News

The Building Safety Act 2022 is the most significant overhaul of building and fire safety legislation in England in fifty years. For anyone responsible for designing, constructing, occupying, or maintaining a higher-risk building, it has reshaped what "compliance" actually means — and, in particular, what compliance software has to be capable of.

Despite a sizeable market of vendors now advertising themselves as "Building Safety Act ready," very few articles in the trade press actually set out what the legislation requires of the software itself. This piece does that. It is written for procurement leads, building safety managers, FM directors, accountable persons, and principal contractors who need to evaluate whether the platform they're being sold can actually evidence compliance with the Building Safety Regulator rather than just claim it can.

What the golden thread actually is, in law

The "golden thread of information" is not a marketing concept. It is a legal duty created by Section 88 of the Building Safety Act 2022, which introduces the requirement to keep and maintain prescribed information about Higher-Risk Buildings. Its commencement was staged, with the substantive duty coming into force on 1 October 2023, placing a responsibility on the relevant dutyholders to ensure that key building and fire safety information is easily accessible throughout the life cycle of a higher-risk building.

The detailed requirements sit in secondary legislation. The four statutory instruments that together define what the golden thread is and how it must be managed are:

• The Building (Higher-Risk Buildings Procedures) (England) Regulations 2023
• The Higher-Risk Buildings (Management of Safety Risks etc) (England) Regulations 2023
• The Higher-Risk Buildings (Keeping and Provision of Information etc.) (England) Regulations 2024
• The Building Regulations etc. (Amendment) (England) Regulations 2023

The 2024 Regulations are the ones that matter most for software procurement. Exactly what must be included is written out in Schedule 1 of The Higher-Risk Buildings (Keeping and Provision of Information, etc.) (England) Regulations 2024 — meaning that the content the system must hold is a closed, prescribed list, not a vendor's interpretation of one.

The concept itself originates from Dame Judith Hackitt's 2018 Independent Review of Building Regulations and Fire Safety, commissioned in the wake of the Grenfell Tower fire of 14 June 2017. The review concluded that information critical to safe design, construction, and management was systematically missing, inconsistent, or inaccessible across the sector, and that a digital, structured, persistent record was the only credible answer.

Which buildings are in scope

A higher-risk building (HRB) in England is, in broad terms, a building of 18 metres or seven storeys or more in height that contains at least two residential units. The detail sits in section 65 of the Act and the regulations made under it.

Importantly, while the legal duty applies only to HRBs, the Building Safety Regulator and Construction Leadership Council guidance both make clear that the golden thread is regarded as best practice for all buildings — and the operational expectations of insurers, lenders, and the new building safety regime are increasingly being applied to non-HRB stock as well. Procurement decisions made today should assume that the scope will widen, not narrow.

Who is responsible

The duty does not sit in one place. It moves through the lifecycle of the building and attaches to different parties at each stage:

During design and construction, the duty holders are the client, the principal designer, and the principal contractor, with duties derived from the Construction (Design and Management) Regulations 2015 and extended by the BSA. The client is ultimately responsible. The client dutyholder is responsible for providing the electronic facility for storing the Golden Thread and the procedures that allow access to and maintenance of it.

During occupation, the duty passes to the Accountable Person (AP) for each part of the building, with a Principal Accountable Person (PAP) overall. The AP/PAP must hold, maintain, update, and on request, provide golden thread information to the Building Safety Regulator, to residents, and to subsequent duty holders.

The penalties for failure are not theoretical. A breach of the Golden Thread requirements can result in criminal liability. For example, when an accountable person or principal accountable person stops being responsible for a higher-risk residential building or any part of it, and they do not transfer the Golden Thread of information to the new accountable person or principal accountable person, they can be prosecuted, leading to a fine and up to two years' imprisonment (or both).

What the software has to do — the eight legal requirements

The regulations and the Construction Leadership Council's Delivering the Golden Thread: Guidance for dutyholders and accountable persons, published on 27 August 2024, between them set out eight functional characteristics that a golden thread system must demonstrably provide. These are the eight questions any building owner should put to any platform they are evaluating.

1. Is the record digital, structured, and held as a single source of truth?

The Act and the guidance both make clear that the golden thread must be digital. Paper files and email chains do not meet the legal duty. The information must be in a logical, navigable structure rather than a dumping ground of attachments. Crucially, the system must be the single source of truth — meaning operational practices that rely on side-channel updates (email attachments, ad-hoc spreadsheets, WhatsApp threads) actively undermine compliance.

