The Management of Health and Safety at Work Regulations 1999 (MHSWR) are the regulations that convert the general duties in the Health and Safety at Work Act 1974 into specific management arrangements UK employers have to put in place. They require every employer to carry out risk assessments, appoint competent persons, provide training, set up emergency procedures, give workers health and safety information, and cooperate with other employers sharing a workplace. MHSWR applies to almost every UK workplace and to virtually every employer with at least one employee. The regulations are made under HSWA 1974 and are enforced by HSE and local authorities. The 14 main regulations between them define what “managing health and safety” actually means in legal terms — making MHSWR the most-cited regulation in UK workplace H&S enforcement.
The Health and Safety at Work Act 1974 says employers must ensure, so far as is reasonably practicable, the health and safety of their employees. It does not say how. The Management of Health and Safety at Work Regulations 1999 fill that gap. MHSWR is the regulation that operationalises the parent Act — defining the management arrangements an employer has to put in place to meet the Section 2 duty in real terms.
This guide explains what MHSWR requires, who it applies to, what each of the main duties means in practice, and how the regulations connect to the rest of the UK H&S framework. It’s written for UK employers, managers and people new to H&S responsibility — not for lawyers or H&S specialists.
What is MHSWR 1999?
MHSWR is a set of regulations made under Section 15 of the Health and Safety at Work Act 1974. The regulations were first introduced in 1992 to implement the EU Framework Directive (89/391/EEC) on workplace health and safety, and were re-enacted in 1999 with revisions. The 1999 version remains in force and has been amended in places since.
MHSWR applies to almost every workplace in Great Britain, regardless of sector or size. The regulations are enforced by the Health and Safety Executive (HSE) and local authorities, with the same enforcement powers and penalties available as under the parent Act. Breach is a criminal offence; the burden of proof is reversed in the same way as under HSWA, meaning once the prosecution has established that a duty applied and was not met, the defendant must prove that compliance was not reasonably practicable.
The most-cited reason MHSWR matters is that it is the regulation under which most UK employers are first prosecuted. Section 2 of HSWA is the foundational duty, but Section 2 is broad — HSE typically frames specific charges around the precise MHSWR regulation that was breached, because MHSWR’s duties are concrete enough to evidence in court.
The 14 main regulations and what they require
MHSWR contains 30 regulations in total but the core duties on employers sit in regulations 3 to 22. The most important are summarised below in the order they typically come up in workplace practice.
Regulation 3 — Risk Assessment
Every employer must carry out a “suitable and sufficient” assessment of the risks to the health and safety of employees and to anyone else affected by their work activities. Risk assessment is not optional, not informal, and not a one-off exercise — it has to be done, recorded (where the employer has five or more employees), reviewed when circumstances change, and acted on.
For the practical methodology behind this duty, see our 5 Steps to Risk Assessment guide, which walks through the HSE-recommended approach. Most prosecutions for MHSWR breach turn on Regulation 3 — either no assessment was done, or the assessment that was done failed to identify a foreseeable risk.
Regulation 4 — Principles of prevention
Where preventive and protective measures are needed, the employer must apply them in line with a hierarchy of control set out in Schedule 1 to the regulations. The hierarchy in summary: avoid risks where possible; evaluate those that can’t be avoided; combat risks at source; adapt work to the worker; adapt to technical progress; replace dangerous with non- or less-dangerous; develop a coherent prevention policy; prioritise collective protection over individual protection; give appropriate instructions to workers.
This hierarchy is what’s behind the “PPE is the last line of defence” principle that runs through UK workplace safety culture — it’s not a slogan, it’s a legal requirement under Schedule 1.
Regulation 5 — Health and safety arrangements
Every employer must make and give effect to appropriate arrangements for the planning, organisation, control, monitoring and review of preventive and protective measures. Employers with five or more employees must record those arrangements in writing.
This is the “management system” duty — what HSG65 (HSE’s Plan-Do-Check-Act framework) and ISO 45001 are designed to satisfy. The arrangements don’t have to follow a specific framework but they have to demonstrate a structured approach to managing H&S over time.
Regulation 6 — Health surveillance
Where the risk assessment identifies that workers are exposed to identifiable health risks where surveillance would detect harm at an early stage, the employer must provide appropriate health surveillance. This typically applies to occupational noise, vibration, hazardous substances, ionising radiation, and lead.
