- Why InsiderList?
  Automate all your MAR compliance requirements with our secure online platform.
  Learn more about why companies choose InsiderList
- Our story
  Discover how we built InsiderList's platform for effortless workflow automation.
  Explore our story
- More about us
- Read our latest Press
- Meet our Partners
- View our open Careers
- Discover
- Explore the platform
- e-Learning suite
- Workspaces (new)
- Workflow automation
- Confidential lists
- Insider lists
- Permanent insider lists
- PDMR / PCA lists
- Public companies
  We work with over 100 issuers across 12 exchanges and 28 different countries.
  Learn more about solutions for public companies
- Advisers
  We support banks, lawyers, accountants, and PR teams subject to MAR.
  Learn more about solutions for advisers
- Corporate services providers
  Our platform powers compliance teams for the world's largest corporate services providers.
  Learn more about solutions for CSPs
New
LSE RNS integration
Submit notices directly from your dashboard, prepopulated from the approved deal.
Learn more
360° dashboard
Digital signatures
Compliance wizards
Intelligent data capture
Smart contact database
Automated rules and validation
Reporting and analytics
Advanced security
Team collaboration
Detailed audit logs
International languages
User portals
- Articles and resources
- Read our latest articles, guides, and faqs, and access our free MAR insider list templates.
- Learn more about our resource database
- Case studies
  Learn how our clients automate their compliance with InsiderList.
  Learn more about our case studies
- Regulatory database
  Search and query our regulatory database for the latest in compliance.
  Learn more about compliance updates

Insider and Confidential Lists explained

Not every list a compliance team maintains is an insider list, and not every confidentiality risk is a Market Abuse Regulation (MAR) risk.

25 May 2026

8 minutes

Introduction
Insider lists
Confidential lists
Which list do you need?

Introduction

Compliance teams at listed companies routinely run several different lists at once. Some are required by MAR and have a prescribed format down to the field. Others sit outside MAR entirely but still need real access control because the underlying information is commercially sensitive. That boundary between regulated and unregulated is the line that shapes everything else.

Conflating the two is the most common mistake. Treat every list as a MAR insider list and you create disproportionate work where the regulation does not bite. Treat your insider list like an informal spreadsheet and you create real exposure where it does. Understanding what each list is for, and what each one demands, is the cleaner starting point.

Insider lists

Insider lists are the formal record MAR requires from any listed issuer in the EU and UK, and from anyone working on its behalf, of who has access to inside information at any given moment. Everything about them, from format to retention to update timing, is prescribed.

Who has to keep one

MAR Article 18 requires every issuer with securities admitted to trading on a UK regulated market, a multilateral trading facility (MTF) or an organised trading facility (OTF) to maintain an insider list. So do persons acting on the issuer's behalf or account, which captures advisers, banks, lawyers and PR firms working on any transaction or situation that touches inside information.

What goes in it

Each list runs in two parts. A permanent section covers individuals with continuous access to inside information, typically a small group such as the executive directors and the company secretary. An event-based or deal-specific section covers everyone else whose access is tied to a particular piece of inside information, from a specific transaction to an unannounced trading update.

ESMA (the European Securities and Markets Authority) prescribes the format. Each entry carries the same defined fields: full name, function and reason for inclusion, the date and time access was obtained, and the personal details a regulator needs to trace the person if a market abuse investigation opens. A spreadsheet that is "basically the same" is not the same.

Keeping it current and accessible

Currency is the obligation that catches teams out. Insider lists must reflect who actually holds inside information at any given moment, which means updating them when access changes rather than at the end of the week when someone remembers. Records must be retained for at least five years, and the Financial Conduct Authority (FCA) can ask for the list "as soon as possible", which in practice means hours rather than days.

In InsiderList, the MAR insider list lives in the prescribed format from the moment it is created. Adding or removing a person updates the list and the audit trail in the same action, with timestamps the regulator will expect to see. Acknowledgements from each insider, recording that they understand their obligations and the consequences of breach, are tracked against their entry.

Confidential lists

Confidential lists do the same operational job for information that is sensitive but not yet inside information, and for organisations that sit outside MAR's scope altogether. No regulator prescribes the format, but the discipline is no less real, and the same record can be promoted to a MAR-compliant insider list the moment the underlying information crosses the threshold.

When MAR does not apply but access still does

Not all sensitive information is inside information. A merger discussion that has not yet reached the threshold of being precise and price-sensitive, a strategic review that may or may not result in market-moving action, a customer dispute, a personnel issue, a piece of pre-initial-public-offering (pre-IPO) planning at a private company: all of this is commercially sensitive, all of it warrants controlled access, and none of it triggers MAR.

What a confidential list does

A confidential list records who has been granted access to a defined piece of sensitive information, when they were added and when their access ended. Format is not prescribed because no regulator prescribes it, but the discipline is no less important. Confidentiality undertakings, ethical walls and non-disclosure agreements (NDAs) are only as good as the record of who is inside them.

Who uses them

Audiences for confidential lists are wider than for insider lists. Private companies use them. Listed companies use them for information that is sensitive but not yet inside information, with the option of converting the record into a MAR-compliant insider list if the situation moves across the threshold. Advisers use them to track who in their own organisation is working on a confidential matter for a client.

Delegating access management with Workspaces

On larger deals and projects, routing every access change through compliance creates delay at the front and gaps in the record at the back. InsiderList Workspaces addresses this by letting compliance delegate day-to-day list maintenance to the person closest to the work, whether that is a deal lead, a project manager or a team head. That person can add and remove members from their own list; compliance retains full visibility across every workspace, with the same audit trail and notification workflow. The delegation is structured, not loose.

In InsiderList, confidential lists run with the same access controls, audit trail and notification workflow as insider lists, without the prescribed-format constraints that do not apply. If a confidential list later becomes an insider list because the underlying information has crossed the threshold, the record can be migrated rather than rebuilt, so there is no need to reconstruct who knew what and when under regulator pressure.

Which list do you need?

Most teams know the regulatory boundary in principle and still spend time relitigating it in practice. Settling it comes down to three questions: what kind of information is at stake, who needs to control access in real time, and what format the record has to be in if a regulator asks.

Categories shift over time. A confidential list can convert to a MAR insider list the moment the underlying information crosses the threshold. Picking the right structure is a decision about today's access dynamics, not a permanent label, and the platform leaves room to change tomorrow.

One login, one audit trail, one place to look when something needs to be produced. Each list type has its own structure, but the controls around them are common: timestamped entries, acknowledgements from each person added, a complete change history, and exports formatted for whichever audience needs them, including the FCA.

To see how InsiderList handles both, book a demo or read more on our insider list feature page. For more on when sensitive information becomes inside information, see our guide to making that call.

Articles