Legionella Compliance for Small UK Businesses: A Practical Guide
- Trefnus

Published: May 2026 | Last reviewed: May 2026
Legionella Compliance for Small Businesses - Introduction
If you run a small business with premises that have a water system, Legionella compliance is not optional. It is a legal duty under UK health and safety law, and failing to meet it can result in serious harm to staff, customers, and visitors, as well as significant fines and reputational damage.
Many small business owners assume Legionella is only a concern for large hotels or hospitals. In reality, any premises with a hot or cold water system can present a risk. The good news is that managing that risk does not have to be complicated or expensive.
With a clear understanding of your responsibilities and a structured approach to preventive maintenance, Legionella compliance for small businesses is well within reach.
This guide walks you through what Legionella is, what the law requires, and the practical steps you can take to protect your people and your business.
What Is Legionella and Why Does It Matter?
Legionella is a type of bacteria that occurs naturally in freshwater environments. It becomes a health risk when it multiplies inside man-made water systems and is then inhaled through fine water droplets, known as aerosols. This can lead to Legionnaires' disease, a potentially fatal form of pneumonia, or the milder Pontiac fever.
The bacteria thrive in water between 20 and 45 degrees Celsius and are particularly prevalent where water is allowed to stagnate, where there is a build-up of sediment or scale, or where pipework is old and corroded.
Common Sources of Risk
• Hot and cold water systems, including tanks, cylinders, and pipes
• Showers and aerosol-generating outlets
• Cooling towers, evaporative condensers, humidifiers, and certain water-based air conditioning systems
• Water features such as fountains
• Infrequently used outlets or dead legs in pipework
What the Law Says: Your Legal Duties
In the UK, the primary legislation is the Health and Safety at Work etc. Act 1974, supported by the Control of Substances Hazardous to Health Regulations 2002 (COSHH) and the Management of Health and Safety at Work Regulations 1999. The Health and Safety Executive (HSE) provides detailed guidance in the Approved Code of Practice L8 (ACOP L8) and the Technical Guidance HSG274.
As an employer or person in control of premises, you are legally required to:
• Identify and assess the risk of Legionella in your water systems
• Put in place a written scheme to prevent or control the risk
• Implement, manage, and monitor the control measures
• Keep records of all risk assessments, actions, and checks
• Appoint a responsible person to oversee Legionella management
It is worth noting that you do not need to take on a specialist contractor for every task. For simple systems, such as a small office with a domestic-style hot water cylinder and minimal pipework, a competent in-house person may be able to carry out the risk assessment and manage compliance. However, many businesses choose to appoint a qualified water hygiene specialist, particularly where systems are more complex or internal expertise is limited.
Carrying Out a Legionella Risk Assessment
The starting point for Legionella compliance for small businesses is a thorough risk assessment. This does not need to be overly complex, but it does need to be systematic and documented.
What the Assessment Should Cover
• A full description of your water systems, including tanks, pipework routes, and outlets
• Identification of conditions that could support bacterial growth, such as temperatures in the danger zone, stagnant water, or areas of disuse
• The population at risk, including staff, customers, and any vulnerable individuals such as elderly or immunocompromised people
• Existing controls already in place and their effectiveness
• Any further actions required to manage or eliminate the risk
The risk assessment should be reviewed regularly and whenever there are significant changes to your water system, your premises, or the way they are used. If your system is straightforward and the risk is low, your assessment may conclude that little further action is needed beyond basic monitoring and housekeeping. If the risk is higher, you will need a more detailed control scheme.
Key Control Measures and How Often to Apply Them
Control Measure | Recommended Frequency | Notes |
Temperature checks (hot water sentinel outlets) | Monthly | Hot water should reach at least 50°C at sentinel outlets within one minute; representative outlets checked on a rotational basis |
Temperature checks (cold water sentinel outlets) | Monthly | Cold water should be below 20°C at sentinel outlets within two minutes; representative outlets checked rotationally |
Cold water storage temperature monitoring | At least every 6 months | Stored cold water should remain consistently below 20°C |
Flushing of infrequently used outlets | Weekly | All outlets not regularly used should be flushed for at least two minutes |
Cold water storage tank inspection | Annually | Check cleanliness, condition, insulation, lids, and for signs of contamination or debris |
Descaling and cleaning of showerheads and aerosol-generating outlets | Quarterly | Dismantle and clean, or replace if heavily scaled |
Risk assessment review | Regularly, and whenever significant changes occur | Many organisations adopt a two-year review cycle for lower-risk systems; review sooner if systems or occupancy change |
Legionella sampling (water testing) | As advised by risk assessment | Routine sampling is not normally required for standard hot and cold water systems where temperature control is effective; generally reserved for higher-risk systems, where controls are failing, or after significant remedial works |
Table 1: Recommended Legionella control measures and indicative frequencies for small business premises.
