The risk of relying on one permanent insider list under MAR

A permanent insider list saves admin, but treated as your only list it creates two opposite risks: some insiders never get recorded, others get restrictions they never needed. Here is how to avoid both.

8 July 2026

4 minutes

permanent insider list

Introduction

A permanent insider list exists to remove the administrative burden associated with re-adding permanent insiders to every project-based insider list. This was the intention of the guiding regulations under MAR. It was not designed to be used as a “catch-all” list for individuals who may occasionally have access to inside information. Only those who, by virtue of their role or function, have regular and ongoing access to all inside information should be included. All other individuals should be added to the relevant project-specific insider list only when they obtain access to that particular inside information. As discussed below, relying on a single permanent insider list creates additional compliance challenges, obscures who had access to specific information at a particular time, and risks undermining the accuracy and purpose of the insider-list regime.

What the Permanent List Is Actually For

Article 18 of the Market Abuse Regulation (MAR) requires issuers to keep insider lists recording everyone with access to inside information. Commission Implementing Regulation (EU) 2016/347 added the permanent insider section as a shortcut for one narrow group: people who, by the nature of their role, have continuous access to all inside information within the company, so their details do not need re-entering on every event-based list they happen to appear on. Recital 4 of that regulation states the purpose directly, which is to avoid duplicative entries for the same individuals across multiple lists. Nothing in that wording makes the permanent section a replacement for event-based lists. It exists to spare a small, genuinely continuous group repeat paperwork, and that is the whole of its job.

The Primary Risk: Event-Based Lists That Never Get Created

Treating the permanent list as sufficient on its own is the failure that does the most damage, and it is also the easiest to fall into. A compliance team builds the permanent list, populates it with the board and a handful of senior managers, and starts operating on the assumption that coverage is complete. That assumption holds right up until a live transaction pulls in people nowhere near permanent-insider status: an external lawyer instructed for the deal, a junior analyst modelling the numbers, a PR adviser briefed ahead of an announcement. None of them has continuous access to everything the company knows. Each of them has access to one specific piece of inside information, for exactly as long as the deal runs, and MAR requires every one of them on an event-based list recording the date and time they gained and lost access, a list that exists only for that matter and closes when it does.

Where the permanent list is doing duty as the only list a company keeps, those names never get added anywhere. Nothing in the permanent section captures who knew what, when, or for how long, on any given transaction, because it was never designed to. If a National Competent Authority later asks who had access to a specific deal and when, a company relying solely on its permanent list has no record that answers the question, only a general roster that was never meant to. ESMA, the European Securities and Markets Authority, has been clear that the permanent section is supplementary, sitting alongside event-based lists rather than standing in for them. A regulator investigating a leak asks for the list covering the specific event. A permanent list is not an answer to that question, however well it is maintained.

This is the failure worth guarding against first, because it stays invisible until the moment a regulator asks for the record that was never created. A permanent list can look complete, current and well maintained on its own terms while an entire deal's worth of access goes unrecorded beside it. Fixing this means treating every new piece of inside information as its own trigger: the moment a transaction begins, an event-based list opens for it, independent of who is already sitting on the permanent list.

The Secondary Risk: A Permanent List That Grows Too Wide

A second failure runs the other way, over-populating the permanent list by adding anyone who touches sensitive information reasonably often, on the reasoning that it is simpler to include people than to keep deciding, deal by deal, whether they belong on an event-based list instead. This solves an administrative headache and creates a regulatory one in its place.

Permanent insider status is not a lighter version of appearing on an event-based list. It is a heavier one. A permanent insider is presumed to have access to all inside information at all times, which is exactly why the trading restrictions attached to that status are wider and more persistent than those applied to someone named on a single deal list for a fortnight. Add people who do not genuinely have continuous, company-wide access, and you have handed them a standing restriction the facts do not support, a position that is harder to defend under scrutiny than the alternative: a company that can show it thought carefully about who genuinely warrants permanent status, and kept everyone else on event-based lists matched to the access they actually had.

Keeping the Permanent List to Its One Job

Both failures trace back to the same habit, which is treating the permanent list as a single, static answer to a question MAR asks fresh every time inside information exists. Over-reliance skips the event-based list a deal requires, and it is the costlier mistake, because it leaves a gap a regulator can find with a single question. Over-inclusion skips the individual judgement a name requires before it goes on the permanent list, and while it causes less regulatory exposure, it still hands out restrictions that were never earned.

Neither problem is solved by working harder within the wrong structure. Keep the permanent list narrow (or don't keep one at all), reserved for the small group whose access to everything is genuinely continuous. Let every specific matter run on its own event-based list, opened the moment access starts and closed the moment it ends. That discipline, applied consistently, is what keeps the permanent list doing the one job it was built for, and nothing more.

InsiderList is built for exactly that gap: every list, permanent and event-based, lives on one platform with its own audit trail, so a new event-based list can be created the moment a transaction begins rather than waiting for someone to notice one is missing. The permanent list stays reserved for the people who genuinely warrant it, every deal gets its own list from day one, and the record of who was on which list, and when, is there if a regulator ever asks for it.

For more on where the permanent list's remit ends, read our guide to understanding permanent insider lists under MAR, or start with the fundamentals in our basic guide to insider lists under MAR.

Leading compliance teams use InsiderList.

Schedule a product demo to see why.