10 July 2025

How To Manage Insider Lists Effectively

Kinstellar

Contributor

Kinstellar acts as trusted legal counsel to leading investors across Emerging Europe and Central Asia. With offices in 11 jurisdictions and over 350 local and international lawyers, we deliver consistent, joined-up legal advice and assistance across diverse regional markets – together with the know-how and experience to champion your interests while minimising exposure to risk.

Issuers in the European Union ("EU") and any persons acting on their behalf or for their account must maintain procedures for drawing up and updating insider lists consistent with the EU's Market Abuse Regulation (MAR).[1]

It is always the issuer who is fully responsible for complying with MAR and who, therefore, must always retain access to the insider list, even if a person acting on behalf of the issuer, such as an advisor, assumes the task of maintaining the insider list.

CIR 2022/1210[2] includes five standard templates for reporting the personal details of persons with access to inside information. Each template features the minimum information that must be collected as part of the record-keeping requirements to be compliant with MAR.

The following standard templates are available:

  • Project-/Event-based insider list (Annex 1 | Template 1)
  • Permanent insider list (Annex 1 | Template 2)
  • Insider list to be used by SME Growth Market (GM) issuers that should only identify those persons having access to inside information on a regular basis (Annex 2)
  • Project-/Event-based insider list (Annex 3 | Template 1) and permanent insider list (Annex 3 | Template 2) to be used by SME GM issuers where Member States require them to draw up and update an insider list, but requiring fewer personal data fields

Below we address key questions issuers commonly face in the course of administering these lists.

01. Who Qualifies as an "Insider"?

Each insider list:

  • MUST include one or more project-/event-based sections (linked to a specific deal, project, or event).
  • MAY include an optional permanent insider section (for individuals with constant access).

Project-/Event-based insiders

Persons who have actually accessed inside information due to their participation in an event or project—not those who potentially could access the information due to their role or technical permissions.

Example: An IT employee is to be listed only if the employee becomes demonstrably aware of the inside information through her/his work—not just because she/he could access e-mails or documents including inside information.

Consider managing possible access within the organisation by (i) using internal controls (e.g., file restrictions, encryption), or (ii) implementing a classification system for sensitive documents requiring special handling.

Consider listing only one contact person per external service provider (e.g., law firms, consultants). External providers must maintain their own insider lists for their staff.

If a person refuses to provide the personal data required for inclusion in the insider list, it is recommended that the issuer, being responsible for the completeness and accuracy of the list, duly document the refusal. Such documentation may be taken into consideration by the national competent authority ("NCA") when assessing the imposition or mitigation of fines.

Permanent insiders

Persons who—due to the nature of their function or position—have access at all times to all inside information. This typically includes CEOs and in some cases CFOs, executive assistants, chairmen of the supervisory board, heads of legal/general counsel, CTOs.

Only list a person as a permanent insider if they have access to all inside information. If the person only knows about a specific piece of information, they are listed on a project-/event-based list instead.

Overusing the permanent list can reduce oversight and limit the list's effectiveness for investigations. The NCA may ask for proof of actual access.

The permanent insider section therefore does not relate to any specific piece of inside information. Once permanent insiders are listed as such, they are considered insiders for the entire duration that inside information exists in relation to the issuer.

02. How to Create an Insider List?

The insider list must be kept in electronic form. It is standard market practice to use automated software solutions or basic spreadsheets, depending on the number of insiders and their activities.

Consider maintaining the list in the official language of the relevant NCA or in English.

Insider lists should be divided into separate sections with each section corresponding to a specific piece of inside information.

Persons who have access to various distinct pieces of inside information without qualifying as permanent insiders must be included separately in each corresponding project-/event-based insider section.

Permanent insiders should be listed only in their dedicated section to avoid duplication in the project-/event-based section.

Since a variety of inside information can exist within an organisation at the same time, insider lists should precisely identify the specific inside information (which may include information relating to a deal, project, corporate or financial event, or financial statements).

