Security Intelligence

Security for the Hospitality Sector: Hotels and High-Risk Venues | CloseProtectionHire

Q: "What does Martyn's Law (Terrorism (Protection of Premises) Act 2024) require of hotels?"

"The Terrorism (Protection of Premises) Act 2024, commonly referred to as Martyn's Law, received Royal Assent on 3 April 2024. It creates two tiers of obligation based on venue capacity. Standard duty applies to venues with a capacity of 200-799 people: these venues must have a terrorism emergency plan and ensure staff are trained to respond to a terrorist attack. Enhanced duty applies to venues with a capacity of 800 or more people (or qualifying events with 800+ attendance): these venues must conduct a risk assessment for terrorism, have a security plan, and appoint a qualified security officer. For hotels, the capacity count includes all guests and staff present at one time. Many mid-size city hotels fall under Enhanced duty. The Security Industry Authority (SIA) is the designated regulator. Implementation guidance is available via the NPSA's ProtectUK platform. Non-compliance carries civil enforcement action and, for enhanced duty sites, potential criminal liability for responsible persons."

Q: "How should hotel staff be trained to respond to an active attack?"

"Hotel staff terrorism response training has two components: individual response (what each member of staff does to protect themselves) and organisational response (what the hotel does as an institution to protect guests and coordinate with emergency services). Individual response is covered by ACT Awareness (NaCTSO, free online ~45 minutes) -- recognition, Run-Hide-Tell, and reporting. Organisational response covers: who is responsible for calling emergency services, who manages the evacuation or lockdown decision, who communicates with guests and how, who provides floor plans to arriving police, and who manages the media and family liaison after an incident. This second layer requires a documented, tested emergency response plan -- not just individual ACT Awareness completion. NaCTSO offers a specific Protect and Prepare programme for larger venues. The ProtectUK platform provides free template plans and guidance for venues at both Standard and Enhanced duty tiers."

Q: "What security measures should hotels have in place to protect guests?"

"Minimum security standards for a city hotel serving business and corporate clients: CCTV coverage of all public areas, entrances, car parks, and back-of-house access points (BS 8418 standard in the UK; 30-day retention minimum for incidents). Access control for guest floors (key card only, no lift access without valid card). Visitor management for non-guest visitors (lobby reception protocol, no unescorted access to guest floors). Staffed front desk at all hours. Security personnel on site for larger properties -- a Security Manager and at least one officer on each shift. Staff trained in de-escalation of confrontational guests. Mail and package screening for large properties (see NPSA guidance). Night audit staff provided with a lone worker check-in protocol and a personal alarm. These are baseline standards -- higher-threat cities (Lagos, Nairobi, Karachi) require a significantly elevated posture."

Q: "What are the specific security risks for hotels in P1 cities?"

"Hotels in P1 high-risk cities face threats that UK and European hotels do not routinely encounter. In Nairobi, the DusitD2 attack (January 2019, 21 killed) demonstrated that international hotel properties are primary targets for Al-Shabaab attacks -- hotels with prominent international branding, accessible ground-floor entrances, and large public areas are higher-risk than properties with hardened access control. In Lagos, armed robbery targeting international hotel guests, particularly at arrival and departure, is documented in OSAC reporting. In Bogota and Mexico City, express kidnapping from hotel premises (following the guest from lobby to vehicle or targeting them during a taxi booking) is a recorded threat category. Hotel security managers in P1 cities should reference OSAC country-specific reports, engage with local police liaison, and ensure their access control and CCTV coverage is designed for the specific threat environment -- not transplanted from a European standard."

Q: "How does a hotel coordinate with a VIP guest's close protection team?"

"When a protected VIP -- a corporate principal with a CP team, a political figure, or a celebrity -- is scheduled to stay at a hotel, the hotel security team should establish contact with the advance CPO at least 48 hours before arrival. The hotel should designate a single point of contact for the protection team (typically the Security Manager or Duty Manager). Specific arrangements the hotel can provide: a dedicated entry/exit route for the VIP that avoids the public lobby, designation of a floor with restricted elevator access, advance inspection of the VIP's room by the CP advance team before the principal's arrival, removal of the VIP's name from public display at reception, control of who has access to the VIP's room key. The CP team should provide the hotel with a point of contact for emergency communication during the VIP's stay, an emergency contact outside the hotel, and advance notice of any unusual arrangements (large group, specific dietary security requirements, expected media interest)."

Hotel security from an industry perspective: staff safety, Martyn's Law compliance, VIP guest protocols, and active threat response planning for hospitality venues. Written for security managers and general managers.

