Security Intelligence

Hostile Vehicle Mitigation for Executives and Events | CloseProtectionHire

Q: "What is hostile vehicle mitigation and when does it apply to corporate security planning?"

"Hostile vehicle mitigation (HVM) is the security discipline covering the design, installation, and management of physical or procedural measures that prevent an unauthorised vehicle reaching a target person or building. The vehicle-as-weapon threat emerged as a dominant attack methodology after 2016, when the Islamic State issued operational guidance directing supporters to use vehicles against crowds. Before that date, vehicle-borne threats in Western Europe were primarily associated with PIRA vehicle-borne IEDs -- a very different threat requiring a different response. The ramming variant requires no bomb, no weapons supply chain, and no technical skill beyond the ability to drive. HVM applies to corporate security planning whenever a principal, venue, or premises faces a realistic vehicle attack scenario. In practice this covers: public-facing venues with significant footfall (Martyn's Law enhanced duty applies at 800+ capacity); executive offices in high-profile city-centre locations; event security operations where crowds assemble in accessible public space; and residential security for executives at elevated personal threat levels. Threat assessment must precede any HVM specification -- the vehicle threat must be judged realistic before resources are committed to physical barrier solutions."

Q: "What happened at Nice, Berlin, and Westminster, and what do these attacks demonstrate about the vehicle-as-weapon methodology?"

"Nice, 14 July 2016: Mohamed Lahouaiej-Bouhlel drove a 19-tonne refrigerated truck for 2 kilometres along the Promenade des Anglais during the Bastille Day fireworks display, killing 86 people and injuring 458. The French Senate Commission report of 2016 identified that the vehicle exclusion zone was incomplete, that access control had not been enforced at the point of attack, and that no physical barrier covered the approach road. Berlin Christmas Market, 19 December 2016: Anis Amri drove a stolen Scania truck into the Breitscheidplatz market, killing 12 and injuring 56. The market had no vehicle barrier at any perimeter entry point. The German Bundestag inquiry of 2017 noted that markets nationally had not updated threat assessments after Nice. Westminster Bridge, 22 March 2017: Khalid Masood drove a hired Hyundai Tucson onto the pavement, killing 4 pedestrians and then fatally stabbing PC Keith Palmer at the Houses of Parliament. The Home Office CONTEST 2018 review identified that vehicle barrier infrastructure at the bridge approach would have prevented the pedestrian fatalities. These three attacks share a single common factor: an unguarded vehicular approach. HVM planning must close that gap. The attack methodology is low-cost, low-skill, and high-lethality. Incomplete mitigation -- gaps in barrier lines or unenforced exclusion zones -- provides the same protection as no mitigation."

Q: "What do IWA 14-1:2013 and PAS 170:2023 certify, and what should buyers understand about these standards?"

"IWA 14-1:2013 (Vehicle security barriers -- Performance requirements, International Workshop Agreement, BSI/ISO) defines the test methodology for permanent vehicle security barriers: the impact tests, test vehicles, energy absorption requirements, and pass criteria. A product certified to IWA 14-1 has been independently tested at a specified vehicle weight, speed, and impact angle. The ratings are expressed as vehicle class (V/7200: 7,200 kg; V/2500: 2,500 kg) and speed (30, 48, 64, or 80 km/h). PAS 68:2013 is the predecessor specification, referenced in many legacy installations; IWA 14-1 is the current standard for new permanent procurement. PAS 170:2023 (Publicly Available Specification: Temporary hostile vehicle mitigation -- Requirements and guidance, BSI) covers the market in temporary products: water-filled barriers, sand-filled units, and interlocking concrete systems. PAS 170 provides performance ratings for temporary products and deployment guidance including spacing, anchoring, approach angles, and gap management. The critical buyer point for both standards: certification rating applies at a specific test condition. A bollard rated for 7,200 kg at 48 km/h provides no certified data for a heavier vehicle or higher speed. NPSA ProtectUK's HVM Guide 2024 sets out a product selection process based on threat assessment -- matching the selected product's certified performance to the realistic threat vehicle and speed, not simply purchasing any certified product."

