When a Legionella prosecution or an improvement notice reaches the trade press, the reflex in most estates teams is to read it as someone else’s bad luck and move on. That reflex is the weak point. The sharper question is not what the named duty holder did wrong — it is whether your own records would survive the same line of questioning on your worst week of the year.
Enforcement is not becoming more random. It is becoming more interested in evidence: in whether you can show control happening day to day, not just assert that it does. Read each case that way and the enforcement trends worth tracking stop reading like a threat and start reading like a list of things to go and check.
The reading that lets a team off the hook
The comfortable interpretation is that enforcement is a paperwork audit you pass by keeping a tidy binder. The slightly less comfortable one is that the named site got unlucky — a contractor slipped, a sample came back high, the inspector was in a mood.
Both readings share a flaw. They treat the outcome as the event. By the time a notice is served, the real failure usually happened months earlier and quietly: a control that drifted, a warning sign nobody owned, a remedial action logged but never closed — the quiet pattern behind most failed control plans (see Why Legionella control plans fail). The enforcement is just the moment that history became visible. Study only the outcome and you learn nothing you can carry back to your own site.
What is actually shifting
The rules themselves move slowly. L8 and HSG274 remain the core references for what competent control looks like [1][2], and the underlying duty has not changed: a foreseeable risk must be assessed, controlled, monitored and reviewed [3]. What has shifted is the weight placed on the word show.
Three currents are worth naming. First, risk assessment has hardened from a one-off document into a living judgement, with BS 8580-1 setting out what a competent assessment should actually contain [4]. Second, the centre of gravity is moving from reactive control toward planned, whole-system thinking — the water safety plan approach in BS 8680 is the clearest signal of that direction [5]. Third, “competent person” is no longer a label you award yourself; the Legionella Control Association’s code of conduct has become the practical shorthand for what a competent service provider is expected to demonstrate [6].
Put those together and the trend is not a fresh rule to comply with. It is a rising bar on what counts as proof. A folder that shows you bought a service is worth less than a thin file that shows you noticed a problem and dealt with it.
The four questions behind a notice
When you read an enforcement story — or pressure-test your own building — run it through four questions, in order. They are the questions the evidence ends up answering anyway.
- Was it foreseeable? Could a competent assessment have predicted this exposure: the low-use wing, the redundant calorifier, the cooling tower nobody flagged? Hindsight does not count. Foreseeability does.
- Was control proportionate and actually in place? Not “was there a scheme” but “was the scheme matched to the risk and running”. Monitoring and testing frequency, for instance, should follow the risk assessment rather than a comfortable default [2].
- Can you demonstrate it? Records have to show decisions and results, not just completed task boxes. “Temperature 48°C, below target, outlet isolated, raised to the responsible person, retested on the 22nd” demonstrates control. A green tick demonstrates that someone ticked.
- Was it closed? A defect found and fixed is control working. A defect found, logged and left open is the pattern that turns an inspection into a notice — and the one that keeps positive results coming back (that close-out gap is its own failure mode; see Failed remedial action close-out).
Any honest “no” is a fault to fix now, while it is cheap.
What nobody tells you about how a case unfolds
A few things about enforcement only become obvious once you have sat through one.
It rarely starts with a sample. The trigger is usually external — a reported case, a complaint from an occupant, a RIDDOR report, or an inspection prompted by activity in your sector — and the lab work comes afterward [7]. Chasing the perfect sample result while your trigger-side housekeeping is weak is optimising the wrong thing.
A clean recent sample protects you far less than people assume. Sampling verifies one outlet at one moment; it is not evidence that the regime works, and testing is meant to follow the risk assessment rather than stand in for control [8]. An out-of-range reading with a documented, dated response can show a functioning system better than a flawless certificate with no story behind it.
What escalates a defect is repetition, not severity. One missed flush is a slip. The same outlet missed for three months with no escalation is the evidence that management was not reviewing the evidence — and that is the finding inspectors care about most.
And some duties put you on the regulator’s radar before any inspection. Certain work-related Legionnaires’ cases are reportable under RIDDOR [7], and cooling towers or evaporative condensers must be notified to the local authority [9]. Getting either wrong invites scrutiny you could have avoided.
Where this leaves you
None of this needs a bigger budget or a new standard to chase. It needs reading enforcement trends as a mirror rather than a weather report.
One caveat, stated plainly: enforcement decisions rest with the regulator and turn on the specific facts of a site, so nothing here predicts how any particular case would be handled, and none of it is legal advice. Your own risk assessment, applied by a competent person, stays the authority on what your building actually needs.
The practical next step takes an afternoon. Pull the last out-of-range temperature, positive sample or missed task from the past twelve months, and trace it forward through the four questions above. If you cannot show, on paper, that someone noticed it, decided what to do, and closed it out, you have just found the gap an inspection would have found for you — only cheaper. Fix that one, then go and find the next.
FAQ
What usually brings a building’s water system to the regulator’s attention?
Often it is not a routine inspection. A reported or RIDDOR-relevant case, an occupant complaint, or attention on your sector tends to be the trigger, and the examination of your assessment, controls, monitoring and records follows from there [7]. Strong trigger-side habits — knowing your reporting duties and acting on complaints quickly — matter as much as the sampling does.
Do we have to report Legionnaires’ cases or notify our cooling towers ourselves?
Potentially yes on both. Certain work-related cases are reportable under RIDDOR [7], and cooling towers or evaporative condensers must be notified to the local authority [9]. Confirm exactly what applies to your site and circumstances rather than assuming someone upstream has already handled it.
If our sampling results are all clean, can we still face enforcement?
Yes. Sampling verifies specific outlets at a moment in time and is meant to support, not replace, control of temperature, stagnation and cleanliness, with testing following the risk assessment [8]. Enforcement looks at whether control is happening and demonstrable, so clean results with no underlying control story carry limited weight.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [4] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1 [5] BSI, “BS 8680:2020 - Water quality. Water safety plans. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-water-safety-plans-code-of-practice [6] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/ [7] HSE, “RIDDOR - Reporting of Injuries, Diseases and Dangerous Occurrences Regulations”. https://www.hse.gov.uk/riddor/ [8] HSE, “Testing and monitoring your water system for legionella”. https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm [9] HSE, “Other duties: RIDDOR and notification of cooling towers or evaporative condensers”. https://www.hse.gov.uk/legionnaires/what-you-must-do/duties.htm