4 May 2026

Written by James Whitfield, Senior Security Consultant

Speak to the Team

The security brief for a hotel security manager is different from the security brief for a hotel guest. A guest needs to know which floor to avoid, which exit to use in an emergency, and how to reach the CP team if needed. A hotel security manager needs to know how to protect 300 guests in a complex building across a twelve-hour shift, with minimal information about who they are, what their risk profiles are, and whether anyone is targeting them.

This guide is written for hotel security professionals, general managers with security responsibilities, and corporate security managers who need to understand the security standards they should expect when placing executives in hotels. It covers Martyn’s Law obligations, staff training, VIP coordination, P1 city threat profiles, and the transition-point vulnerabilities that account for most hotel security incidents.

Martyn’s Law: statutory obligations for hotel premises

The Terrorism (Protection of Premises) Act 2024 received Royal Assent on 3 April 2024 and applies to England and Wales. Scotland and Northern Ireland are consulting on equivalent legislation.

The Act creates two tiers of obligation based on venue capacity:

Standard duty (200-799 capacity): Venues must have a terrorism emergency plan and must ensure that staff receive terrorism awareness training adequate to respond to a terrorist attack. This is the minimum – ACT Awareness completion for all guest-facing staff is the practical implementation.

Enhanced duty (800+ capacity): Venues must conduct a terrorism risk assessment, develop and maintain a security plan, appoint a qualified security officer, and notify the SIA of their status. For hotels, the 800-person capacity threshold includes guests, staff, and any event attendees present at one time. A mid-size conference hotel with 400 rooms, a restaurant, and a conference suite can easily meet this threshold.

The Security Industry Authority (SIA) is the regulator. Non-compliance with enhanced duty provisions carries criminal liability for responsible persons. Implementation guidance, sector-specific tools, and template documents are available free at the NPSA’s ProtectUK platform (protectuk.police.uk).

For hotels that have not yet reviewed their obligations under the Act, the first step is a capacity audit to determine which duty tier applies, followed by a gap analysis against the Act’s requirements for that tier.

Guest and staff safety framework

The baseline security architecture for a city hotel operating in a normal-risk UK/European environment:

CCTV. Full coverage of public areas, all entrances and exits, car parks, and back-of-house access routes. UK standard is BS 8418 for CCTV and monitoring centres, with minimum 30-day footage retention for incident investigation. Camera placement should eliminate blind spots at all transition points.

Access control. Key card access to guest floors. No lift access to guest floors without a valid room key. Back-of-house areas closed to guests. Loading dock and service entrances controlled and monitored.

Visitor management. Non-guests arriving at reception are identified, their purpose recorded, and they are either met by a hotel contact or escorted. Unescorted access to guest floors is not permitted.

Staffing. A Security Manager on site for mid-size and larger properties. At least one security officer on each shift. All security staff trained to ACT Awareness standard minimum. Night audit staff provided with a lone worker check-in protocol and a personal alarm.

Mail and package screening. For larger properties, a documented mail and package intake protocol (NPSA guidance for suspicious packages applies). Unexpected deliveries are not accepted without verification.

Staff terrorism response training

ACT Awareness – the NaCTSO online course – gives individual staff members the Run-Hide-Tell framework. It is the correct starting point, but it is not an institutional response plan.

A hotel’s organisational terrorism response requires documentation of who does what during an incident:

Who calls emergency services, and from where? (Mobile, not the hotel PA system if a device is suspected.)

Who makes the lockdown vs evacuation decision? (This requires a clear, pre-agreed protocol – the wrong decision costs lives.)

Who communicates with guests and how? (PA system, floor-by-floor door-knock by security staff, in-room phone calls – each has limitations.)

Who provides floor plans to arriving police? (Pre-prepared laminated floor plans at the front desk, available for immediate handover to the first officer through the door.)

Who manages media and family enquiries after an incident? (A designated contact number, not the main reception line.)

These protocols should be documented, communicated to all staff, and tested in a tabletop exercise annually. NaCTSO’s Protect and Prepare programme provides structured support for larger venues. The ProtectUK platform has free template plans for both Standard and Enhanced duty sites.

VIP guest security coordination

When a protected principal is scheduled to stay – a CEO with a CP team, a government minister, a celebrity – coordination between the hotel security team and the principal’s protection operation is a security function, not a hospitality one.

The advance CPO should contact the hotel Security Manager at least 48 hours before the principal’s arrival. The hotel should designate a single security point of contact for the duration of the VIP’s stay.