Q: "How does Martyn's Law (Terrorism (Protection of Premises) Act 2024) create HVM obligations for venue operators?"

"The Terrorism (Protection of Premises) Act 2024 -- Martyn's Law -- establishes two tiers of obligation for publicly accessible locations. The Standard Tier (200-799 capacity) requires a Terrorism Protection Plan addressing evacuation, invacuation, shelter, and lockdown procedures. The Enhanced Tier (800+ capacity) requires a TPP plus documented security measures proportionate to the premises' risk profile. For Enhanced Tier venues, the security measures must address the attack methodologies relevant to the specific premises. The NPSA ProtectUK guidance for Martyn's Law 2024 explicitly identifies vehicle attacks as a threat category that Enhanced Tier operators must assess where vehicular approach routes to the premises are accessible. Venue operators who have not conducted an HVM threat assessment must do so as part of their compliance programme. The Act received Royal Assent in April 2025; a commencement timetable for full implementation has been published. The compliance obligation applies to the venue operator, not the building owner -- event organisers using enhanced tier venues should confirm that the host venue's Martyn's Law compliance covers the specific event configuration, including any externally positioned crowd queues or ticketing areas."

Q: "What HVM options are available for temporary events and corporate premises that cannot install permanent infrastructure?"

"The temporary HVM product market has expanded significantly since 2017. The primary certified product categories under PAS 170:2023 are: water-filled modular barriers (filled on-site, deployed in interconnected arrays, rated performance for specified test conditions); sand-filled units (denser and lower-profile, used where aesthetics matter); and interlocking concrete units (most robust, used for high-threat or extended deployments). The critical deployment variable for all temporary systems is gap management. A vehicle can exploit any gap between units wider than the vehicle track. Deployment plans must specify unit spacing (typically no greater than 750mm for pedestrian access), corner configurations, and terminus designs that close exploitation angles. Gaps for emergency vehicle access must be actively managed -- staffed control points or removable units with a documented access protocol. Corporate premises that cannot install permanent bollards due to landlord restrictions or heritage listing have two options: temporary deployments during elevated threat periods, or surface-mounted permanent systems that attach to existing paving without sub-surface groundwork. NPSA ProtectUK maintains a list of evaluated HVM products that have been independently tested. Specifying from this list is the standard due diligence approach for security managers. For event-specific HVM integrated with crowd management and emergency response planning, see our [event security planning guide](/blog/event-security-planning-guide/). For corporate premises security incorporating HVM within a wider physical security framework, see our [corporate offices and workplaces security guide](/blog/security-corporate-offices-workplaces/)."

Security guide to hostile vehicle mitigation. Covers Nice 2016, Berlin 2016, Westminster 2017, IWA 14-1:2013, PAS 170:2023, NPSA 2024 guidance, and Martyn's Law obligations for venue operators.

12 May 2026

Written by James Whitfield, Senior Security Consultant

Speak to the Team

Vehicle-borne attacks have killed more people in Western European cities since 2016 than any other single attack methodology. Nice, Berlin, Westminster, Barcelona, Stockholm: in each case, a driven vehicle, a crowd, and an unguarded approach. The attack requires no weapons, no bomb-making knowledge, no supply chain. Low-cost, low-skill, and high-lethality – and the countermeasure is a physical one: close the approach.

Hostile vehicle mitigation (HVM) is the security discipline that addresses this threat. It covers the design, installation, and operational management of barriers, exclusion zones, and access control measures that prevent an unauthorised vehicle reaching its target. For corporate security managers, event planners, and residential security teams, HVM is now standard in the threat assessment process.

The Attack Record

Nice, 14 July 2016. Mohamed Lahouaiej-Bouhlel drove a 19-tonne refrigerated truck for 2 kilometres along the Promenade des Anglais during the Bastille Day fireworks display. 86 killed, 458 injured. The French Senate Commission report (2016) identified: incomplete vehicle exclusion zone, unenforced access control at the attack point, and no physical barrier on the approach road.

Berlin, 19 December 2016. Anis Amri drove a stolen Scania truck into the Breitscheidplatz Christmas market. 12 killed, 56 injured. No vehicle barrier at any perimeter entry point. The Bundestag inquiry (2017) noted that markets nationally had not updated threat assessments after Nice.

