Public sector security in 2026 sits at the intersection of more obligations, more scrutiny, and more complexity than at any previous point. The Procurement Act has reshaped how contracts are awarded. Chinese camera equipment has created a live compliance liability for most councils and NHS trusts. Martyn's Law is now on the clock. This guide covers the complete picture: the legislative framework, the technology, procurement routes, realistic budgets, and the Responsible Person checklist that protects you when the auditors arrive.
A private business that installs a CCTV system makes a commercial decision. A local authority, NHS trust, or government body that installs the same system is making a public decision. That distinction matters in ways that are not always obvious but affect almost every aspect of how security procurement should be approached.
Public sector security decisions must be defensible — capable of withstanding challenge from auditors, scrutiny committees, Freedom of Information requests, and judicial review. The basis on which a system was specified, the process by which a supplier was chosen, and the value for money the contract represents are all potentially subject to examination in ways that would never apply to a private organisation. A security purchase that cannot be explained and justified through a documented process is a liability regardless of how effective the system is technically.
They must be proportionate to risk and to public funds. The Section 151 officer's duty to ensure the lawful, proper and economic use of public money creates a framework that security investment must sit within. A technically excellent system at three times the price of an adequate alternative is not a good public sector procurement, however well the sales presentation went. The comparison must be total cost of ownership over the contract lifetime, not headline installation price.
They must navigate procurement rules that do not apply to private buyers. Above certain financial thresholds, contracts must be advertised publicly and awarded through a competitive process. Below those thresholds, documented justification for direct award is still required. Framework agreements exist to simplify this — but only if the organisation is eligible to use them and the supplier is on them.
And they must manage complexity at scale that most private organisations never face. A local authority may have hundreds of buildings on its estate. An NHS trust may run clinical, administrative, and residential facilities simultaneously. The security challenge is not a single site but an interconnected estate where decisions about monitoring, access, and incident response have to work consistently across very different building types, occupancy patterns, and risk profiles.
This guide addresses all of those dimensions. It is written for the people who carry the Responsible Person designation — facilities managers, estates directors, procurement officers, and the senior officers who sign off on what they recommend.
Public sector security sits within a layered legislative framework. No single law governs everything, and the interactions between them create obligations that are not always obvious from reading each one in isolation. Understanding the framework is the prerequisite for making good decisions within it.
The Procurement Act 2023 came into force on 24 February 2025, replacing the Public Contracts Regulations 2015 and establishing a single legal framework for the award of public contracts across England, Wales and Northern Ireland. It is the most significant reform of UK public procurement in a generation and it directly affects how every public sector organisation contracts for security services and systems.
For security procurement specifically, three changes matter most. First, the Act strengthens the duty on contracting authorities to consider whether barriers to SME participation can be removed. A facilities manager specifying a security contract that effectively excludes local and regional suppliers by setting unnecessarily high turnover thresholds or requiring national coverage when regional would suffice is now on weaker legal ground than they were under PCR 2015. Second, from 1 April 2026, all suppliers awarded below-threshold public sector contracts must register on the Central Digital Platform and obtain a unique supplier identifier. Any security supplier bidding for your work who is not registered is a risk. Third, the Act embeds social value considerations into the procurement lifecycle, not just the bid stage. Security contracts that include community benefit, local employment, or sustainability commitments are now expected to deliver and evidence them across the contract term.
The practical implication for estates teams is that procurement documentation for security contracts needs to be more thorough, not less, than under the old regime. The Act increases transparency, which means the audit trail matters more than ever.
Contracting authorities must have regard to the National Procurement Policy Statement, which includes targets for SME spend. Central government departments must set a three-year SME spend target from April 2025 and a two-year VCFSE spend target from April 2026. Local authorities and NHS bodies are expected to follow the same direction. When procuring security systems, consider whether your specification, threshold, and framework choice genuinely allow SME participation or whether they inadvertently exclude the suppliers most likely to provide local knowledge, faster response, and more flexible contract terms.
The Terrorism (Protection of Premises) Act 2025 received Royal Assent on 3 April 2025. The 24-month implementation period means the SIA begins enforcement in April 2027. Most public sector premises that can reasonably expect 200 or more people on site at any one time are within scope. Council buildings with public-facing services, NHS facilities with waiting rooms and outpatient departments, and leisure centres, libraries, and civic venues all fall into Standard Tier as a minimum. Larger venues with expected attendance of 800 or more fall into Enhanced Tier with additional obligations.
The Act's primary requirement is procedural rather than physical: documented public protection procedures covering evacuation, invacuation, lockdown, and communication. But as with schools, the physical infrastructure is what makes those procedures executable. An evacuation procedure that cannot be communicated site-wide instantly, or a lockdown that requires staff to manually secure dozens of doors, is a procedure that will fail under the pressure of a real incident. For detailed guidance on what Martyn's Law specifically requires and the April 2027 deadline, see the Martyn's Law guide for public sector organisations.
The Regulatory Reform (Fire Safety) Order 2005, abbreviated RR(FS)O, remains the primary fire safety legislation for non-domestic premises. The Responsible Person (typically the employer, building owner, or the person in control of the premises) must ensure a current fire risk assessment, a fire detection and alarm system that reflects its findings, and documented fire safety arrangements. These obligations have not changed. What has changed is the documentation standard.
Section 156 of the Building Safety Act 2022, which came into force in October 2023, amended the RR(FS)O to require Responsible Persons to record all findings from their fire risk assessment, not just significant ones. For public sector buildings this is a material change. Fire risk assessments that were previously summarised are now required to be recorded in full. Fire safety arrangements — how fire safety is managed on the premises — must also be formally documented. For multi-occupied or higher-risk buildings, this documentation must be shared with other Responsible Persons in the building.
From 6 April 2026, the Fire Safety (Residential Evacuation Plans) Regulations 2025 also require Responsible Persons to produce Personal Emergency Evacuation Plans for residents in buildings between 11 and 18 metres whose ability to self-evacuate is compromised. This is directly relevant to any public sector organisation managing social housing, NHS residential facilities, or sheltered accommodation.
The technical standard for fire detection and alarm systems is BS 5839-1:2025, which replaced the 2017 version on 30 April 2025. Any system designed, installed, or significantly modified after that date must comply with the current standard.
Every public sector organisation operating CCTV is a data controller processing personal data. UK GDPR and the Data Protection Act 2018 require a lawful basis for processing, a written CCTV policy, ICO-compliant signage, documented retention periods, and a process for handling Subject Access Requests. The Data (Use and Access) Act 2025 reinforced these obligations.
Public sector bodies are also subject to the Surveillance Camera Code of Practice, which is a statutory code issued under the Protection of Freedoms Act 2012. The Code sets 12 guiding principles covering purpose specification, necessity, proportionality, and community impact. While the Code does not override UK GDPR, it creates additional obligations for public bodies that do not apply to private sector CCTV operators. Any public sector CCTV system should be reviewed against both frameworks, not just one. A Data Protection Impact Assessment is required before deploying any system using AI analytics or processing biometric data.
This is the issue most public sector estates managers know about but have not fully resolved, and it deserves direct treatment. The majority of UK public sector CCTV infrastructure is built on equipment from Chinese manufacturers — primarily Hikvision and Dahua — that is now the subject of government guidance recommending its removal.
Research has found that 73% of UK local authorities were using Hikvision or Dahua equipment at the time of the government review. The Cabinet Office required removal from sensitive central government sites by April 2025. While that mandate does not yet extend by law to all local authorities and NHS estates, the National Protective Security Authority advises all public bodies to avoid surveillance systems from high-risk manufacturers and to review existing deployments. An organisation that continues to operate this equipment after the NPSA guidance, and suffers a data incident or security breach traceable to it, is in a significantly weaker position than one that has addressed the issue proactively.
The government's position, set out in the November 2022 Cabinet Office direction and reinforced by NPSA guidance, is that equipment made by companies subject to China's National Intelligence Law creates risks that cannot be fully mitigated through configuration or network isolation. That law can compel Chinese companies to share data with Chinese state intelligence agencies. A camera system that is physically isolated from the internet can still present risks through its management software, firmware update mechanism, and supply chain.
The practical questions for a public sector estates manager are these. First, does your current CCTV estate include Hikvision, Dahua, or other equipment from manufacturers subject to Chinese security laws? If you do not know the answer, your asset register is incomplete. Second, is any of that equipment connected to your corporate network or to systems handling sensitive data? Connection to departmental networks was specifically prohibited for central government in 2022 and the same principle should be applied across public bodies. Third, is there a documented plan and timeline for replacement? An organisation that has identified the risk and has a credible remediation plan is in a substantially better compliance position than one that has not acknowledged it.
Replacement does not have to happen overnight. A phased programme that prioritises the highest-risk sites first — those handling sensitive personal data, those with external network connectivity, those in buildings serving vulnerable populations — is both proportionate and defensible. What is not defensible is continued inaction after the NPSA guidance has made the risk explicit.
On the procurement implication: when replacing Chinese-manufactured equipment, your specification should explicitly require that cameras and recording equipment are manufactured by companies not subject to high-risk jurisdiction laws. NDAA compliance (the US National Defense Authorization Act standard) is one reference point, but it is not the UK government's standard. The NPSA guidance is the applicable reference for UK public sector procurement. Ask suppliers to confirm, in writing, the manufacturing origin and data sovereignty position of every product they propose.
Public sector CCTV sits at the intersection of a security requirement, a data protection obligation, a public accountability duty, and — for local authorities operating public space CCTV — a community safety function. Getting the specification right means addressing all four dimensions, not just the technical one.
The Surveillance Camera Code requires that every system has a documented purpose before it is installed. This is not a bureaucratic nicety. It is the legal foundation on which every other decision rests — camera placement, retention period, access controls, and AI analytics capability all flow from a clearly defined purpose. A system installed because "it seemed like a good idea" or "the previous council did it" is not compliant. The purpose must be specific, documented, and reviewed whenever the system is changed or its use extended.
Public sector estates typically require a tiered approach to CCTV coverage. Entry points and public-facing areas require coverage sufficient for facial identification — generally a camera resolution of 2MP or better at face height with adequate lighting. Car parks and perimeter areas require detection-level coverage. Server rooms, cash handling areas, and other sensitive locations require dedicated, higher-specification coverage with extended retention. Specifying every camera to the same standard is both unnecessary and expensive. A risk-led specification matches camera capability to the purpose and consequence of failure at each location.
The standard retention period for public sector CCTV footage is 31 days. Shorter retention periods reduce storage costs but reduce the system's utility for investigations, complaints processes, and insurance claims. Longer retention requires documented justification. For NHS facilities handling safeguarding-relevant footage, 31 days should be treated as a minimum rather than a default. Whatever period is chosen, it must be specified in your CCTV policy and the system must be configured to enforce it. Footage retained beyond the documented period without justification is a UK GDPR breach.
AI-powered analytics — facial recognition, crowd density monitoring, behaviour analysis, vehicle recognition — are increasingly available as standard features in modern camera systems. Public sector organisations should approach these features with particular caution. Facial recognition in public spaces is subject to significant legal uncertainty in the UK and several police forces that deployed it faced successful legal challenges. Crowd monitoring in leisure and civic settings raises proportionality questions under the Surveillance Camera Code. Every AI analytics feature that processes personal data requires a DPIA before deployment and must be covered in your CCTV policy. Enabling a feature because it is included in the system without documenting its use and legal basis is a compliance risk. For a detailed guide see the AI CCTV analytics guide and the CCTV data protection guide.
Public sector buildings are characterised by a complexity of access requirements that most private sector facilities never face. A civic centre may house a housing benefits team, a registrar's office, a council chamber, a public reception area, and a staff-only administration floor — all requiring different levels of access for different categories of person, changing throughout the day. An NHS building may serve patients, clinical staff, administrative staff, contractors, suppliers, and emergency services, each with different legitimate access patterns and different consequences if access controls fail.
A modern electronic access control system manages this complexity through credential-based permissions rather than physical keys. Staff hold credentials — cards, fobs, mobile devices, or biometric tokens — that are configured to allow access to specific areas during specific time periods. A cleaning contractor's credential allows access to office areas between 6am and 8am but not to the data centre at any time. A senior manager's credential allows access to all areas. An agency worker's credential expires automatically on their last day. All of this is managed from a central platform, with an audit log of every access event.
The advantages over mechanical keys for public sector estates are substantial. When a credential is lost, it is deactivated in seconds rather than requiring a lock change. When a member of staff leaves, their access is removed instantly rather than relying on key return. When a security incident is being investigated, the access log provides a time-stamped record of who was where and when. When a contractor requires temporary access, it is granted for exactly the period needed and expires automatically.
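The credential model described above can be made concrete with a small decision engine. The following is an added example, not code from this guide or from any access control product: the class names, zone labels, credential IDs and dates are all hypothetical. It shows default-deny evaluation of zone and time-window grants, automatic expiry, instant revocation, and an audit entry for every request, whether granted or denied.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple

ANY_ZONE = "*"  # hypothetical wildcard meaning "all areas"


@dataclass
class Grant:
    zone: str
    start: time = time.min   # window start, inclusive
    end: time = time.max     # window end, inclusive


@dataclass
class Credential:
    holder: str
    grants: List[Grant] = field(default_factory=list)
    last_valid_day: Optional[date] = None   # e.g. an agency worker's last day
    revoked: bool = False                   # set when a card or fob is lost


class AccessController:
    """Central platform: holds credentials and logs every access event."""

    def __init__(self) -> None:
        self.credentials: Dict[str, Credential] = {}
        self.audit_log: List[Tuple[str, str, str, str, str]] = []

    def enrol(self, cred_id: str, credential: Credential) -> None:
        self.credentials[cred_id] = credential

    def revoke(self, cred_id: str) -> None:
        # Takes effect on the next request; no lock change needed.
        self.credentials[cred_id].revoked = True

    def _decide(self, cred_id: str, zone: str, when: datetime) -> Tuple[bool, str]:
        cred = self.credentials.get(cred_id)
        if cred is None:
            return False, "unknown credential"
        if cred.revoked:
            return False, "credential revoked"
        if cred.last_valid_day is not None and when.date() > cred.last_valid_day:
            return False, "credential expired"
        for grant in cred.grants:
            if grant.zone in (zone, ANY_ZONE) and grant.start <= when.time() <= grant.end:
                return True, "grant matched"
        # Default deny: no explicit grant covers this zone at this time.
        return False, "no grant for zone and time"

    def request(self, cred_id: str, zone: str, when: datetime) -> bool:
        allowed, reason = self._decide(cred_id, zone, when)
        # Denials are logged too; they are often the useful rows in an investigation.
        self.audit_log.append(
            (when.isoformat(), cred_id, zone, "GRANT" if allowed else "DENY", reason)
        )
        return allowed


def build_demo() -> AccessController:
    """Constructed sample data mirroring the roles described in the text."""
    ctl = AccessController()
    ctl.enrol("C-CLEAN", Credential(
        "Cleaning contractor", [Grant("office", time(6, 0), time(8, 0))]))
    ctl.enrol("C-MGR", Credential("Senior manager", [Grant(ANY_ZONE)]))
    ctl.enrol("C-AGENCY", Credential(
        "Agency worker", [Grant("office", time(8, 0), time(18, 0))],
        last_valid_day=date(2026, 6, 12)))
    return ctl


if __name__ == "__main__":
    ctl = build_demo()
    ctl.request("C-CLEAN", "office", datetime(2026, 6, 10, 6, 30))
    ctl.request("C-CLEAN", "data_centre", datetime(2026, 6, 10, 6, 30))
    ctl.request("C-AGENCY", "office", datetime(2026, 6, 13, 10, 0))
    for row in ctl.audit_log:
        print(row)
```

When evaluating a real platform, the same behaviours are worth confirming in a demonstration: denied attempts appear in the log, expiry needs no manual action, and revocation applies at the next read.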
On contractor and visitor management: public sector organisations regularly have large numbers of contractors, maintenance teams, inspectors, and visitors on site. A visitor management system integrated with access control replaces paper sign-in books with a process that logs arrivals and departures, notifies hosts, enforces DBS check requirements for relevant visitors, and generates a real-time occupancy record. That record supports Martyn's Law invacuation planning, fire evacuation roll calls, and the duty-of-care obligations that arise whenever a member of the public is on your premises.
Public sector buildings are high-value targets. They hold cash, computer equipment, vehicles, tools, and in some cases controlled substances or sensitive documents. They are often large, complex to secure, and predictably unoccupied during evenings, weekends, and holiday periods. The combination of high value and predictable unoccupancy makes a properly specified and monitored intruder alarm one of the most cost-effective investments on the entire security estate.
Grade 2 intruder alarm systems are appropriate for most public sector office, civic, and administrative buildings. Grade 3 systems, which provide higher resistance to tampering and more sophisticated detection, are appropriate for higher-risk locations handling cash, controlled substances, or sensitive data. The grade specification should be driven by a site-specific risk assessment, not by the lowest price available.
Connection to a professional Alarm Receiving Centre with a police-response URN is the standard that public sector organisations should require. Unmonitored alarms or alarms connected to an ARC without police response capability are substantially less effective deterrents and produce worse outcomes when a genuine intrusion occurs. Remote video verification — where the ARC views camera footage to confirm an intrusion before calling police — dramatically reduces false alarm callouts and improves police response times when an alarm is genuine. This is the configuration worth specifying.
For NHS facilities and social care buildings, lone worker protection integrated with the alarm system provides an additional layer of staff safety that is both a welfare obligation and an increasingly common insurance requirement. Staff working alone in buildings outside normal hours should have a means of raising an alarm that reaches an ARC directly.
Fire system compliance for public sector organisations is governed by the RR(FS)O 2005, interpreted through BS 5839-1:2025 and the Building Safety Act 2022. The Responsible Person must ensure a written fire risk assessment is current, reviewed annually or when significant changes occur, and that the detection and alarm system reflects its findings.
The 2025 revision to BS 5839-1 introduced several changes of direct relevance to public sector estates managers. Fire-resistant cabling is now mandatory for all alarm circuits and mains supply cabling. Logbook requirements now specify that all deviations from the standard must be documented. Engineer competence requirements now include demonstrable ongoing CPD. For any system installed or significantly modified before April 2025, a review against the current standard is advisable before the next inspection.
The Building Safety Act Section 156 change is the most operationally significant recent development for public sector facilities teams. The requirement to record all fire risk assessment findings — not just significant ones — means that every item identified during an assessment, including minor observations and advisory notes, must now be in the documented record. This creates a more complete fire safety history of the premises and a more defensible audit trail, but it also means that assessments previously managed informally now require formal documentation. Estates teams whose fire risk assessments are managed through a spreadsheet or paper record rather than a dedicated system should review whether that approach remains adequate.
On higher-risk buildings: NHS facilities, social housing blocks, and any public sector building over 18 metres in height are subject to the Building Safety Act's higher-risk building regime, which requires registration with the Building Safety Regulator and the appointment of an Accountable Person. The security and fire systems in these buildings are subject to greater scrutiny and must be managed within a formal safety case framework. If your estate includes buildings in this category and you have not yet confirmed compliance with the higher-risk building requirements, this should be a priority for your legal team.
One of the most practical benefits available to public sector buyers that private sector organisations do not have is access to pre-competed procurement frameworks. A framework agreement is a contract awarded through an OJEU or Find a Tender process where a set of suppliers has already been evaluated, approved, and placed on a ranked or lot-based list. Contracting authorities can call off from a framework without running their own full tender, saving significant procurement time and cost while remaining fully compliant.
For security systems and services, several frameworks are relevant to different parts of the public sector. Understanding which ones you are eligible to use and which suppliers are on them is worth doing before you start any procurement.
Using a framework does not remove the need for a specification. Calling off from a framework without a clear scope, technical requirements, and evaluation criteria still produces poor outcomes and makes the resulting contract difficult to manage. The framework removes the advertising and competitive tender burden. The specification work remains your responsibility. For a guide to writing a security specification that produces comparable quotes see the security specification guide, which covers the principles that apply equally to public sector procurement.
Public sector security budgets are consistently under pressure, and the gap between what is needed and what is available is frequently used to justify deferring investment. The most useful counter to that argument is a total cost of ownership analysis that compares the five-year cost of adequate security provision against the five-year cost of incidents the investment prevents. Here are honest indicative ranges for South East England in 2026.
A standard CCTV installation covering the main public entrance, car park, and key perimeter points of a typical council building or health centre: £6,000 to £12,000 installed. A comprehensive estate-level system for a large civic building or NHS facility with full coverage, AI analytics, centralised management, and 31-day NVR storage: £30,000 to £70,000 installed. Annual maintenance contracts typically run at 10 to 15 per cent of installation cost. Where a Chinese equipment replacement programme is required, factor in the cost of new cameras, recabling where required, updated recording infrastructure, and decommissioning of legacy equipment.
A basic access control system covering the main entrance and key internal doors of a small public building: £8,000 to £15,000. A comprehensive multi-door system for a large multi-occupancy estate building with full integration, contractor management, and time-based permissions: £25,000 to £60,000. Annual software licences and maintenance add £2,000 to £6,000 per year depending on system scale.
A Grade 2 intruder alarm system for a single public sector office building: £3,000 to £7,000. For a large multi-building site: £10,000 to £25,000. Professional ARC monitoring with police-response URN: £400 to £800 per year. This remains one of the highest return-on-investment items in the public sector security budget relative to its cost.
A new Category L3 fire detection and alarm installation for a single public building: £5,000 to £15,000. For a large multi-building NHS or council estate: £20,000 to £60,000. Annual maintenance to BS 5839-1:2025: £1,000 to £4,000 depending on system size and number of buildings.
Security investment in the public sector is rarely approved on its own merits. It needs to be framed in the language the approving body uses: risk reduction, audit compliance, insurance implications, and cost avoidance. A single overnight break-in at a council facility costs an average of £18,000 to £35,000 when property damage, replacement costs, business disruption, staff time, and insurance excess are aggregated. A Martyn's Law compliance failure carries potential fines of up to £10,000 for Standard Tier premises and daily penalties of £500. A GDPR enforcement action arising from inadequate CCTV data governance can result in fines of up to £17.5 million or 4% of annual turnover for public sector bodies.
The security challenge for most public sector organisations is not managing one building well. It is managing fifty buildings consistently — with different ages, configurations, occupancy patterns, and risk profiles — from a central estates function that rarely has the resources the challenge requires.
The most effective approach is a tiered management model that distinguishes between active management (the things that require regular human attention) and passive monitoring (the things that can be handled by systems and escalated only when needed). A centralised video management platform that aggregates camera feeds from multiple sites and generates alerts only when AI analytics identifies genuine anomalies means that an estates manager can have real-time oversight of a 30-building estate without sitting in front of a bank of screens. A centralised access control platform means that credential management, time-based permissions, and entry logs for all sites are managed from a single interface.
Planned preventative maintenance contracts covering all security systems across the estate are more cost-effective than site-by-site arrangements and produce more consistent outcomes. A single PPM contractor who knows your estate, understands the inter-relationship between systems across sites, and has a defined response time for reactive callouts is worth more than several specialist contractors each managing one system. Integration between maintenance records, compliance documentation, and estates management systems reduces the administrative burden and produces the audit trail that internal and external scrutiny requires.
Holiday periods and building closures require specific attention. An estates manager responsible for 40 council buildings during the Christmas closure period needs a systematic checklist process, not a mental note. Each building should have a documented pre-closure security check, the monitoring centre should be notified of closure dates and any planned maintenance, and any outstanding remedial works from the last PPM visit should be resolved before the building is vacated for an extended period.
The questions below are the ones a Responsible Person, Section 151 officer, internal auditor, or CQC inspector may ask about your security provision. If any of them cannot be answered confidently and with supporting documentation, that is a gap that needs addressing.
A note on this guide: public sector security law and guidance changes regularly. The Procurement Act 2023 is still being fully implemented. Martyn's Law enforcement begins in April 2027. Building Safety Act requirements continue to be phased in. This guide reflects the position in June 2026 and will be reviewed annually. Verify legislative references against current versions before acting on them, and seek legal advice where specific compliance questions arise.
A free site survey gives you a clear, documented assessment of your current provision against each of these areas. We work across local authorities, NHS estates, housing associations, and government bodies throughout the South East, and we understand the procurement, compliance, and audit pressures that come with public sector work.