What training is mandatory for UK employers by sector?

What "mandatory" actually means

There's no single law that lists "mandatory training" for UK employers. The phrase is used to cover three different categories:

1. Training required by general UK legislation — applies to almost every employer
2. Training required by sector-specific regulation — applies to employers in regulated industries
3. Training required to perform a specific role legally — applies to specific roles within a workforce

Confusion between these categories is the most common source of compliance failure. A care home doesn't just need general health and safety training; it needs Care Certificate competencies, infection control, safeguarding adults, and Mental Capacity Act training.

Training every UK employer must provide

These apply to almost every employer with employees, regardless of sector or size.

Health and safety induction

Required under the Health and Safety at Work Act 1974. Covers:

• General workplace hazards
• Fire safety and evacuation procedures
• Reporting incidents and near-misses
• First aid arrangements
• Mental health awareness (increasingly seen as part of HSE compliance)

Refresher: usually annual for safety-critical roles, every 2–3 years for general office staff.

Fire safety

Required under the Regulatory Reform (Fire Safety) Order 2005. Covers:

• Identifying fire risks
• Use of fire-fighting equipment (extinguishers, blankets)
• Evacuation procedures
• Role of fire wardens

Refresher: typically annual, with fire drills at least every 6 months.

Manual handling

Required under the Manual Handling Operations Regulations 1992 for any role involving lifting, carrying, pushing, or pulling loads.

Refresher: every 2–3 years, more often in roles with intensive manual handling.

Equality, diversity, and inclusion

While not explicitly mandated, EDI training is the practical defence to Equality Act 2010 discrimination claims. Without documented training, an employer cannot claim the "all reasonable steps" defence under section 109(4).

Refresher: at least every 2 years, immediately after material policy changes.

Data protection (UK GDPR)

Required under UK GDPR Article 39(1)(b) for staff who process personal data — which in practice means almost all office workers. Should cover:

• Lawful bases and consent
• Data minimisation and accuracy
• Subject rights (especially SARs)
• Breach reporting
• Retention and disposal

Refresher: annually.

Sector-specific mandatory training

Healthcare (NHS and private)

The Core Skills Training Framework (CSTF) sets the baseline:

• Equality, diversity, and human rights
• Health, safety, and welfare
• Conflict resolution
• Fire safety
• Infection prevention and control
• Information governance and data security
• Moving and handling
• Preventing radicalisation
• Resuscitation
• Safeguarding adults (levels 1–3 depending on role)
• Safeguarding children (levels 1–3 depending on role)

Plus role-specific clinical competencies: medication management, mental capacity, end-of-life care, manual evacuation, etc.

Refresher: most CSTF subjects are annual.

Education

Driven by the Department for Education's statutory guidance:

• Keeping Children Safe in Education (KCSiE) — annual update for all staff, with sections specific to safeguarding leads
• Prevent duty — counter-terrorism awareness
• Child protection — at safeguarding-lead level for designated staff
• Fire safety, manual handling, mental health awareness
• First aid at appropriate level for the setting
• Role-specific qualifications — SENDCo, paediatric first aid for early years staff

Refresher: KCSiE is annual; child protection lead training is every 2 years.

Construction

• CSCS card — Construction Skills Certification Scheme, required for almost all site-based roles
• Site Safety Plus — different levels for operatives, supervisors, and managers
• Working at Height training under the Work at Height Regulations 2005
• Asbestos awareness — mandatory annually for any role that might disturb asbestos
• Manual handling — given the physical nature of the work
• Plant operator training — CPCS or similar for specific equipment

Refresher: most CSCS-aligned training is every 3–5 years; asbestos awareness annually.

Financial services

Driven by FCA and PRA regulations:

• Senior Managers and Certification Regime (SM&CR) — fitness and propriety, code of conduct
• Anti-money laundering (AML) — mandatory for any firm handling client funds
• Financial promotions — for client-facing staff
• Continuing professional development (CPD) — minimum hours per year for regulated individuals
• Vulnerable customers — Consumer Duty implications

Refresher: AML annually; CPD continuous; SM&CR materials reviewed at least annually.

Retail and hospitality

• Food hygiene — Level 1 for all food handlers, Level 2 for those preparing food, Level 3 for managers
• Allergen training — Natasha's Law compliance for prepacked-for-direct-sale food
• Licensing — Personal Licence training for venues serving alcohol
• Age-restricted products — for staff selling alcohol, tobacco, knives, etc.
• Fire safety — particularly in licensed premises and hotels

Refresher: food hygiene every 2–3 years; allergen training annually.

Care (adults and children)

• Care Certificate — 15 standards covering communication, dignity, privacy, equality, safeguarding, basic life support
• Mental Capacity Act 2005 / Deprivation of Liberty Safeguards (DoLS)
• Safeguarding — typically Level 2 for all staff, Level 3 for designated leads
• Infection prevention and control
• Medication management for qualified staff
• Moving and handling people (different from general manual handling)

Refresher: most subjects annually; Care Certificate is once on induction, with ongoing competency assessment.

Transport and logistics

• Driver CPC for HGV drivers — 35 hours every 5 years
• Tachograph training for relevant vehicle classes
• Manual handling for warehouse staff
• Forklift / lift-truck operation under specific certification

Refresher: Driver CPC tracked over rolling 5-year periods; equipment certifications typically every 3 years.

Tracking and evidencing

Mandatory training is only mandatory if it's documented. For each course:

• Date completed
• Course title and provider
• Outcome (pass/fail or competency assessment)
• Certificate or evidence of completion
• Renewal date

This becomes the audit trail for HSE inspections, CQC inspections, Ofsted visits, FCA reviews, and tribunal claims. Missing records are read as missing training.

When training is not delivered

Failure to provide mandatory training can result in:

• HSE prosecution for safety-critical breaches
• CQC enforcement in care settings
• Ofsted downgrades in education
• FCA penalties in financial services
• Tribunal awards in discrimination or unfair dismissal claims that hinge on the "all reasonable steps" defence
• Civil liability if untrained staff cause harm

The cost of a well-organised training programme is invariably less than the cost of a single major incident.

Putting it into practice

A robust training-management approach:

1. Maps mandatory training to each role using a competency matrix
2. Tracks completion dates and renewal cycles per employee
3. Sends automated reminders before expiry
4. Stores certificates and evidence in the employee record
5. Reviews the matrix annually against legal and sector changes
6. Reports compliance status for inspections and audits
7. Identifies gaps before they become liabilities

Training is operationally cheap and audit-relevant. The discipline is in the matrix and the calendar — once those are in place, the rest is execution.