2. Does it cover the lifecycle, end to end?

The duty attaches across design, construction, occupation, refurbishment, and demolition. A platform that handles only inspection during occupation, or only as-built records at handover, addresses one slice of the duty. The system selected by the client at the design stage should be capable of carrying the record through to and beyond Gateway 3, the BSR completion certificate that hard-stops registration and occupation of an HRB.

3. Is the information accurate, current, and live?

The regulations require the record to be kept "up to date." That implies that the platform must support and be operationally used for, real-time data capture on site, not retrospective data entry weeks after the fact. Mobile capture of inspections, installations, and defects at the point of work is the only credible way to satisfy this in practice. The system must also support change control: capturing not just the current state but the history of how the current state was arrived at.

4. Is it secure, with controlled access?

The golden thread should not be vulnerable to cyber attacks that can greatly harm the privacy and security of the building and its residents. To this end, systems holding the golden thread should be General Data Protection Regulation (GDPR) compliant. In procurement terms, this means asking for ISO/IEC 27001 alignment or certification, Cyber Essentials, documented encryption standards (TLS 1.2 or higher in transit; AES-256 at rest is the current expectation), UK data residency, tenant isolation in multi-tenant architectures, BPSS or equivalent personnel vetting for staff with production access, and an annual independent penetration testing programme. Anything less is an inadequate custodian for safety-critical information about residential buildings.

5. Does it provide an audit trail?

The record must show who did what, when, and why. Every entry must be attributable to a named user, timestamped, and immutable in the sense that historical states are preserved rather than overwritten. Photographic evidence should be tied to specific assets and locations. This is the difference between a system that produces evidence that survives a regulatory audit and one that produces evidence that gets challenged.

6. Is it accessible to the right people?

The information must be accessible to those who need it, including residents, regulators, subsequent duty holders, and other accountable persons. That means the system needs granular, role-based access control: read-only access for residents, full access for the AP/PAP, controlled access for contractors, and complete access for the BSR on request. A platform that cannot grant time-bounded, audited, read-only access to a third party is incompatible with the duty.

7. Is it transferable on change of ownership?

When the AP or PAP changes — sale, refinancing, change of management company, novation — the golden thread must transfer in full to the incoming party. That requires the platform to support a defined export and handover process, and the contract with the vendor must guarantee data portability. A platform that locks the record into a proprietary format the customer cannot extract is a procurement risk, and arguably a non-compliance risk.

8. Does it support Mandatory Occurrence Reporting?

Once the building is in occupation, the AP must operate a Mandatory Occurrence Reporting (MOR) system to report specified safety occurrences and near-misses to the Building Safety Regulator. MOR records must be captured, stored, and surfaced as part of the wider golden thread. A platform that does not support structured incident capture and reporting workflows is missing a required capability.

What this means for procurement

If you are buying a fire safety compliance platform in 2026 in the UK, the right standard to hold it to is not "does it have a nice mobile app" or "does it produce a tidy PDF report." Those are table stakes. The right standard is: can this platform, in the form we will operationally use it, evidence compliance with Section 88 of the Building Safety Act 2022 and the secondary regulations made under it, to the satisfaction of the Building Safety Regulator and to the AP/PAP who will inherit it?

The questions to take into every demo are the eight above. Ask each vendor to walk you through them, with their actual product, against a realistic building scenario. If the answers come back as "we're working on that," or "that's on the roadmap" or "we handle that through a partner," score accordingly. The duty is operational today.

Further reading

• Building Safety Act 2022, particularly Sections 65 (definition of HRB) and 88 (golden thread duty).
• The Higher-Risk Buildings (Keeping and Provision of Information etc.) (England) Regulations 2024, particularly Schedule 1.
• Delivering the Golden Thread: Guidance for dutyholders and accountable persons, Construction Leadership Council, 27 August 2024.
• Independent Review of Building Regulations and Fire Safety: Final Report (the Hackitt Review), May 2018.
• Building Safety Regulator guidance, published by the Health and Safety Executive.

Bolster Systems is a UK-headquartered fire safety and building compliance platform, trading since 2014, used by 700+ approved companies, including Manchester University NHS Foundation Trust. The platform is designed around the golden thread principles set out in the Building Safety Act 2022, hosted entirely in UK AWS regions, holds Cyber Essentials and ISO 9001 certification, is approved on G-Cloud 13, and operates an ISO/IEC 27001-aligned information security management system with certification audit in progress.