Do I Need a Legionella Risk Assessment? Who Must Comply and When
Published 28 March 2026 · Last reviewed 14 March 2026
The short answer: in almost all cases, yes. If you are responsible for a building with a water system in the UK and other people occupy or work in it, you are likely to need a legionella risk assessment. Genuine exceptions exist (see below) but they are uncommon.
Here is a building-by-building breakdown of who needs one, who does not, and what triggers the requirement.
The legal trigger
The requirement comes from the Health and Safety at Work etc. Act 1974 and the Control of Substances Hazardous to Health Regulations 2002 (COSHH). These apply to anyone who is:
- An employer with premises containing a water system, or
- A person in control of premises (landlords, building managers, facilities managers)
ACoP L8 is the Approved Code of Practice that specifies how to comply with these duties in relation to legionella.
Do I need one? Quick reference
| Building type | Need a risk assessment? | Notes |
|---|---|---|
| Rental property (single let) | Yes | Landlord is the duty holder |
| HMO | Yes | Higher risk — shared facilities, tenant turnover |
| Care home | Yes | Higher risk — vulnerable occupants |
| Dental or GP practice | Yes | Aerosol generation during procedures |
| Hotel or B&B | Yes | Seasonal occupancy creates stagnation risks |
| School | Yes | Holiday closures create stagnation risks |
| Office building | Yes | Employer duty under COSHH |
| Shop or retail unit | Yes | If it has a water system (even just a toilet and sink) |
| Owner-occupied home | No | No duty holder/tenant relationship. You manage your own risk. |
| Building with no water system | No | Extremely rare — most buildings have at least cold water |
If your building has hot and cold water and someone other than you occupies or works in it, you need a risk assessment.
Common misconceptions
"My property is low risk, so I don't need one"
Low risk does not mean no risk. Even a simple flat with a combi boiler and no stored water has some risk — a shower that creates aerosols, an unused second bathroom, pipework running through warm spaces. The assessment may be brief and the conclusion may be "low risk, minimal controls needed" — but the assessment itself must exist.
"I need a legionella certificate"
There is no such thing as a legionella certificate in UK law. Unlike gas safety (which requires an annual Gas Safety Certificate from a Gas Safe registered engineer), legionella compliance is based on a risk assessment and ongoing records — not a one-off certificate. HSE confirms this explicitly.
"I need to hire a specialist"
Not necessarily. HSE confirms that landlords of simple domestic water systems can carry out their own risk assessment if they are competent. For standard residential properties (combi boiler or stored cylinder, no cooling tower, no complex distribution), a competent landlord can self-assess.
"Legionella testing is legally required"
Routine microbiological testing (sampling water for legionella bacteria) is not required for standard domestic hot and cold water systems. Testing is only needed in specific circumstances — usually for larger or complex systems, or after a positive sample or incident. What IS required is the risk assessment and ongoing temperature monitoring.
What triggers a NEW assessment
You need a fresh risk assessment (not just a review) when:
- You acquire a property with no existing assessment
- A property is newly built or substantially refurbished
- The water system is significantly modified (new storage, new distribution, new outlets)
- The previous assessment is lost or was never documented
For review triggers on an existing assessment, see our guide to risk assessment review frequency.
What happens if you do not have one
Enforcement follows a ladder:
- Informal advice — an inspector tells you to get one done
- Improvement notice — formal requirement to produce a risk assessment within a specified timeframe
- Prosecution — fines and imprisonment under health and safety legislation, with penalties reflecting the severity of the breach
The absence of a risk assessment is not, by itself, a criminal offence — but it is strong evidence of non-compliance if a tenant falls ill or an inspector investigates.
Getting started
For landlords and building managers of standard properties, the process is:
- Assess — use LegioLog's Risk Assessment Template Generator to create a building-specific template
- Document — complete the assessment, sign, date, and set a review date
- Monitor — start the ongoing temperature checks and flushing schedule. Use the Temperature Compliance Checker and Flushing Schedule Calculator to set up your routine.
For the full regulatory background, see our ACoP L8 and HSG274 guide.
This guide covers legionella risk assessment requirements under UK health and safety law. This is general compliance guidance, not legal or professional advice — for site-specific assessments, consult a competent person as defined by ACoP L8.
Sources
Keep your legionella records audit-ready
Join the waitlist for LegioLog — purpose-built compliance tracking for UK duty holders.
No spam. Unsubscribe any time. Privacy policy
Related guides
UK Legionella Testing Requirements: What the Law Says in 2026
What UK law requires for legionella testing — the difference between risk assessment, temperature monitoring, and microbiological testing, and who needs each.
Legionella Written Scheme of Control: What to Include and How to Write One
How to write a legionella written scheme of control under ACoP L8 — the 6 required sections, building-type examples, and how it connects to your risk assessment.
Legionella Risk Assessment for Landlords: What You Actually Need to Do
Step-by-step guide to legionella risk assessments for UK landlords — what the law requires, how to self-assess, what records to keep, and what inspectors check.