered by different people at different times. But to the staff member receiving them, they are all "the training I got when I started." If you cannot produce a single, coherent record of what each employee was trained on and when, you have a gap that any inspector can see.

Staff turnover destroys compliance. The hospitality sector lost 124,376 payrolled employees between May 2024 and May 2025, a 5.6% drop. In an industry where staff turnover is constant, the person who knew where everything was filed left months ago. The new person was told about the important stuff, but never saw the documentation. Records drift out of date. Procedures change informally. What is written down no longer matches what actually happens.

You cannot prove what you have done. Every one of these obligations shares the same fundamental requirement: evidence. Not that you did the right thing, but that you can prove you did the right thing, to an inspector you have never met, on a day you were not expecting them. Paper systems, spreadsheets, and email threads are not evidence systems. They are retrieval challenges.

What Good Looks Like

Compliance is not about doing more. It is about managing what you already have to do in a way that actually works.

A well-managed venue does not have ten separate compliance systems. It has one place where:

• Every policy is stored, version-controlled, and accessible to staff
• Every training session is recorded with evidence of who attended and what was covered
• Every checklist and inspection is logged with timestamps, not filled in retrospectively
• Every incident is reported, categorised, and followed up on
• Every staff member can see exactly what is expected of them and confirm they understand it
• Every change — a new regulation, a new staff member, a new procedure triggers an update that flows through the entire system

This is not aspirational. It is what inspectors across fire safety, food hygiene, health and safety, and licensing all expect to see. Martyn's Law will expect the same thing. The Security Industry Authority, which will regulate compliance with Martyn's Law, will expect documented procedures, evidence of training, and accessible records.

The venues that will find Martyn's Law easy to comply with are the ones that already have their existing obligations under control. The venues that will struggle are those already struggling with other challenges.

Where to Start

If you have read this far and recognise your own venue in the fragmented picture above, do not try to fix everything at once. Start with three things.

Audit what you have. Take one afternoon and walk through every obligation listed in this article. For each one, answer three questions: Do we have a current, written procedure? Can we produce training records for all current staff? Could we show evidence of compliance to an inspector today? The gaps will become obvious quickly.

Pick the highest risk. Fire safety and food hygiene carry the most immediate enforcement consequences. If your fire risk assessment has not been reviewed in the last 12 months, or your food hygiene records would not survive an unannounced inspection, those are your priorities. Martyn's Law enforcement does not begin until April 2027. Your fire authority and environmental health team can turn up tomorrow.

Stop relying on paper. This is not a sales pitch. It is a practical observation. Paper-based compliance systems fail because they depend on individual discipline, cannot be audited remotely, do not trigger reminders, and disappear when people leave. Whether you use purpose-built software or a well-structured shared drive, records must be digital, timestamped, and accessible to multiple users.

Coming Up Next

This article maps the landscape. The next articles in this series go deeper into specific areas:

• Staff Training Records: What Inspectors Actually Ask For — How to build a training evidence system that covers fire safety, food hygiene, health and safety, and Martyn's Law in one place
• Incident Reporting for Hospitality Venues — RIDDOR obligations, near-miss recording, and why most venues only start documenting incidents after something goes wrong
• Fire Safety and Martyn's Law: The Overlap Nobody Is Talking About — You already have evacuation procedures. Here is what you need to add

If you want to stay ahead of Martyn's Law while getting your existing compliance in order, join our waiting list or download our free Martyn's Law compliance checklist to start building your evidence base today.

Detailed Reference: What Inspectors Check and What Goes Wrong

The summaries above give you the picture. This section provides details for each obligation—what inspectors are looking for, common failure patterns, and the specific legislation. Bookmark this section and come back to it when you need to check a specific area.

