Yes — if you control premises where people could be exposed to Legionella, UK law requires you to assess that risk. What trips people up is that no statute is called the “Legionella Act”. The duty is assembled from broader health-and-safety law, and the risk assessment everyone talks about is the first link in a longer chain, not the whole of it.
So the genuinely useful question isn’t “is it required?” It’s “what does meeting that duty look like in my building, and how would I show an inspector that I have?”
Where the duty actually comes from
Three pieces of legislation do the heavy lifting. The Health and Safety at Work etc. Act 1974 places a general duty on employers and people in control of premises to protect employees and anyone else who might be affected by what they do. The Control of Substances Hazardous to Health Regulations — COSHH — treat Legionella as a biological agent hazardous to health, which means you must assess and control exposure to it. And the requirement to carry out a risk assessment that is “suitable and sufficient” comes from the management regulations that underpin all of it.
On top of the law sits the Approved Code of Practice, L8 [1]. An ACoP carries particular legal weight: follow it and you are generally taken to have done enough; depart from it and you have to show you achieved compliance some other way. HSG274 is the technical detail behind L8 — the practical “how” of monitoring and control [2]. Together, L8 and HSE’s plain summary of what duty holders must do are the references an enforcing officer will measure you against [3].
What the law actually asks of the assessment
The legal test is short and unforgiving: the assessment has to be suitable and sufficient, and it has to stay current. That is it. There is no prescribed page count, no mandatory template, no government form to fill in.
“Suitable and sufficient” means the assessment reflects your actual system and how it is used — the stored water, the pipework, the outlets that barely get touched, the people who could breathe in an aerosol. BS 8580-1 is the recognised code of practice for how to carry one out properly [4]. It isn’t the law in itself, but it is the methodology a competent assessor works to, and the standard your work will be judged against if anything ever goes wrong.
The word people skip over is “current”. An assessment written for a building that has since been refurbished, repurposed or re-occupied no longer describes the risk in front of you. As far as the duty is concerned, an out-of-date assessment is close to having none at all.
How the duty lands in different buildings
The law is risk-based, so the same obligation looks very different depending on what you run.
A small, low-risk office still has to do it. HSE accepts that many simple premises will conclude their risk is low and already controlled — but “low risk” is a finding you reach by assessing, not an assumption you start from. You need the assessment, and you need to be able to produce it.
A residential landlord is squarely caught too. Landlords have a legal duty to assess and control Legionella risk in the properties they let, and this is one of the most misunderstood corners of the whole subject [5]. Notice what the duty is not: there is no statutory “Legionella certificate” a landlord must buy each year. The obligation is to assess, manage, and keep evidence of it.
A building with a cooling tower or evaporative condenser carries a further, separate duty: you must notify your local authority that the device exists, and certain cases and dangerous occurrences are reportable under RIDDOR [6]. That notification is easy to overlook precisely because it sits outside the risk-assessment paperwork entirely.
And if you bring in a contractor — which most organisations sensibly do — the duty does not transfer with the purchase order. You can appoint a competent person to carry out the assessment and the controls, but accountability stays with you as the duty holder. That means keeping enough competence in-house to choose a credible provider, brief them properly on the building, and challenge a report that doesn’t ring true.
What the rulebook doesn’t spell out
A few things sit between the lines of the guidance and catch people out more than any technical detail.
The risk assessment is the start of compliance, not the proof of it. Identifying the risk is a legal duty — but so is acting on what you find, monitoring it, and reviewing it. A spotless assessment on a shelf, with nothing happening underneath it, is a finding with no response, and that gap is the first thing an inspector tends to probe.
Doing it yourself is perfectly legal if you are genuinely competent — and competence is the catch. The duty quietly assumes you can recognise the limits of your own knowledge. Plenty of simple systems can be assessed in-house; the moment you are unsure whether something is a dead leg or whether a cylinder is reaching temperature, that uncertainty is itself telling you something.
There is no single document that “is” your compliance. People go hunting for the one certificate, the one report, the one tick that settles it. The duty is a chain — assess, control, monitor, record, review — and your defence is that chain being visibly joined up, with named people against each link.
A note on what this is, and isn’t
This is an editor’s plain reading of published HSE guidance, not legal advice. Whether your specific premises, tenancy or water system meets the duty is a judgement for a competent assessor who has actually seen the site, and enforcement calls ultimately rest with HSE and the courts. Use what follows to ask sharper questions, not as a ruling on your building.
Your next check
You don’t need a project to find out where you stand. Pull up your current Legionella risk assessment today and test it against three questions: what date does it carry; does it describe the building as it is now, not as it was at the last refit; and is there a named person responsible for acting on its findings? If any answer is missing, you have found the gap the law cares about most.
From there, the natural next moves are understanding what a competent assessment should contain — see Legionella risk assessment basics — and being clear on who actually carries the duty, set out in Duty Holder and Responsible Person roles.
FAQ
Is a Legionella risk assessment a legal requirement for a small business?
Yes. The duty applies regardless of how small the premises are. A simple assessment may well conclude the risk is low and already controlled, but you still have to carry it out, record that conclusion, and keep it current [3].
Is there an official Legionella certificate I can buy to prove compliance?
No. There is no statutory Legionella certificate in UK law. What the law expects is a suitable and sufficient risk assessment plus evidence that you are acting on it — monitoring, records and review — rather than a single badge or document [1].
How often does the law say the assessment must be redone?
There is no fixed legal interval. You review it at the frequency your own assessment sets, and sooner whenever the system, its use, the people exposed or your control evidence change [1]. An assessment that no longer matches the building is treated as out of date.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm
[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[4] BSI, “BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice”. https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
[5] HSE, “Legionella and landlords’ responsibilities”. https://www.hse.gov.uk/legionnaires/legionella-landlords-responsibilities.htm
[6] HSE, “Other duties: RIDDOR and notification of cooling towers or evaporative condensers”. https://www.hse.gov.uk/legionnaires/what-you-must-do/duties.htm