Appointing a Responsible Person
One of the most important steps you can take is to designate a responsible person for Legionella management. This should be someone with sufficient authority, knowledge, and time to carry out or coordinate the necessary tasks. In a small business, this is often the owner or a senior manager.
The responsible person does not need to be a Legionella specialist, but they should understand the basics of your water system, know what checks need to be carried out and when, and be able to maintain accurate records. Training courses are widely available and can be completed in a day.
Manage Legionella Records with Trefnus CMMS
Trefnus CMMS is a maintenance management system designed for small and medium-sized businesses. It helps you schedule and track preventive maintenance activities, manage assets, log defects, and maintain a complete audit trail, all without requiring a dedicated IT infrastructure. With Trefnus CMMS you can set up recurring tasks for monthly temperature checks, quarterly outlet cleaning, and annual inspections, assign them to your responsible person, and record completions with photos and notes. Your compliance log stays structured and up to date, making it straightforward to produce evidence of your control activities if they are ever requested. Find out more at:
Record Keeping: What You Need to Keep and for How Long
Accurate record keeping is central to demonstrating compliance. If your premises are ever inspected by the HSE or Environmental Health, your records will be the primary evidence that you have managed the risk effectively.
Records You Should Maintain
• The original risk assessment and any subsequent reviews
• Your written control scheme or water safety plan
• A log of all monitoring checks, including temperatures, dates, and readings
• Records of any remedial actions taken and when they were completed
• Details of any water sampling or laboratory test results
• Maintenance records for relevant plant and equipment
• Training records for the responsible person and any other staff involved
Many Legionella records are commonly retained for at least five years, particularly risk assessments, written control schemes, and records of significant remedial works. Routine monitoring logs are sometimes kept for shorter periods, but retaining everything for five years or more is a straightforward and defensible approach. If you use a digital maintenance management system, there is no reason not to keep them indefinitely, and doing so provides a much stronger audit trail.
Common Mistakes Small Businesses Make
Many businesses carry out their Legionella risk assessment once and then forget about it. Here are the most common compliance failures that the HSE and environmental health officers identify.
Assuming the Risk Is Negligible
Even a modest office or retail space with a single hot water system can harbour Legionella if the water is held at the wrong temperature or if pipework includes dead legs. Never assume the risk is zero without completing a formal assessment.
Failing to Flush Infrequently Used Outlets
Stagnant water in taps or showers that are used only occasionally is one of the most common causes of bacterial growth. If your premises have staff toilets on one floor that are rarely used, those outlets need regular flushing, even if no one is using them.
Not Reviewing the Assessment After Changes
Refurbishments, changes in occupancy, or alterations to your water system can all affect your risk profile. Your risk assessment must be reviewed whenever such changes occur.
Keeping Inadequate Records
A verbal assurance that checks have been carried out is not sufficient. Without documented evidence, you cannot demonstrate compliance. Use a structured log, whether paper-based or digital, and ensure it is kept up to date.
Outsourcing Without Oversight
Many small businesses appoint a contractor to handle Legionella management and then assume the matter is taken care of. Even if you use a specialist, you remain the dutyholder. You must understand what checks are being done, receive the results, and retain the records yourself.
Key Terms: A Quick Reference
Term | Meaning |
ACOP L8 | Approved Code of Practice for the Control of Legionella Bacteria in Water Systems, published by the HSE |
HSG274 | HSE Technical Guidance document providing detailed advice on Legionella management in various water system types |
Dutyholder | The employer or person with control of premises who has legal responsibility for managing Legionella risk |
Responsible person | The individual appointed by the dutyholder to manage day-to-day Legionella control measures |
Dead leg | A section of pipework that does not have regular flow, creating conditions where water stagnates |
Aerosol | A fine mist of water droplets through which Legionella bacteria can be inhaled |
Written control scheme | A document setting out the specific control measures for managing Legionella risk in a premises; the term used in ACOP L8 for the required written plan |
Temperature monitoring | Routine checking of hot and cold water temperatures at outlets to verify they remain outside the bacterial growth range |
Table 2: Key terminology used in Legionella compliance guidance.
