Three recent developments under the Market Abuse Regulation (Regulation (EU) No 596/2014) ("MAR") warrant attention.
- On 8 May 2026, the ESMA published an update to its Questions and Answers on MAR (the "Q&A") clarifying the annual audit obligation under Commission Delegated Regulation (EU) 2016/957 (the "RTS on STORs").
- On 16 April 2026, the Court of Justice of the European Union ("CJEU") ruled in Case C-229/24 (TK, OP v Riksåklagaren - Brännelius) that information must be disclosed in the specific manner prescribed by MAR and its implementing regulation before it ceases to qualify as "inside information".
- On 12 June 2026, Regulation (EU) 2026/1291 (the "New ITS"), introduces revised insider list templates that apply to all MAR issuers from 5 July 2026.
Stor audits: internal auditors permitted
Article 16(2) of MAR requires persons professionally arranging or executing transactions ("PPAETs") and trading venues to establish effective arrangements, systems and procedures to detect and report suspicious orders and transactions ("STORs"). Article 2(5)(b) of the RTS on STORs further requires those persons to conduct an annual audit of those arrangements, systems and procedures.
Two questions had been left open by the text of the RTS on STORs: whether the annual audit must be conducted by an external auditor, and how the "internal review" mentioned in the same provision relates to the audit requirement. The Q&A addresses both questions directly.
On the audit, ESMA confirms that the RTS on STORs does not explicitly specify whether the annual audit should be external or internal. PPAETs and trading venues may therefore conduct the required annual audit either internally or externally. Where the audit is carried out internally, ESMA expects it to be performed by an independent function. On the internal review, ESMA clarifies that the reference to an "internal review" in Article 2(5)(b) should be understood as a complementary exercise to the audit - not as an alternative to it or a substitute for it.
What counts as valid public disclosure of inside information?
The facts of Brännelius case
On 14 May 2018, a municipal contracting authority in Umeå, Sweden sent letters to a number of tenderers, including a listed company (the "Issuer"), notifying them that the contract would not be awarded to them. TK and OP, employees of a firm that assisted the Issuer in the tender process, received or became aware of this information and subsequently sold shares in the Issuer before the Issuer made a public disclosure. Swedish prosecutors charged TK and OP with insider dealing under MAR. The central question referred to the CJEU by the Högsta domstolen (Swedish Supreme Court) was whether the letters sent to the tenderers by the contracting authority constituted "public" disclosure of the relevant information, such that the information had ceased to be inside information by the time TK and OP traded.
The ruling
The CJEU held that, in order for information to be considered to have been "made public" - and thereby to have ceased to be inside information within the meaning of Article 7(1)(a) of MAR - it is necessary for public disclosure to have taken place in the manner and in compliance with the requirements laid down in Article 17 of MAR and Article 2(1) of Regulation (EU) 2016/1055 (the "Implementing Regulation"), which sets out the technical means for appropriate public disclosure of inside information.
The Court therefore rejected the argument that disclosure to a defined, limited group of recipients - even under a statutory procedure such as public procurement notification - satisfies the MAR standard of public disclosure. Equally, information that is theoretically obtainable on request, or that has been communicated in a context that falls outside the specific channel and technical means prescribed by MAR and the Implementing Regulation, does not cease to be inside information for these purposes.
Insider list templates: simplified and harmonised
On 12 June 2026, Regulation (EU) 2026/1291 introduced revised insider list templates that repeal and replace Commission Implementing Regulation (EU) 2022/ for the purposes of Article 18 of MAR, as amended by Regulation (EU) 2024/2809 (the "Listing Act").
The principal change is the extension of the alleviated format to all insider lists drawn up under Article 18(1) of MAR, irrespective of whether the issuer is admitted to trading on an SME growth market. Previously, under Regulation (EU) 2022/1210, a more detailed and burdensome format was required for standard issuers, while the alleviated format was reserved strictly for SME growth market issuers. Under the New ITS, a single harmonised template applies to both categories of issuer, reflecting the Listing Act's broader objective of reducing administrative burdens on public market issuers.
The New ITS also introduce the following changes to the content and structure of insider lists.
Reduction of personal data fields
The obligation to record personal telephone numbers and personal home addresses is removed entirely from the templates. Furthermore, the requirement to record a birth surname has been restricted; it is now only required if it differs from the individual's current surname, rather than being a mandatory standalone field for everyone. The company name and address for third-party service providers are also no longer required to appear as a separate field in the template itself, being instead captured within the function and reason field. Issuers that have encountered reluctance from insiders to provide this level of personal information will find the revised requirements materially easier to administer.
Third-party service provider contact person
The New ITS codify at EU level the approach whereby, where a legal person acts on behalf of or on the account of an entity and has access to inside information, that entity is required to include in its insider list the details of only one natural person acting as a contact person for the third-party service provider, rather than listing every individual at the service provider with access to the relevant inside information.
Treatment of permanent insiders
Under the previous framework, the permanent insiders' section contained a single field recording the date and time of inclusion. The New ITS replace this structure by introducing separate "Obtained" and "Ceased" fields to log the specific start and end timestamps of an individual's permanent insider status. This allows the template to function dynamically as a continuous historical log, preserving a complete audit trail of permanent access over time within a single record without requiring the deletion of historical entries when a person's permanent status ends.
Share on