Regulation 7 — Health and safety assistance (the competent person duty)
Every employer must appoint one or more competent persons to assist them in undertaking the measures needed to comply with H&S requirements. “Competent” means having sufficient training, experience, knowledge and other qualities to be able to advise the employer properly.
For most small-to-medium employers, this is the single regulation most likely to surface in a compliance review. The competent person can be an employee or an external consultant; for organisations without in-house H&S expertise, retaining external advisory support to satisfy Regulation 7 is the standard route. Our advisory service can serve as the competent person under Regulation 7 for organisations without internal H&S resource.
Regulation 8 — Procedures for serious and imminent danger
Every employer must establish procedures to be followed in the event of serious and imminent danger to people at work, including arrangements for evacuation. Workers must be informed of the procedures, trained on them, and able to stop work and proceed to safety if there is serious and imminent danger.
This is the regulation that requires fire evacuation procedures, lockdown procedures, and emergency response plans. It’s also the regulation that gives workers the legal right to leave a workplace they reasonably believe to be dangerous.
Regulation 9 — Contacts with external services
Employers must arrange necessary contacts with external services, particularly first aid, emergency medical care, and rescue. For most workplaces this is straightforward (designated first aiders, contact with the emergency services); for higher-risk environments it can require pre-arranged liaison with fire and rescue or specialist medical providers.
Regulation 10 — Information for employees
Workers must be given comprehensible and relevant information on the risks identified, the preventive and protective measures, the procedures for serious and imminent danger, and the identity of the competent persons. The information has to be in a form workers can actually understand — including consideration of language, literacy, and any disability that affects comprehension.
Regulation 11 — Cooperation and coordination between employers
Where two or more employers share a workplace, each has to cooperate with the others on H&S compliance, coordinate their measures, and inform the others (and the others’ workers) of risks arising from their own work activities. This regulation is heavily relied on in construction, in shared office buildings, and in any setting where contractors and the host employer’s staff work alongside each other.
Regulation 12 — People working in host employers’ undertakings
Where workers from outside undertakings come into a host employer’s premises, the host has to give them comprehensible information on the risks they may be exposed to and the protective measures in place. This is the regulation that underpins site induction for contractors and visitors.
Regulation 13 — Capabilities and training
Every employer must take account of the capabilities of employees regarding H&S in entrusting tasks, and must provide adequate H&S training when employees start work, when their job changes, when new technology or equipment is introduced, and on a refresher basis where needed. Training has to be repeated periodically and adapted to take account of new or changed risks.
Regulation 13 is the legal basis for almost all UK workplace H&S training. It’s also the regulation that supports the case for refresher cycles — “training has to be repeated periodically” is a direct legal requirement, not a best-practice suggestion.
Regulation 14 — Employees’ duties
Employees have to use machinery, equipment, dangerous substances, transport, safety devices and PPE in accordance with the training and instructions given. They have to inform their employer of any work situation they reasonably consider to be a serious and immediate danger, and of any matter they consider represents a shortcoming in the protective arrangements. This regulation works alongside Section 7 of HSWA 1974 in defining employee duties.
Regulations 16–19 — Protection of new and expectant mothers and young persons
Specific assessment and protection requirements apply where the workforce includes pregnant workers, new mothers, or young persons (under 18). The risk assessment under Regulation 3 has to consider these groups specifically; particular hazards (lead, ionising radiation, certain chemical agents, heavy manual handling) require specific measures or restrictions.
How MHSWR 1999 fits with HSWA 1974
MHSWR is the operational regulation under HSWA. The relationship runs as follows:
| Layer | What it does |
|---|---|
| HSWA 1974 Section 2 | Sets the goal — ensure, so far as is reasonably practicable, the health, safety and welfare of employees |
| MHSWR 1999 | Defines the management arrangements that satisfy Section 2 in practice — risk assessment, competent person, training, emergency procedures, etc. |
| Hazard-specific regulations (COSHH, CDM, Working at Height, etc.) | Define the specific controls required for specific hazards once they’re identified through MHSWR Regulation 3 |
Most workplace H&S compliance turns on the relationship between these three layers. MHSWR sits in the middle — it’s where the abstract HSWA duty becomes concrete management practice, before the hazard-specific regulations add further detail for specific risks.