If the reason for inclusion in the insider list is "Project X," the project should be briefly described for the purpose of clear identification, and not merely identified by its project code name.

The exact date and time when a person was granted access to the inside information is to be recorded, not the actual moment of becoming aware of the information.

Where a group of individuals is exposed to inside information (e.g., the supervisory board, project team), each member of the group is to be considered individually. Avoid referring in the list to the group as such.

The insider list must record when each member gained access to the inside information. This is typically when the information arises (e.g., a formal decision of the competent body), applying equally to each group member. However, if a member is absent (e.g., due to illness or vacation), their later access should be recorded in the list accordingly.

Timing is everything—especially for compliance: An insider list must only be created once information is officially classified as inside information. However, keeping a confidential list in advance (for information likely to become inside information at a later stage), though not legally required, can help in complex cases, such as takeover negotiations, where it takes a longer period for a piece of information to become sufficiently specific and a large number of insiders are involved.

For example, the Austrian Financial Market Authority generally does not assume that the inclusion of a project in the insider list implies that the information was already considered inside information at that point in time. For persons listed early, no date or time of access is recorded until the information officially qualifies as inside information.

03. Are You Updating Your Insider Lists on Time?

An update is required when:

  • A new person gains access to inside information (e.g., a new employee of the issuer joins the project team);
  • Someone no longer has access (e.g., an employee ceases working for the issuer);
  • The reason for someone's inclusion changes (e.g., external counsel of the issuer joins the issuer's legal department);
  • The inside information is disclosed or becomes irrelevant (e.g., project ends).

Updates must be made promptly. Delays are only permissible under special circumstances—for example, in cases of doubt or when obtaining legal advice.

Tracking updates is crucial. When using spreadsheets, each version of the list must be saved. Every time a change is made (e.g., someone is added/removed), the old version must be kept and the new version must include (i) what changed, (ii) why it changed, and (iii) when exactly the change occurred.

In fast-moving situations, you may need to update the list several times a day.

Temporary absences due to vacation or short-term illness do not trigger an obligation to update the insider list.

04. Do You Notify Insiders and Explain Their Responsibilities?

Everyone responsible for an insider list is personally responsible for informing the individuals recorded in the list.

When someone is added to an insider list for the first time, the issuer must ensure that they:

  • acknowledge in writing their legal and regulatory obligations and
  • understand the penalties for insider dealing and unlawful disclosure.

As insider lists are tied to specific events or deals, employees must be notified each time they are added to a new list—even if they have been listed before. Repetition of the instruction may be required, in particular if the legal basis or applicable sanctions have changed significantly since the last instruction.

Electronic confirmation is accepted by most NCAs, provided that it can be evidenced at a later time in its unchanged form.

It is further recommended that insiders be expressly informed of their obligation to treat inside information as confidential. This includes, for example, securing relevant documents, maintaining effective information barriers (Chinese walls), and ensuring that electronic communications are transmitted only via encrypted systems or directed exclusively to designated recipients.

05. How to Retain Insider Lists?

Each version of the insider list—originals and all updates (versions)—must be kept for at least five years from the date it was created or last modified. The data must be stored in such a manner that, at any time during the retention period, it can be demonstrated who had access to inside information and when. After the end of five years, versions can generally be safely deleted.

These records shall be readily available and submitted without undue delay to the NCA if requested by the NCA during an investigation.

Insider lists contain personal data and are therefore subject to data protection regulations. They must, in particular, be treated with strict confidentiality. Given the sensitive nature of the data, encryption is recommended. Access, therefore, should be limited to those responsible for maintaining the insider list or expressly assigned to this task (e.g., management, compliance staff), and the lists must only be accessible on a need-to-know basis.

Footnotes

1. Regulation 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC.

2. Commission Implementing Regulation (EU) 2022/1210 of 13 July 2022 laying down implementing technical standards for the application of Regulation (EU) No 596/2014 of the European Parliament and of the Council with regard to the format of insider lists and their updates.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