Standard coordination elements:

Designated arrival and departure route that avoids the public lobby where possible
Floor access restricted to pre-identified individuals (key card control or manual management)
VIP room advance inspection by the CP team before the principal’s arrival
Principal’s name removed from public-facing displays (reception screen, room booking board)
Pre-agreed emergency communication method between CP team and hotel security

The hotel’s concierge and guest relations team should not be the coordination point for these arrangements. When security requirements are routed through hospitality staff, they are typically interpreted as requests rather than operational requirements and are partially fulfilled or overridden by competing hospitality priorities.

P1 city hotel security context

International hotel brands operating in P1 cities implement a global security standard as a minimum. That standard is designed for normal-risk markets. The local threat environment in Lagos, Nairobi, Bogota, Mexico City, and Karachi requires measures above and beyond the global baseline.

In Nairobi, the DusitD2 attack (January 2019, al-Shabaab, 21 killed) targeted an international hotel complex with a mixed commercial and leisure profile. The attack methodology – vehicle bomb at the perimeter followed by a gunman assault through the public areas – exploits the open-access model that international hotels use to attract local and business clientele. Vehicle access control, perimeter hardening, and armed response capability are security requirements in Nairobi, not optional enhancements.

In Lagos, OSAC reports document armed robbery targeting arriving international guests, particularly at the kerbside arrival moment. Secure vehicle access into a controlled drop-off area (not the open public street), uniformed security at the entrance, and car park control are minimum requirements.

In Bogota and Mexico City, express kidnapping operations that begin with the targeting of hotel guests (observed in the lobby, followed to the vehicle) require hotels to manage their lobby as an intelligence environment – security personnel should be trained to identify surveillance behaviour in addition to responding to overt incidents.

For the guest-facing perspective on hotel security in high-risk cities, see our hotel security for business travellers guide. For the corporate security manager’s framework for selecting and using hotels in P1 cities, see our pre-travel risk assessment guide. For hotels and hospitality venues that operate late-night licensed premises – bars, nightclubs, and entertainment venues with SIA Door Supervisor requirements, Licensing Act 2003 licence conditions, and Martyn’s Law obligations – see our security for alcohol and nightlife venues guide.

Sources

Terrorism (Protection of Premises) Act 2024, UK Parliament, Royal Assent 3 April 2024. NPSA: ProtectUK Platform – Venue Security Guidance and Template Plans, National Protective Security Authority, 2024. NaCTSO: Protect and Prepare Programme, National Counter Terrorism Security Office, 2024. OSAC: Nigeria Security Report 2024, Kenya Security Report 2024, Colombia Security Report 2024. Control Risks: Hotel and Hospitality Sector Security Briefing 2025. SIA: Licensing and Enforcement Updates, Security Industry Authority, 2024. GardaWorld: Hospitality Sector Security Standard Review 2024. ASIS International: Protection of Assets – Hospitality Chapter, 2024.

Summary

Key takeaways

Martyn's Law creates a statutory terrorism preparedness obligation for most city hotels

The Terrorism (Protection of Premises) Act 2024 is not theoretical -- it creates enforceable obligations for venue operators from April 2024, with compliance timelines for each duty tier set by secondary legislation. For hotels, the question is not whether the Act applies but which duty tier they fall into. Security managers who have not reviewed their property against the Act's requirements should do so now. The NPSA ProtectUK platform provides free guidance, template plans, and sector-specific tools.

ACT Awareness is the floor, not the ceiling, of staff terrorism preparedness

ACT Awareness gives staff the individual response framework. It does not give the hotel an organisational response capability. A hotel that has completed ACT Awareness training for all staff but has no tested emergency response plan, no designated emergency responder, and no protocol for communicating with guests during a lockdown has met the minimum individual training standard but has not built an institutional response capability. The two are not the same.

VIP coordination is a security function, not a hospitality function

Hotels with significant corporate and VIP traffic should have a documented protocol for VIP security coordination that sits with the Security Manager, not with the guest relations or concierge team. The decision about which room, which access route, and what access control measures apply to a protected VIP is a security decision. When it is delegated to hospitality staff without security training, the outcome is typically that the VIP's presence is announced at reception, their floor is identified on the lift display, and their protection team's advance requirements are treated as hospitality requests.

Hotel security in P1 cities requires city-specific threat assessment, not transplanted standards

A hotel security standard developed for a European city hotel does not account for the threat profile in Lagos, Nairobi, or Bogota. The access control design, the guard deployment model, the vehicle access management, and the staff communications protocol all need to reflect the actual threat environment. An international hotel brand's global security standard is a minimum -- the local security assessment determines what additional measures are required above that standard.

