Ask most duty holders what non-compliance costs and they reach straight for the fine. It is the wrong anchor. A court penalty is the least predictable line on the page, it only lands if a prosecution actually runs, and it is rarely the biggest number once everything else is added up. The expensive part of getting Legionella control wrong is the stack of costs that arrive together, often long before anyone sees a courtroom, and most of that stack is avoidable for a fraction of its total.
So the question worth asking finance is not “what is the worst-case fine?” It is “what does weak control actually cost us, and what does it cost to close the gap?” Separate those two numbers and the spending decision tends to make itself.
The legal backdrop, briefly
Legionella control sits under the Health and Safety at Work etc. Act 1974 and the Control of Substances Hazardous to Health Regulations, with the working detail in HSE’s Approved Code of Practice L8 and the technical guidance HSG274 [1][2]. HSE’s own summary of the duty is plain enough: identify and assess sources of risk, manage them, prevent or control them, keep records, and meet other relevant duties [3].
L8’s status is the part that bites on cost. As an Approved Code of Practice it carries particular legal weight — if you are prosecuted over a breach and did not follow the relevant ACoP guidance, you have to show you achieved an equivalent standard some other way [1]. That is why “we had a folder” and “we can prove control” are not the same sentence. The first is paperwork; the second is a defence. For the underlying duties and who carries them, UK Legionella compliance 101 sets out the framework this article puts a price on.
Where the bill actually comes from
The cost of getting it wrong is not one invoice. It arrives in four streams, and they do not wait their turn.
- Enforcement cost. An improvement notice gives you a deadline to fix a failing. A prohibition notice stops you using a system immediately, which turns a paperwork problem into an operational one overnight. At the serious end sits prosecution. HSE can also recover the cost of its time when it identifies a material breach, so an inspector’s visit can quietly become your invoice. None of these figures is fixed in advance, which is exactly why budgeting around “the fine” is guesswork.
- Civil and human cost. This is the one that should sit at the top. Legionnaires’ disease is a serious, sometimes fatal pneumonia [4], and UKHSA records and investigates cases in England and Wales every year [5]. If a case is linked to your system, personal-injury claims can follow, and a work-related case is also where RIDDOR reporting and a formal investigation begin [6]. The harm to a person is the real story; the claim is just its financial shadow.
- Commercial cost. Emergency disinfection and remedial works at short notice cost far more than the same work planned. Add system or building downtime, a failed pre-acquisition or pre-let water survey that stalls a sale, and lost tenders where evidence of compliance is a straight pass-or-fail gate. Plenty of large clients now ask for your water-safety records before they sign anything. No records, no contract.
- Reputational cost. The slow one. It outlasts the fine and the remediation, it is the hardest to put a figure on, and that difficulty is precisely why people leave it out of the business case. Leaving it out does not make it zero.
The decision rule that falls out of this is simple to say and useful to apply: spend first wherever a gap both raises real exposure and weakens your proof of control. A neglected low-use shower fails on both counts at once. A third annual sample on an outlet that is already self-flushing through constant use fails on neither, so it is rarely your priority pound.
Why the cheap side is so cheap
Planned control is bounded and predictable. It is the risk assessment and its reviews, routine temperature monitoring, flushing of low-use outlets, cleaning and descaling, sampling where the assessment calls for it, training, and the records that tie all of it to named people and dates. You can forecast that spend to the month.
The non-compliance stack is the opposite: unbounded and correlated. When it goes wrong, several of those streams hit in the same fortnight. Buying off an unbounded, correlated risk with a bounded, predictable spend is one of the better trades available to a facilities team.
Two moves give the most cover for the money. First, make the evidence continuous rather than annual — a survey that lives on a shelf ages badly, and the gap between “assessed once” and “controlled now” is where liability collects, which is the argument Beyond the survey makes in full. Second, appoint competent help and keep the trail: using a service provider registered with the Legionella Control Association supports the competence test [7]. Just remember that appointing a contractor does not transfer the duty. You can delegate the task; the accountability and the oversight stay with you.
Putting the number to finance
Take it upstairs as two figures, not a horror story. On one side, the bounded annual cost of planned control. On the other, the unbounded and correlated cost of a failure that lands all at once. Make the point that monitoring frequency is set by the risk assessment, not chosen to hit a budget line [2] — so cutting it back is not a saving, it is a decision to carry unquantified risk. And name the cheapest insurance you own: records that genuinely prove control, because good evidence shortens or deflects almost every cost above it.
A note on figures and the law
This is general guidance, not legal advice. Penalties, enforcement decisions and whether a particular case is reportable all turn on the specific facts, and what controls and evidence your site actually needs is settled by a competent, site-specific risk assessment — not by an article. Do not budget against a number you found online, and where a real legal question is live, take proper advice rather than guessing from guidance pages.
FAQ
Can we be prosecuted even if nobody fell ill?
Yes. The duties are about controlling risk, so a serious failure to assess or control your water systems can attract enforcement without a single confirmed case of illness [3]. Harm makes a case worse; its absence does not make non-compliance lawful.
Do we have to report a Legionnaires’ case to anyone?
Potentially, yes. A work-related case of legionellosis can be reportable under RIDDOR, and clinical cases are notified to and investigated by the public health authorities [6]. The wrong instinct is to sit on it and hope; check the reporting position early.
Does using an external contractor move the legal risk off us?
No. You can delegate the work, not the duty. You remain responsible for appointing competent people, briefing them properly and checking what they actually did, and choosing an LCA-registered provider helps you evidence that competence [7][3].
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm
[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[4] NHS, “Legionnaires’ disease”. https://www.nhs.uk/conditions/legionnaires-disease/
[5] UKHSA, “Legionellosis in residents of England and Wales: 2024”. https://www.gov.uk/government/statistics/legionellosis-in-residents-of-england-and-wales-2024/legionellosis-in-residents-of-england-and-wales-2024
[6] HSE, “RIDDOR - Reporting of Injuries, Diseases and Dangerous Occurrences Regulations”. https://www.hse.gov.uk/riddor/
[7] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/