
A Legionella risk assessment remains a legal requirement for many UK organisations in 2026, yet there is still widespread uncertainty about who needs one, how often it should be reviewed, and what “suitable and sufficient” actually means in practice.
This guide explains what a Legionella risk assessment is, who is responsible for commissioning one, and the legal duties that apply under current UK legislation and guidance.
What is a Legionella Risk Assessment?
A Legionella Risk Assessment is a systematic review of a water system to identify conditions that could allow Legionella bacteria to grow and spread. The assessment considers how water is stored, distributed, used, and controlled within a building.
It identifies:
- Where Legionella bacteria could multiply
- Who may be at risk of exposure
- Existing control measures
- Any additional actions required to reduce risk
The outcome is a written record that forms the foundation of a site’s water hygiene management programme.
Risk assessments often identify assets such as TMVs that require ongoing maintenance. You can read more about recommended servicing frequencies in our guide on how often TMVs should be serviced.
Why Legionella Remains a Risk in 2026
Legionella bacteria are naturally present in water and become a health risk when conditions allow them to multiply – typically in stagnant water, at temperatures between 20 °C and 45 °C, or where biofilm, scale, or sediment is present.
Modern buildings continue to present challenges due to:
- Complex plumbing systems
- Low-use outlets
- Energy-saving temperature reductions
- Changes in building use or occupancy
Changes in building use or occupancy can significantly affect system risk, particularly during extended periods of low use.
As a result, Legionella risk management remains a key focus of health and safety compliance.
Who Needs a Legionella Risk Assessment?
Many organisations in the UK are legally required to carry out a Legionella risk assessment if they control premises with water systems.
This includes:
- Employers
- Landlords
- Managing agents
- Duty holders responsible for premises
Typical premises include offices, schools, care homes, healthcare settings, hotels, gyms, leisure facilities, and rental properties.
Domestic owner-occupied homes are generally exempt unless there are additional risk factors such as complex systems or vulnerable occupants.
Who is Responsible for Legionella Compliance?
Responsibility sits with the duty holder – the person or organisation that has control of the premises or water system.
This may be:
- An employer
- A building owner
- A landlord
- A managing agent
The duty holder can appoint others to help manage the risk, but legal responsibility cannot be delegated.
What Are the Legal Duties in 2026?
In the UK, Legionella control is primarily governed by:
- The Health and Safety at Work etc. Act 1974
- The Control of Substances Hazardous to Health Regulations (COSHH)
- Approved Code of Practice L8 (ACOP L8)
- HSG 274 Parts 1-3
These require duty holders to:
- Identify and assess the risk
- Prevent or control the risk
- Maintain records
- Review controls regularly
Failure to comply can result in enforcement action, prosecution, and reputational damage.
In some systems, sampling may be used to verify that control measures are effective. Our article on what water sampling your business may need explains when testing is appropriate.
What Makes a Legionella Risk Assessment “Suitable and Sufficient”?
A compliant Legionella risk assessment should be:
- Site-specific
- Based on a physical inspection
- Carried out by a competent assessor
- Proportionate to the level of risk
Generic templates or purely desk-based assessments rarely meet this standard, particularly for complex or higher-risk sites.
How Often Should a Legionella Risk Assessment be Reviewed?
There is no fixed expiry date, but guidance recommends review when:
- There are significant changes to the water system
- The building use changes
- Control measures are no longer effective
- There is reason to believe the assessment is no longer valid
As a sensible benchmark, many organisations review assessments every two years, or sooner for higher-risk environments.
If your assessment hasn’t been reviewed recently, we can help you check whether it’s still valid.
What Happens After the Risk Assessment?
The risk assessment is not the end of the process – it is the starting point.
The findings of a Legionella risk assessment should directly inform how the water system is monitored, maintained, and managed on an ongoing basis.
This includes:
- A written scheme of control
- Routine monitoring and inspection
- Flushing regimes
- Temperature checks
- Cleaning and maintenance schedules
- Staff training and record keeping
Without follow-up action, even a well-written assessment has little practical value.
Common Misconceptions about Legionella Risk Assessments
A few persistent myths still cause confusion:
- “We don’t need one because we’ve never had a positive result”
- “A temperature check log is enough”
- “Our system is too small to be a risk”
Legionella risk assessments are about prevention, not reacting to incidents or test results.
Getting Professional Support
Competent assessment and ongoing advice help ensure that controls are proportionate, practical and defensible in the event of inspection or audit.
Working with experienced water hygiene specialists can also help identify efficiencies, avoid unnecessary work, and keep documentation aligned with current guidance.
Contact our team to arrange a Legionella risk assessment or review for your site.