Fire Safety — In Detail

Legislation: Regulatory Reform (Fire Safety) Order 2005; Fire Safety (England) Regulations 2022

Enforced by: Local fire and rescue authorities

What inspectors actually check: They do not just ask whether you have a fire risk assessment. They ask when it was last reviewed, who reviewed it, what has changed since the last review, and whether your staff can explain the evacuation procedure without reading from a poster. They check fire door logs. They check that extinguishers have been serviced. They check training records. The 2022 regulations added requirements for fire door inspections and information sharing with residents in multi-occupied buildings, affecting hotels and venues in mixed-use developments.

What goes wrong: Venues do the assessment once and file it. Staff turnover means new employees never receive fire training, and no one updates the records. Fire doors get propped open. Escape routes get blocked by deliveries. The risk assessment says one thing, but the premises look different.

Source: Regulatory Reform (Fire Safety) Order 2005; Fire Safety (England) Regulations 2022

Food Safety and Hygiene — In Detail

Legislation: Food Safety Act 1990; Food Safety and Hygiene (England) Regulations 2013; Regulation (EC) No 852/2004 (retained EU law)

Enforced by: Local authority environmental health officers

What inspectors actually check: Fridge and freezer temperature logs. Cleaning records. Evidence of staff training. Whether your documented procedures match what is actually happening in the kitchen. They look at your Food Hygiene Rating and can downgrade you on the spot.

What goes wrong: Temperature logs get filled in retrospectively or not at all. Cleaning schedules exist on paper, but nobody follows them consistently. Staff join and leave without completing food hygiene training. Menu changes happen without updating allergen information. The Saturday night chef follows different procedures to the Tuesday lunch chef. Nobody notices until the inspector does.

Source: Food Safety Act 1990; Food Standards Agency guidance

Allergen Information — In Detail

Legislation: Food Information Regulations 2014; Food Information (Amendment) (England) Regulations 2019 (Natasha's Law)

Enforced by: Local authority trading standards and environmental health

What inspectors actually check: Allergen matrices for every menu item. Whether special boards have allergen information. Whether staff can confidently answer questions about allergens. Whether supplier changes are reflected in allergen records. Whether pre-packed items have full ingredient labelling.

What goes wrong: Allergen matrices get created once and never updated when suppliers change ingredients. Special boards have no allergen information. Staff cannot confidently answer allergen questions because they have not been trained or the information is not accessible. A supplier changes a product formulation, but no one updates the records.

Source: Food Information Regulations 2014; FSA allergen guidance

Health and Safety — In Detail

Legislation: Health and Safety at Work etc. Act 1974; Management of Health and Safety at Work Regulations 1999

Enforced by: Health and Safety Executive (HSE) and local authorities

What inspectors actually check: Whether risk assessments are specific to the venue or generic templates. Whether they have been reviewed since conditions changed. Training records. Accident books. Whether near-miss incidents are being recorded. First aid provision and records.

What goes wrong: Risk assessments are generic templates downloaded from the internet rather than being specific to the venue. They are completed once and never revisited. Near-miss incidents go unrecorded. Staff training is informal and undocumented. When someone slips on a wet kitchen floor, there is no evidence of what precautions were in place.

Source: Health and Safety at Work etc. Act 1974; HSE guidance for hospitality

RIDDOR — In Detail

Legislation: Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013

Enforced by: HSE

What must be reported: Deaths, specified injuries (certain fractures, amputations, serious burns, loss of consciousness), injuries to non-workers who are taken to the hospital as a result of a work-related accident, occupational diseases, and dangerous occurrences. Reports must be submitted within 10 days via the HSE online system.

What goes wrong: Venues do not realise an injury is reportable. Staff do not tell management. Management does not know the reporting threshold. Incidents are handled informally, and no one files a report. The absence of an incident history makes it very difficult to demonstrate proactive safety management when something serious happens.

Source: RIDDOR 2013; HSE RIDDOR guidance

Licensing — In Detail

Legislation: Licensing Act 2003

Enforced by: Local authority licensing committees; police

What inspectors and responsible authorities check: Whether the venue is operating within its licence conditions. Hours of operation. CCTV retention periods. Age verification practices. Noise levels. Capacity compliance. Whether the DPS is current and holds a valid Personal Licence.