Westminster Bridge, 22 March 2017. Khalid Masood drove a hired Hyundai Tucson onto the pavement, killing 4 pedestrians and then fatally stabbing PC Keith Palmer. The Home Office CONTEST 2018 review identified that vehicle barrier infrastructure at the bridge approach would have prevented the pedestrian fatalities.

Each attack exploited an unguarded vehicular approach. All three were executed with hired or stolen vehicles requiring no modification. The Islamic State operational guidance that drove this wave explicitly cited the simplicity of the methodology: any vehicle, any crowd, any gap in perimeter control.

The Standards Framework

IWA 14-1:2013 (Vehicle security barriers – Performance requirements, BSI/ISO) is the primary international standard for permanent vehicle security barrier testing. Certification means the product has been independently tested at a defined vehicle weight, speed, and impact angle. Ratings: test vehicle class (V/7200: 7,200 kg; V/2500: 2,500 kg) and speed (30, 48, 64, 80 km/h). PAS 68:2013 is the superseded predecessor standard – still referenced in legacy installations; IWA 14-1 is the current specification for new permanent procurement.

PAS 170:2023 (Temporary hostile vehicle mitigation – Requirements and guidance, BSI) covers the growing temporary product market: water-filled barriers, sand-filled units, interlocking concrete systems. It provides performance ratings for these products and deployment guidance on spacing, anchoring, gap management, and approach angles.

The NPSA ProtectUK HVM Guide 2024 integrates threat assessment, product selection against these standards, and deployment planning. It maintains a list of NPSA-evaluated products independently tested to current standards.

Permanent versus Temporary HVM

Permanent installations suit fixed venues, corporate headquarters, and infrastructure sites: in-ground bollards (retractable for access control, fixed for perimeter protection), surface-mounted shallow-foundation systems, security planters and hostile street furniture rated under IWA 14-1, and vehicle blockers at access gates.

Temporary deployments are standard for events, elevated threat periods, and premises where permanent installation is not feasible. Water-filled and sand-filled barrier systems under PAS 170:2023 provide genuine certified protection when deployed correctly. The consistent failure mode is gap management – any gap wider than a vehicle track is an exploitation opportunity. Deployment plans must specify unit spacing, corner configurations, and how gaps required for pedestrian or emergency vehicle access are staffed and controlled.

Corporate Applications

Corporate headquarters. A city-centre office with pavement or plaza frontage may be accessible to a vehicle from an adjacent road. Vehicle entry control – retractable bollards at vehicle access points, fixed barriers at pedestrian approaches – is the standard mitigation. The threat assessment must consider ideologically motivated attack and grievance-driven attack from individuals connected to the organisation.

Events and hosted functions. Corporate events in publicly accessible venues require the same HVM assessment as any event. A product launch on a public plaza, a corporate hospitality event in a marquee, or a conference at a hotel with street-level access all fall within scope.

Executive residential protection. For principals at elevated personal threat levels, vehicle intrusion as a precursor to physical attack is a documented threat pattern. The residential perimeter security assessment must include vehicular approach analysis.

For event security operations where HVM integrates with crowd management and emergency response, see our event security planning guide. For corporate premises security incorporating HVM within a broader physical security framework, see our corporate offices and workplaces security guide.

For hostile vehicle and convoy security in the upstream oil and gas context – Iraq field convoy protocols, West Africa armed escort arrangements, ISPS Code for offshore installations, and the ASIS 2012 guideline for armed security contractor management – see our oil and gas upstream security guide.

James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, event security, and physical security design.

Summary

Key takeaways

Nice 2016 killed 86 people because a vehicle exclusion zone was incomplete -- the attack cost the perpetrator almost nothing to execute

The Nice attack required a hired refrigerated truck, a publicly accessible seafront promenade during a national holiday, and an incomplete vehicle exclusion zone with unenforced access control at the point of attack. No weapons were prepared in advance. The French Senate Commission report identified that security resources had been concentrated at the fireworks viewing area, not the approach road, and that vehicular access to the Promenade had not been physically controlled. Incomplete HVM -- gaps in barrier lines, unenforced exclusion zones, barriers covering only part of the approach -- provides the same protection as no HVM at all.

