What has changed
Since 1 January 2026, the United Arab Emirates has been operating under a new capital markets framework. Federal Decree-Law No. 32 and No. 33 of 2025 replaced the Securities and Commodities Authority (SCA) with a newly established Capital Market Authority (CMA), bringing with it a materially expanded approach to market abuse, disclosure, and corporate governance. Entities subject to the laws have until 1 January 2027 to regularise their status, and compliance teams at listed companies on the Dubai Financial Market (DFM) and Abu Dhabi Securities Exchange (ADX) should not be treating this as a passive waiting period.
One obligation that will draw close attention from the CMA is the management of insider registers: who holds material non-public information (MNPI), when they received it, and what controls exist to prevent it from being misused.
New requirements
Listed companies in the UAE have long been required under SCA rules to maintain what is commonly referred to as an insiders register: a record of all board members, senior executives, and employees who have access to MNPI about the company. Alongside the register itself, companies must manage closed periods, the windows, typically 15 days before the end of a financial period, during which anyone on the register is prohibited from trading in the company's securities.
Federal Decree-Law No. 33 of 2025 (FDL33) goes further. It expressly prohibits not only direct trading by persons in possession of insider information, but also indirect dealings, capturing a wider range of conduct across the information chain. It introduces clearer rules on what constitutes an insider trading offence, expanded disclosure obligations for issuers, and a strengthened enforcement toolkit for the CMA, including materially higher penalties than those available under the former SCA regime. Implementing regulations are still being issued, which means the detailed rules are still taking shape. That is not a reason to wait. It is a reason to ensure your existing controls are solid before those rules arrive.
Practical steps in maintaining an insider register
In principle, the obligation is straightforward: know who has access to sensitive information, record it, maintain it, and be able to demonstrate it to the regulator on request, or upload it directly on the relevant portal (for example, the DFM insider portal). Issuers often struggle with keeping up to date with changes to the register.
Consider what a deal or corporate transaction actually involves. Outside legal counsel, financial advisers, auditors, bankers, and often a number of internal executives across more than one function will all receive information that is not yet public. Each of those individuals needs to be on the register from the moment they receive it. When the transaction closes, or is abandoned, or their involvement ends, the register needs to reflect that too. Doing this in a shared document passed between the company secretary and legal teams, with version control managed by email, is not a process that holds up under regulatory scrutiny.
It is also not a process that scales. A busy DFM-listed company managing several projects at once, a potential acquisition here, a financing round there, a regulatory situation being handled by external counsel, is running multiple overlapping insider populations at any given time. Keeping a single permanent register of insiders is one thing. Maintaining accurate, date-stamped records for each of those situations simultaneously, across a team that is already stretched, is considerably harder.
Permanent insiders and project-specific records: understanding the difference
It is worth clarifying for companies approaching this from a UAE context: FDL33 does not prescribe project-specific insider lists as a separate, mandatory obligation. That requirement exists explicitly under the EU's Market Abuse Regulation (MAR), which imposes a detailed, format-specific list for each deal or piece of inside information. UAE law currently does not go that far, but it is still considered relevant to maintain project lists from as a measure of good practice.
What FDL33 does require is a defensible record of who held MNPI, and when. In practice, that is very difficult to demonstrate if your permanent register conflates standing insiders with individuals brought in temporarily for a specific transaction. When a company faces regulatory scrutiny over a particular situation, say an unannounced acquisition that was later alleged to have leaked, the question the CMA will ask is whether the company can account for exactly who knew what, and from what point. A register that mixes permanent insiders with transaction-specific ones, without distinguishing between the two, rarely answers that question cleanly.
Separating permanent insiders from those added for a specific reason, and maintaining clear records of when each individual's access began and ended, is therefore sound practice rather than a formal obligation. Companies that do it are better placed to respond to regulatory enquiries. Those that do not tend to discover the gap only when they need to close it quickly.
Why the transition window is relevant now
FDL33 came into force on 1 January 2026. Implementing regulations and supervisory guidance are being issued progressively. The transition period runs until 1 January 2027. Legal commentary from international firms advising on the new regime is consistent on one point: capital markets participants should treat this period as an opportunity to reassess existing structures and practices, not as a pause before action is required.
Regulators rarely announce the first time they test a new obligation. When the CMA begins exercising its expanded enforcement powers, companies with audit-ready insider management records will be in a different position from those relying on a spreadsheet that was last updated when someone remembered. Closing that gap is largely a question of process design, and process design takes time.
Building something you can stand behind
Managing an insiders register well comes down to a few clear requirements.
First, access must be recorded the moment it occurs. Not retrospectively, not at the end of the week. A time-stamped entry is the piece of evidence that places an individual inside or outside the register at any given point. A record that cannot be dated cannot be used in your defence.
Second, notifications to individuals must be documented. When someone is added to an insider list, they should receive written confirmation that they hold MNPI and are subject to trading restrictions. When they are removed, they should be notified of that too. Both notifications, and the acknowledgements, need to be on file.
Third, the audit trail must be complete. If the CMA asks who held sensitive information about a specific situation, on a specific date, the answer should come from a system with a documented history, not from someone's memory or a search through email chains.Fourth, third parties count. External advisers, lawyers, banks, financial PR firms who receive MNPI must appear on the register. Their inclusion is the issuer's responsibility, not theirs.
A note on language
InsiderList is available in Arabic, and our team includes professionals with direct experience working with UAE-listed companies. If you are reviewing your insider management process ahead of the CMA's implementing regulations, or simply want to understand how a purpose-built platform handles the obligations described above, we are happy to walk you through it.
InsiderList is insider register management software used by listed companies across the UK, Europe, USA and the UAE. This article is for general information purposes and does not constitute legal advice. For advice specific to your situation, consult a qualified UAE-regulated legal adviser.