What goes wrong: Staff do not know the licence conditions. Music plays past the permitted hours. CCTV footage is not retained for the required period. Age verification is inconsistent. Temporary Event Notices are submitted late or exceed their limits. A new manager takes over but is unaware of the specific conditions. Licensing reviews can be triggered by complaints from residents, police reports, or evidence from any relevant authority.

Source: Licensing Act 2003; Home Office guidance

COSHH — In Detail

Legislation: Control of Substances Hazardous to Health Regulations 2002

Enforced by: HSE and local authorities

What it covers in hospitality: Cleaning chemicals, sanitisers, pest control products, cellar gases (CO2, nitrogen), and any other substances that could harm health through inhalation, skin contact, or ingestion.

What goes wrong: Cleaning products are changed, but no one updates the COSHH assessments. Safety data sheets are filed somewhere, but staff have never seen them. Products are stored incorrectly or decanted into unmarked containers. New staff are shown the cleaning cupboard but not given formal training.

Source: COSHH Regulations 2002; HSE COSHH guidance

Employment Law — In Detail

Legislation: Employment Rights Act 1996; National Minimum Wage Act 1998; Working Time Regulations 1998; Equality Act 2010; Employment (Allocation of Tips) Act 2023

Enforced by: Employment tribunals; HMRC (minimum wage); Equality and Human Rights Commission

What goes wrong: Right-to-work checks get missed for agency staff or casual workers. Tips policies are informal and undocumented. Working time records are incomplete. Minimum wage calculations do not account for unpaid overtime or deductions that bring hourly pay below the threshold. Contracts lag behind the reality of working arrangements.

Source: Employment Rights Act 1996; Employment (Allocation of Tips) Act 2023

Data Protection — In Detail

Legislation: UK General Data Protection Regulation (UK GDPR); Data Protection Act 2018

Enforced by: Information Commissioner's Office (ICO)

What it covers in hospitality: Employee data, customer booking information, CCTV footage, mailing lists, loyalty schemes, wi-fi login data, and any other personal data you hold.

What goes wrong: CCTV retention policies are vague or non-existent. Customer data from booking systems is kept indefinitely. Staff have access to personal data without training. Data breach procedures are not documented. Email marketing is sent without proper consent. Wi-fi login data is collected and shared with third parties without transparency.

Source: UK GDPR; ICO guidance for organisations

Equality and Accessibility — In Detail

Legislation: Equality Act 2010

Enforced by: Equality and Human Rights Commission; civil courts

What it actually requires: Reasonable adjustments to ensure people with disabilities can access your services. This is an anticipatory duty, meaning you should not wait for someone to ask. It goes beyond physical access to include providing accessible menus, installing hearing loops, staff training to assist customers with diverse needs, and accessible booking processes. Protection from discrimination for customers and staff based on all protected characteristics.

What goes wrong: Venues assume compliance means having a wheelchair ramp and an accessible toilet. The broader requirements around service delivery, communication, and staff behaviour are not addressed.

Source: Equality Act 2010; EHRC guidance for service providers

Sources and Further Reading

1. Office for National Statistics — Business demography, UK: 2025 — 176,685 hospitality businesses in the UK as of March 2025
2. House of Commons Library — Hospitality: statistics and policy — 99.6% of hospitality businesses are SMEs
3. CGA by NIQ — Hospitality Market Monitor, September 2025 — 99,296 licensed venues; 11 closures per week
4. Terrorism (Protection of Premises) Act 2025 — legislation.gov.uk

Chris Brown is the founder of VenueLinQ, a compliance platform built to help hospitality venues manage their full regulatory obligations in one place. He writes about compliance, technology, and the practical reality of running a safe venue. that carries real penalties, and most venue operators have never had to consider