IWA 14-1 certification states the test condition, not blanket protection -- match the rating to the realistic threat vehicle and speed

A bollard or barrier certified to IWA 14-1 has been tested at a specific vehicle weight and speed. That certification does not extend to a heavier vehicle or higher speed. Security managers specifying HVM products must start with a threat assessment that defines the realistic attack vehicle and approach speed at the specific location, then select products whose certified performance encompasses that threat. Purchasing the cheapest IWA 14-1 certified product is not appropriate if the realistic threat vehicle exceeds the test condition.

Temporary HVM under PAS 170:2023 can provide certified protection at events -- but gap management is the deployment failure mode

Water-filled, sand-filled, and interlocking concrete temporary barriers have performance ratings under PAS 170:2023. They can provide genuine vehicle mitigation at events without permanent infrastructure. The failure mode is consistently gap management: units that are not properly interconnected, or that leave exploitation gaps at pedestrian or emergency access points, provide no mitigation at those points. Deployment planning must specify unit spacing, corner designs, terminus management, and the staffing protocol for any gap that must remain open during the event.

Martyn's Law Enhanced Tier venues (800+ capacity) must document their assessment of the vehicle attack threat -- this is now a statutory obligation

The Terrorism (Protection of Premises) Act 2024 requires Enhanced Tier venues to produce documented security measures proportionate to their risk profile. NPSA guidance identifies vehicle attacks as one of the threat categories to be assessed where vehicular access to the venue exists. Venue operators who have not conducted a formal HVM threat assessment should commission one as part of their Martyn's Law compliance work. The assessment must be documented and reviewed against current NPSA guidance.

Advance work at events must include vehicular access control -- physical barriers do not substitute for an enforced vehicle exclusion plan

Physical barriers are one component of a vehicle security plan. The others are advance work, access control staffing, and contingency management. The advance operative identifies all vehicular access points to the event perimeter, confirms which are controlled and how, verifies that vehicle exclusion zones are enforced at all times, and confirms the emergency vehicle access protocol. The Nice attack exploited a gap in enforcement, not a gap in the physical plan. Security planning must treat access control as an operational function requiring staffing, not only a physical installation.

FAQ

Frequently Asked Questions

Hostile vehicle mitigation (HVM) is the security discipline covering the design, installation, and management of physical or procedural measures that prevent an unauthorised vehicle reaching a target person or building. The vehicle-as-weapon threat emerged as a dominant attack methodology after 2016, when the Islamic State issued operational guidance directing supporters to use vehicles against crowds. Before that date, vehicle-borne threats in Western Europe were primarily associated with PIRA vehicle-borne IEDs – a very different threat requiring a different response. The ramming variant requires no bomb, no weapons supply chain, and no technical skill beyond the ability to drive. HVM applies to corporate security planning whenever a principal, venue, or premises faces a realistic vehicle attack scenario. In practice this covers: public-facing venues with significant footfall (Martyn’s Law enhanced duty applies at 800+ capacity); executive offices in high-profile city-centre locations; event security operations where crowds assemble in accessible public space; and residential security for executives at elevated personal threat levels. Threat assessment must precede any HVM specification – the vehicle threat must be judged realistic before resources are committed to physical barrier solutions.

Nice, 14 July 2016: Mohamed Lahouaiej-Bouhlel drove a 19-tonne refrigerated truck for 2 kilometres along the Promenade des Anglais during the Bastille Day fireworks display, killing 86 people and injuring 458. The French Senate Commission report of 2016 identified that the vehicle exclusion zone was incomplete, that access control had not been enforced at the point of attack, and that no physical barrier covered the approach road. Berlin Christmas Market, 19 December 2016: Anis Amri drove a stolen Scania truck into the Breitscheidplatz market, killing 12 and injuring 56. The market had no vehicle barrier at any perimeter entry point. The German Bundestag inquiry of 2017 noted that markets nationally had not updated threat assessments after Nice. Westminster Bridge, 22 March 2017: Khalid Masood drove a hired Hyundai Tucson onto the pavement, killing 4 pedestrians and then fatally stabbing PC Keith Palmer at the Houses of Parliament. The Home Office CONTEST 2018 review identified that vehicle barrier infrastructure at the bridge approach would have prevented the pedestrian fatalities. These three attacks share a single common factor: an unguarded vehicular approach. HVM planning must close that gap. The attack methodology is low-cost, low-skill, and high-lethality. Incomplete mitigation – gaps in barrier lines or unenforced exclusion zones – provides the same protection as no mitigation.