When to Bring In a Specialist
Not every aspect of Legionella management requires outside expertise, but there are certain situations where a qualified water hygiene specialist is advisable or essential.
• Carrying out the initial risk assessment, particularly for more complex or larger water systems
• After any significant works to your water system, such as replacing pipework, tanks, or heating equipment
• When water sampling results indicate elevated bacterial counts
• When you are unsure whether your current controls are adequate
• When your premises have a cooling tower, spa pool, or other high-risk water system
The Water Management Society and the Legionella Control Association both maintain directories of accredited service providers who can help. Always ask for written reports and ensure you retain copies of all documentation they produce on your behalf.
Frequently Asked Questions
Does my small business legally need a Legionella risk assessment?
Yes. If you are an employer or have control of premises with a water system, you have a legal duty to assess the risk of Legionella under the Health and Safety at Work etc. Act 1974 and the Control of Substances Hazardous to Health Regulations 2002. This applies regardless of the size of your business. If the risk assessment concludes the risk is low and well controlled, you may need little more than basic monitoring and a simple written record. However, the assessment itself is a legal requirement, not optional.
How often should Legionella checks be carried out?
It depends on the type of check.
As a general guide:
• Sentinel hot and cold water outlet temperatures should be checked monthly
• Cold water storage temperatures should be monitored at least every six months
• Infrequently used outlets should be flushed weekly
• Cold water storage tanks should be visually inspected annually
• Showerheads and aerosol-generating outlets should be cleaned quarterly
Your risk assessment will specify the exact frequencies appropriate for your system. Higher-risk systems may require more frequent checks.
Can I do Legionella compliance myself?
For straightforward systems in smaller premises, a competent in-house person can legally carry out monitoring checks, flush infrequently used outlets, and maintain records. The HSE requires a "competent person" rather than a qualified specialist for many tasks. That said, the initial risk assessment for anything other than a very simple system is best carried out by, or with input from, a qualified water hygiene specialist. You remain the dutyholder regardless of who carries out the work, so you must understand what is being done and retain all documentation.
Do I need Legionella water testing?
Routine microbiological water sampling is not normally required for standard hot and cold water systems where temperature control is being maintained effectively. HSE guidance makes clear that testing is generally reserved for higher-risk systems, such as cooling towers or spa pools, or where there is reason to believe controls are failing, for example following a suspected case of Legionnaires' disease or after significant remedial works. If your risk assessment recommends testing, or if a specialist advises it for your system type, you should follow that advice.
What records do I need to keep for Legionella compliance?
You should keep records of your risk assessment and any reviews, your written control scheme, all monitoring logs including dates, readings, and the name of the person carrying out checks, any remedial actions taken, water sampling results where applicable, and training records for your responsible person. These should be retained for at least five years. A digital maintenance log makes it straightforward to produce this evidence quickly if it is ever requested.
Conclusion
Legionella compliance for small businesses is a legal duty that is often misunderstood or underestimated. The risks are real, but so is your ability to manage them effectively with the right approach.
The foundations are straightforward: carry out a proper risk assessment, put a written control scheme in place, carry out regular monitoring, and keep thorough records. Appoint a responsible person who knows what to do and when, and make sure compliance is built into your routine operations rather than treated as a one-off exercise.
Using a maintenance management system can make a significant difference. Rather than relying on spreadsheets or paper logs, a system like Trefnus CMMS allows you to schedule recurring tasks, record completions, attach evidence, and produce a ready-made audit trail at any time. That kind of systematic approach is exactly what the HSE expects, and it gives you confidence that nothing has been missed.
To explore how Trefnus CMMS can support your compliance activities, visit trefnus.com/cmms.
Further Reading and Official Guidance
HSE Legionella guidance: www.hse.gov.uk/legionnaires/
ACOP L8 (Approved Code of Practice): www.hse.gov.uk/pubns/books/l8.htm
HSG274 Technical Guidance: www.hse.gov.uk/pubns/books/hsg274.htm
Legionella Control Association: www.legionellacontrol.org.uk/
Disclaimer
The information in this article is intended for general guidance only and does not constitute professional legal, financial, or regulatory advice. Always consult a qualified professional for advice specific to your circumstances.