The transition between public and private space is the highest-risk moment in a hotel

Most hotel security incidents -- robbery, sexual assault, targeted attack -- occur at the transition points: arrival and departure at the main entrance, movement between lobby and lift, car park access. These are the moments when guests are identifiable, their status is visible (business luggage, expensive clothing, arriving from the airport), and the hotel's security posture is at its most permeable. Access control, staffing, and CCTV coverage should be heaviest at these points, not in guest corridors where incidents are less frequent.

FAQ

Frequently Asked Questions

The Terrorism (Protection of Premises) Act 2024, commonly referred to as Martyn’s Law, received Royal Assent on 3 April 2024. It creates two tiers of obligation based on venue capacity. Standard duty applies to venues with a capacity of 200-799 people: these venues must have a terrorism emergency plan and ensure staff are trained to respond to a terrorist attack. Enhanced duty applies to venues with a capacity of 800 or more people (or qualifying events with 800+ attendance): these venues must conduct a risk assessment for terrorism, have a security plan, and appoint a qualified security officer. For hotels, the capacity count includes all guests and staff present at one time. Many mid-size city hotels fall under Enhanced duty. The Security Industry Authority (SIA) is the designated regulator. Implementation guidance is available via the NPSA’s ProtectUK platform. Non-compliance carries civil enforcement action and, for enhanced duty sites, potential criminal liability for responsible persons.

Hotel staff terrorism response training has two components: individual response (what each member of staff does to protect themselves) and organisational response (what the hotel does as an institution to protect guests and coordinate with emergency services). Individual response is covered by ACT Awareness (NaCTSO, free online ~45 minutes) – recognition, Run-Hide-Tell, and reporting. Organisational response covers: who is responsible for calling emergency services, who manages the evacuation or lockdown decision, who communicates with guests and how, who provides floor plans to arriving police, and who manages the media and family liaison after an incident. This second layer requires a documented, tested emergency response plan – not just individual ACT Awareness completion. NaCTSO offers a specific Protect and Prepare programme for larger venues. The ProtectUK platform provides free template plans and guidance for venues at both Standard and Enhanced duty tiers.

Minimum security standards for a city hotel serving business and corporate clients: CCTV coverage of all public areas, entrances, car parks, and back-of-house access points (BS 8418 standard in the UK; 30-day retention minimum for incidents). Access control for guest floors (key card only, no lift access without valid card). Visitor management for non-guest visitors (lobby reception protocol, no unescorted access to guest floors). Staffed front desk at all hours. Security personnel on site for larger properties – a Security Manager and at least one officer on each shift. Staff trained in de-escalation of confrontational guests. Mail and package screening for large properties (see NPSA guidance). Night audit staff provided with a lone worker check-in protocol and a personal alarm. These are baseline standards – higher-threat cities (Lagos, Nairobi, Karachi) require a significantly elevated posture.

Hotels in P1 high-risk cities face threats that UK and European hotels do not routinely encounter. In Nairobi, the DusitD2 attack (January 2019, 21 killed) demonstrated that international hotel properties are primary targets for Al-Shabaab attacks – hotels with prominent international branding, accessible ground-floor entrances, and large public areas are higher-risk than properties with hardened access control. In Lagos, armed robbery targeting international hotel guests, particularly at arrival and departure, is documented in OSAC reporting. In Bogota and Mexico City, express kidnapping from hotel premises (following the guest from lobby to vehicle or targeting them during a taxi booking) is a recorded threat category. Hotel security managers in P1 cities should reference OSAC country-specific reports, engage with local police liaison, and ensure their access control and CCTV coverage is designed for the specific threat environment – not transplanted from a European standard.

When a protected VIP – a corporate principal with a CP team, a political figure, or a celebrity – is scheduled to stay at a hotel, the hotel security team should establish contact with the advance CPO at least 48 hours before arrival. The hotel should designate a single point of contact for the protection team (typically the Security Manager or Duty Manager). Specific arrangements the hotel can provide: a dedicated entry/exit route for the VIP that avoids the public lobby, designation of a floor with restricted elevator access, advance inspection of the VIP’s room by the CP advance team before the principal’s arrival, removal of the VIP’s name from public display at reception, control of who has access to the VIP’s room key. The CP team should provide the hotel with a point of contact for emergency communication during the VIP’s stay, an emergency contact outside the hotel, and advance notice of any unusual arrangements (large group, specific dietary security requirements, expected media interest).

Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.