UKNF on insider lists: Recommendations concerning MAR and digitization of compliance

On 17 December 2025, the Office of the Polish Financial Supervision Authority (UKNF) published a significant position statement addressing one of the most burdensome obligations for issuers of securities- the drawing up of lists of persons having access to inside information (so-called “insider lists”). 

This document casts new light on the technical aspects of Article 18 of the Market Abuse Regulation (MAR), introducing an interpretation conducive to the digitalization of compliance processes.

Distributed model- no more data duplication?

Previously, many issuers maintained extensive spreadsheets containing the full sensitive data of insiders, which created risks related to GDPR. The UKNF confirmed that maintaining the list in a distributed form is admissible. 

This means that for the list itself, basic data (name, surname, function) suffices, while the detailed private data required by law (e.g., addresses, national identification numbers) may be stored in separate systems, for instance, in the issuer’s HR systems.

However, caution must be exercised. The supervisory authority imposes a strict condition: the implementation of organizational arrangements must guarantee that, upon the request of the KNF, a complete list is generated and completed without delay.

The method of keeping the list must not negatively affect the timing of its submission. Crucially, the issuer must possess this data “at all times”- attempting to obtain it only upon receiving a request from the regulator is impermissible.

Electronic insider statements? UKNF confirms admissibility

A second key aspect of the position statement is the liberalization of the approach to the form of confirmation of obligations by insiders (Article 18(2) MAR). Citing the autonomy of EU law and the principle of proportionality, the UKNF indicated that the requirement for the person on the insider list to acknowledge their duties “in writing” does not mandate the use of a traditional written form or a qualified electronic signature.

Confirmation made in electronic form (e.g., an email from a dedicated address, a scan of a handwritten signed acknowledgement) is considered effective, provided that this form objectively allows for the identification of the person making the declaration and confirms that they have acknowledged their legal and regulatory duties and are aware of the sanctions.

This is a step towards a modern, dynamic interpretation of provisions, accounting for technological realities.

New UKNF guidelines in practice: what must securities issuers do?

The UKNF position statement offers an opportunity to streamline internal processes, but also necessitates a revision of existing MAR procedures. Technical facilitations do not exempt issuers from liability for data completeness and reporting timeliness. Errors in this regard may result in severe administrative sanctions provided for in Article 30 of the Market Abuse Regulation.

We recommend an immediate verification of your procedures regarding the flow of inside information for compliance with the new guidelines, particularly regarding the integration of HR systems with insider lists and the archiving of electronic acknowledgements.

Do you have doubts about the compliance of your procedures with UKNF guidelines?

Our law firm supports securities issuers in adapting MAR procedures to the latest interpretations of the regulator.

We will help you verify how you maintain insider lists, implement a distributed model compliant with the GDPR, and streamline the processes of obtaining and archiving electronic statements. Contact us to avoid risk and operate in line with supervisory expectations.