Search for “the Legionella law” and you will not find a single act with that name. The duties come from general health and safety law, aimed at water systems, and they land on whoever controls the building. Grasp that one fact and the rest is detail.

That “whoever” is usually you: the employer, the landlord, the managing agent, the person in day-to-day control of the premises. The law does not ask whether you meant well. It asks whether you understood your water system, did something proportionate about the foreseeable risk, and can show it.

None of what follows is legal advice, and it is not a stand-in for a competent assessment of your own site. It is the shape of the rules and who they fall on. The exact duties that bite at your building, and the evidence that discharges them, come out of your own risk assessment.

What the law actually asks of you

HSE boils the core duty down to five things: identify and assess the sources of risk, manage that risk, prevent or control it, keep the right records, and meet a few other specific duties [1]. Everything else in Legionella compliance is machinery built to do those five things and prove them.

Underneath sit two pillars of UK law. The Health and Safety at Work etc. Act 1974 places a general duty on employers and those in control of premises to protect anyone who could be affected by the work. The Control of Substances Hazardous to Health Regulations, COSHH, then treat Legionella as a biological hazard you must assess and control like any other [1]. The Approved Code of Practice, ACoP L8, sets out how regulators expect you to do that, and HSG274 fills in the technical detail on hot and cold water, cooling systems and other plant [2][3].

So compliance is not a certificate you obtain. It is a duty to manage a risk, continuously, and to keep the proof.

Duty holder or responsible person: who is actually on the hook

Two roles get muddled constantly, and the difference matters most when something goes wrong.

The duty holder carries the legal accountability. That is the organisation or person in control of the premises: the employer, the landlord, sometimes the managing agent under contract. The buck stops here.

The responsible person is the competent individual the duty holder appoints to take day-to-day charge of the control scheme, managing the monitoring, the records, the contractors and the remedial actions [2]. They might be in-house or external. What they cannot be is a name on a form who never sees the system.

Here is the line people miss. You can hand the work to a specialist contractor, and many duty holders should. You cannot hand over the accountability. If you appoint someone, you still need enough competence to brief them, judge their results, and challenge them when something looks off. Outsourcing the task is not outsourcing the duty.

What the law won’t spell out for you

The official guidance is strong on what to do and quiet on a few things that trip people up. These are worth knowing before an inspector, or an incident, teaches them the hard way.

  • There is no Legionella licence to earn. Nobody signs you off as compliant for the year. The duty is ongoing, and the question is always whether control was genuinely in place on the day in question.
  • ACoP L8 has teeth beyond ordinary guidance. It carries a special legal status: if you are prosecuted and shown not to have followed it, you must prove you controlled the risk in some equally effective way, or a court can find you at fault [2].
  • The law judges evidence, not intentions. A thick folder of policies proves nothing on its own. What counts is the record of temperatures taken, outlets flushed, exceptions chased and faults fixed: the trail that shows the scheme was actually followed.
  • Small and domestic premises are not exempt. There is no floor-area cut-off. Landlords of residential lets carry duties too, scaled to the risk, and “it’s only a house” is not a defence [4].
  • There are quieter duties bolted on. Cooling towers and evaporative condensers must be notified to the local authority, and a diagnosed case linked to your premises can trigger reporting under RIDDOR [5]. These sit outside the day-to-day routine and are easy to forget until the moment they apply.

Your first two checks

You do not need a full management system by Friday. You need to settle two questions: who is the duty holder for this building, in writing, and is there a current, site-specific risk assessment behind whatever is already being done.

If both are clear, read the assessment against reality. Does the named responsible person recognise it, and do the records show the controls actually happening? If the duty holder is vague, or the assessment is missing or stale, that is the first gap to close, because every other duty hangs off it. “Legionella risk assessment basics: what it is and why you need it” walks through what a sound risk assessment contains, and “ACoP L8: understanding the UK Legionella Code of Practice” unpacks how ACoP L8 expects you to act on it.

FAQ

Is there one specific UK law about Legionella?

No. The duties flow from the Health and Safety at Work etc. Act 1974 and the COSHH Regulations, with ACoP L8 as the approved code and HSG274 as the technical guidance [1][2][3]. There is no standalone Legionella Act and no compliance certificate to collect.

If I pay a contractor to handle it, am I legally covered?

Not on its own. You can delegate the work, but the legal accountability stays with the duty holder. You still have to appoint a competent provider, understand what they report, and act on it, which is why the law expects the duty holder to keep enough oversight to challenge the people doing the work [2].

Do small businesses and private landlords really have to comply?

Yes. There is no exemption for small or domestic premises. Landlords of residential properties hold duties proportionate to the risk, and most lower-risk homes need a sensible assessment and basic controls rather than elaborate testing [4].

Sources

[1] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm
[3] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm
[4] HSE, “Legionella and landlords’ responsibilities”. https://www.hse.gov.uk/legionnaires/legionella-landlords-responsibilities.htm
[5] HSE, “Other duties: RIDDOR and notification of cooling towers or evaporative condensers”. https://www.hse.gov.uk/legionnaires/what-you-must-do/duties.htm