Two lists, one platform: Insider and Confidential Lists explained

Not every list a compliance team maintains is an insider list, and not every confidentiality risk is a Market Abuse Regulation (MAR) risk.

25 May 2026

Introduction

Compliance teams at listed companies routinely run several different lists at once. Some are required by MAR and have a prescribed format down to the field. Others sit outside MAR entirely but still need real access control because the underlying information is commercially sensitive. That boundary between regulated and unregulated is the line that matters, and the rest follows from it.

Conflating the two is the most common mistake. Treat every list as a MAR insider list and you create disproportionate work where the regulation does not bite. Treat your insider list like an informal spreadsheet and you create real exposure where it does. Two distinct list types on one platform exist so the right structure sits around the right obligation, with nothing over-engineered and nothing left informal that should not be.

Insider lists

Insider lists are the formal record MAR requires from any listed issuer, and from anyone working on its behalf, of who has access to inside information at any given moment. Everything about them, from format to retention to update timing, is prescribed.

Who has to keep one

MAR Article 18 requires every issuer with securities admitted to trading on a UK regulated market, a multilateral trading facility (MTF) or an organised trading facility (OTF) to maintain an insider list. So do persons acting on the issuer's behalf or account, which captures advisers, banks, lawyers and PR firms working on a matter that touches inside information.

What goes in it

Each list runs in two parts. A permanent section covers individuals with continuous access to inside information, typically a small group such as the executive directors and the company secretary. An event-based or deal-specific section covers everyone else whose access is tied to a particular piece of inside information, from a specific transaction to an unannounced trading update.

ESMA (the European Securities and Markets Authority) prescribes the format. Each entry carries the same defined fields, including full name, function and reason for inclusion, the date and time access was obtained, and the personal details a regulator needs to trace the person if a market abuse investigation opens. A spreadsheet that is "basically the same" is not the same.

Keeping it current and accessible

Currency is the obligation that catches teams out. Insider lists must reflect who actually holds inside information at any given moment, which means updating them when access changes rather than at the end of the week when someone remembers. Records must be retained for at least five years, and the Financial Conduct Authority (FCA) can ask for the list "as soon as possible", which in practice means hours rather than days.

How InsiderList handles it

In InsiderList, the MAR insider list lives in the prescribed format from the moment it is created. Adding or removing a person updates the list and the audit trail in the same action, with timestamps the regulator will expect to see. Acknowledgements from each insider, recording that they understand their obligations and the consequences of breach, are tracked against their entry.

Confidential lists

Confidential lists do the same operational job for information that is sensitive but not yet inside information, and for organisations that sit outside MAR's scope altogether. No regulator prescribes the format, but the discipline still matters, and the same record can be promoted to a MAR-compliant insider list the moment the underlying information crosses the threshold.

When MAR doesn't apply but access still does

Not all sensitive information is inside information. A merger discussion that has not yet reached the threshold of being precise and price-sensitive, a strategic review that may or may not result in market-moving action, a customer dispute, a personnel matter, a piece of pre-initial-public-offering (pre-IPO) planning at a private company: all of this is commercially sensitive, all of it warrants controlled access, and none of it triggers MAR.

What a confidential list does

A confidential list records who has been granted access to a defined piece of sensitive information, when they were added and when their access ended. Format is not prescribed because no regulator prescribes it, but the discipline matters all the same. Confidentiality undertakings, ethical walls and non-disclosure agreements (NDAs) are only as good as the record of who is inside them.

Who uses them

Audiences for confidential lists are wider than for insider lists. Private companies use them. Listed companies use them for information that is sensitive but not yet inside information, with the option of converting the record into a MAR-compliant insider list if the situation moves across the threshold. Advisers use them to track who in their own organisation is working on a confidential matter for a client.

Project lists: confidential lists, delegated

A project list is a confidential list scoped to a specific piece of work, with day-to-day maintenance delegated to the person running it. Where standard confidential lists are typically owned by the compliance function at the centre, a project list moves the access management closer to where access is actually being granted.

This matters in practice for the way deals and projects actually run. A capital markets transaction, an internal investigation, a strategic project with several workstreams: the project lead knows in real time who is joining the team, who is being looped in for a single question, and who has stepped off. Routing every access change through compliance creates delay at the front and gaps in the record at the back. Routing it through the project lead, on a list with the controls and audit trail compliance needs, removes both.

Delegation here is structured, not loose. A project lead has the rights to add and remove people on their list and only their list. Compliance retains oversight of every project list, with visibility into who is on each one, when entries change, and what the audit trail says. That model preserves the central control compliance is accountable for while putting the day-to-day work in the hands of the person who actually has the information.

How InsiderList handles them

InsiderList runs confidential lists with the same access controls, audit trail and notification workflow as insider lists, without the prescribed-format constraints that do not apply. Delegated project variants share the same controls, with permissioned ownership for the project lead and full visibility for compliance. If a confidential list, delegated or not, later becomes an insider list because the underlying information has crossed the threshold, the record can be migrated rather than rebuilt, which removes the worst case of having to reconstruct who knew what and when under regulator pressure.

Which list do you need? A quick reference

Most teams know the regulatory boundary in principle and still spend time relitigating it in practice. The decision usually comes down to three questions: what kind of information is at stake, who needs to control access in real time, and what format the record has to be in if a regulator asks.

Your situation: People in your organisation, or your advisers', hold inside information about a listed issuer
List type: Insider list
Why: Required by MAR Article 18, in ESMA's prescribed format, retained for five years and disclosable to the FCA on request

Your situation: Information is commercially sensitive but does not meet the inside-information threshold
List type: Confidential list
Why: No MAR obligation triggered, but the access record matters for NDAs, ethical walls and the option to escalate later

Your situation: Access to a specific deal or workstream needs to be managed at speed by the people running it
List type: Project list (a delegated confidential list)
Why: Day-to-day maintenance sits with the project lead; compliance retains oversight on every list

Categories shift over time. A confidential list, delegated or not, can convert to a MAR insider list the moment the underlying information crosses the threshold. Picking the right structure is a decision about today's access dynamics, not a permanent label, and the platform leaves room to change tomorrow.

How InsiderList handles both on one platform

One login, one audit trail, one place to look when something needs to be produced. Each list type has its own structure, but the controls around them are common: timestamped entries, acknowledgements from each person added, a complete change history, and exports formatted for whichever audience needs them, including the FCA.

In practice, the question "what kind of list do I need here?" stops being a workflow obstacle. Compliance can set up the right structure for the situation in front of them, rather than forcing a sensitive-but-not-inside matter into a MAR template or running an unregulated confidential matter in a spreadsheet that no one trusts. Where a confidential list needs to escalate to a MAR insider list because the information has crossed the threshold, the migration happens in place with the access history intact. Where a project lead needs to maintain a list themselves, the delegation is structured, with compliance oversight preserved.

Two list types on the platform reflect the regulatory boundary MAR draws. A delegated variant within the confidential model reflects the way deals and projects actually run. Together they give compliance teams the structure that fits the obligation in front of them, without forcing one workflow onto another.

To see the list types side by side, book a demo or read more on our insider list feature page. For more on when sensitive information becomes inside information, see our guide to making that call.