For the wider regulatory picture, see our guide to the Health and Safety at Work Act 1974.
Common compliance failures
The four most common reasons UK employers fall short of MHSWR in HSE enforcement experience:
- Risk assessment that’s generic rather than workplace-specific — Regulation 3 requires a “suitable and sufficient” assessment, and template assessments unmodified for the actual workplace routinely fail this test in court
- No identifiable competent person — Regulation 7 is unambiguous, and the competent person has to actually exist and be capable of advising the employer, not just be named on paper
- Training that’s been delivered once and never refreshed — Regulation 13 explicitly requires periodic refresh, and a workforce trained five years ago for tasks that have changed since is not training-compliant
- Cooperation failures in shared workplaces — Regulation 11 is breached most often where contractors and host employers operate in parallel without genuine coordination, and these breaches are typically only exposed after an incident
Frequently asked questions
What does MHSWR stand for?
The Management of Health and Safety at Work Regulations 1999. The regulations are sometimes also abbreviated to “the Management Regulations” in HSE publications.
Who does MHSWR 1999 apply to?
Almost every UK employer, the self-employed in respect of their own activities, and (through Regulation 14) employees. The regulations apply across virtually all sectors and to organisations of all sizes.
What’s the difference between HSWA 1974 and MHSWR 1999?
HSWA 1974 is the parent Act that sets out general duties in plain terms. MHSWR 1999 is the regulation made under HSWA that operationalises Section 2 by requiring formal risk assessments, written arrangements, competent persons, training, and emergency procedures. HSWA sets the goal; MHSWR specifies the management framework.
Do small employers have to comply with MHSWR?
Yes — MHSWR applies to virtually all employers regardless of size. The only size-related distinction in the regulations is that employers with five or more employees must record their risk assessment and their H&S arrangements in writing. The duties themselves apply to all employers.
Who can be a “competent person” under Regulation 7?
Anyone with sufficient training, experience, knowledge and other qualities to advise the employer properly on the H&S measures the workplace requires. The competent person can be an employee (with appropriate training) or an external consultant (engaged on a retained or project basis). Regulation 7 prefers internal appointment where possible but does not require it.
How often does training have to be repeated under Regulation 13?
The regulations don’t specify a fixed interval. They require training to be repeated “periodically where appropriate” — the appropriate interval depends on the risk, the rate of change in equipment or procedures, and the rate of skill decay. Industry-standard refresher cycles (e.g. 3 years for IOSH Managing Safely, 1–3 years for first aid depending on the qualification) are usually treated as the minimum reasonable interval.
What are the penalties for breaching MHSWR?
The same penalties apply as for breach of HSWA itself — unlimited fines in either court, and up to 12 months’ imprisonment in the magistrates’ court or up to 2 years in the Crown Court. Sentencing Council guidelines apply, and large-organisation defendants in serious cases can face fines well into seven figures.
How does MHSWR connect to ISO 45001?
ISO 45001 is the international standard for occupational H&S management systems. Implementing ISO 45001 will, if done well, satisfy the management-system duties in MHSWR Regulation 5 and the Plan-Do-Check-Act expectations behind it. ISO 45001 certification is not legally required — MHSWR compliance is — but the standard is a recognised route to demonstrating that the management arrangements are real and structured.
Where to learn more
Practical compliance with MHSWR is built through training, structured management arrangements, and competent advice. KeyOstas offers options at every level:
- IOSH Working Safely — entry-level course covering employee duties (Regulation 14) and basic hazard awareness
- IOSH Managing Safely — 3-day course for managers and supervisors covering risk assessment, the competent person duty, and the management framework
- Risk Assessment Training — practical 1-day course focused specifically on Regulation 3 compliance
- NEBOSH National General Certificate — Level 3 qualification covering MHSWR in depth alongside the parent Act and the wider regulatory framework
- KeyOstas Advisory Service — can act as competent person under Regulation 7 for organisations without internal H&S resource, or support existing in-house teams
For the wider regulatory picture, see our guide to the Health and Safety at Work Act 1974, our 5 Steps to Risk Assessment guide for Regulation 3 in detail, and our specific guides on COSHH, CDM 2015 and Working at Height for the hazard-specific regulations that sit alongside MHSWR. Or call us on +44 (0) 3300 569534 to discuss training, consultancy, or compliance support.
Word count: ~2,500