IWA 14-1:2013 (Vehicle security barriers – Performance requirements, International Workshop Agreement, BSI/ISO) defines the test methodology for permanent vehicle security barriers: the impact tests, test vehicles, energy absorption requirements, and pass criteria. A product certified to IWA 14-1 has been independently tested at a specified vehicle weight, speed, and impact angle. The ratings are expressed as vehicle class (V/7200: 7,200 kg; V/2500: 2,500 kg) and speed (30, 48, 64, or 80 km/h). PAS 68:2013 is the predecessor specification, referenced in many legacy installations; IWA 14-1 is the current standard for new permanent procurement. PAS 170:2023 (Publicly Available Specification: Temporary hostile vehicle mitigation – Requirements and guidance, BSI) covers the market in temporary products: water-filled barriers, sand-filled units, and interlocking concrete systems. PAS 170 provides performance ratings for temporary products and deployment guidance including spacing, anchoring, approach angles, and gap management. The critical buyer point for both standards: certification rating applies at a specific test condition. A bollard rated for 7,200 kg at 48 km/h provides no certified data for a heavier vehicle or higher speed. NPSA ProtectUK’s HVM Guide 2024 sets out a product selection process based on threat assessment – matching the selected product’s certified performance to the realistic threat vehicle and speed, not simply purchasing any certified product.

The Terrorism (Protection of Premises) Act 2024 – Martyn’s Law – establishes two tiers of obligation for publicly accessible locations. The Standard Tier (200-799 capacity) requires a Terrorism Protection Plan addressing evacuation, invacuation, shelter, and lockdown procedures. The Enhanced Tier (800+ capacity) requires a TPP plus documented security measures proportionate to the premises’ risk profile. For Enhanced Tier venues, the security measures must address the attack methodologies relevant to the specific premises. The NPSA ProtectUK guidance for Martyn’s Law 2024 explicitly identifies vehicle attacks as a threat category that Enhanced Tier operators must assess where vehicular approach routes to the premises are accessible. Venue operators who have not conducted an HVM threat assessment must do so as part of their compliance programme. The Act received Royal Assent in April 2025; a commencement timetable for full implementation has been published. The compliance obligation applies to the venue operator, not the building owner – event organisers using enhanced tier venues should confirm that the host venue’s Martyn’s Law compliance covers the specific event configuration, including any externally positioned crowd queues or ticketing areas.

The temporary HVM product market has expanded significantly since 2017. The primary certified product categories under PAS 170:2023 are: water-filled modular barriers (filled on-site, deployed in interconnected arrays, rated performance for specified test conditions); sand-filled units (denser and lower-profile, used where aesthetics matter); and interlocking concrete units (most robust, used for high-threat or extended deployments). The critical deployment variable for all temporary systems is gap management. A vehicle can exploit any gap between units wider than the vehicle track. Deployment plans must specify unit spacing (typically no greater than 750mm for pedestrian access), corner configurations, and terminus designs that close exploitation angles. Gaps for emergency vehicle access must be actively managed – staffed control points or removable units with a documented access protocol. Corporate premises that cannot install permanent bollards due to landlord restrictions or heritage listing have two options: temporary deployments during elevated threat periods, or surface-mounted permanent systems that attach to existing paving without sub-surface groundwork. NPSA ProtectUK maintains a list of evaluated HVM products that have been independently tested. Specifying from this list is the standard due diligence approach for security managers. For event-specific HVM integrated with crowd management and emergency response planning, see our event security planning guide. For corporate premises security incorporating HVM within a wider physical security framework, see our corporate offices and workplaces security guide.

Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.