15/07/2026

NIS 2: Why loyalty databases have become a critical target

Compliance with the NIS 2 Directive, entering into force in October 2026, makes digital security a cornerstone of business continuity, turning this regulatory obligation into a guarantee of reliability for every business. In this landscape, loyalty databases represent a critical target due to the sensitive nature of the data they process. This is why Advice Group and its loyalty platform WEKIT are already compliant, ensuring the necessary protection to safeguard your data assets and shield your brand.

NIS 2: Why loyalty databases have become a critical target

In the contemporary business ecosystem, customer behavioral and transactional data represent one of the most valuable assets for any brand. Through Behavioral Loyalty strategies, companies manage to map purchasing habits, anticipate consumer needs, and build long-lasting, trust-based relationships. However, a greater centrality of data inevitably entails an equivalent responsibility in terms of protection. The European regulatory landscape is undergoing a radical transformation with the introduction of the NIS 2 (Network and Information Security) Directive. This new legislation on cybersecurity, whose mandatory compliance is set for October 2026, is not a simple extension of old bureaucratic requirements. It is a true revolution that directly impacts the supply chain and all technological platforms intended for data management, including loyalty program providers. For corporate Decision Makers – from CMOs to CIOs, all the way to Legal Counsel – understanding NIS 2 means protecting business operational continuity and, above all, defending the reputation of one's brand.

What is NIS 2 in simple words

NIS 2 is the new law created with the aim of raising cyber resilience levels across the European Union. Unlike the previous version, this directive drastically extends the scope of companies required to comply. The regulation divides the entities involved into two macro-categories, introducing an unprecedented penalties regime:

ESSENTIAL ENTITIES

This category includes large enterprises operating in sectors considered critical, with:

- more than 250 employees

- or a turnover exceeding 50 million euros (or a balance sheet total exceeding 43 million euros) operating in "highly critical" sectors. Public Administrations, providers of electronic communications networks, and trust services are also part of this group.

PENALTIES FOR ESSENTIAL ENTITIES

The penalties provided for in case of non-compliance can reach 10 million euros or 2% of the annual global turnover.

IMPORTANT ENTITIES

These are generally medium-sized enterprises operating in sectors considered critical, with:

- a number of employees between 50 and 249,

- a turnover below 50 million euros (or a balance sheet total below 43 million euros). Large enterprises from other sectors not defined as "highly critical" also fall into this category.

PENALTIES FOR IMPORTANT ENTITIES

For this category, penalties reach up to 7 million euros or 1.4% of the annual global turnover.

NIS 2 and the direct responsibility of management

A crucial aspect for management concerns the introduction of the direct responsibility of governing bodies:

  • The Board of Directors is considered negligent if it does not allocate an adequate budget or does not formally approve cybersecurity plans.
  • Directors (CEOs and Managers) risk personal administrative sanctions and suspension from managerial functions should they fail to implement the approved measures.

The constraint for companies: The law establishes a clear and unavoidable principle: every company has an obligation to verify that its suppliers are NIS 2 compliant. Choosing a non-compliant technology partner means exposing the entire company to severe legal, financial, and reputational risks.

Why loyalty databases are a critical target

Why should a Marketing Director or a CIO worry about NIS 2 when designing a Loyalty strategy? The answer lies in the very nature of the data processed.

Modern loyalty databases no longer contain just simple personal details (names, emails, residence, etc); they instead safeguard a fundamental asset for the corporate CRM: transactional history, purchasing habits, tastes and preferences, qualitative data in response to quizzes and surveys, and much more. This level of detail makes loyalty databases and connected infrastructures an extremely attractive and critical target for cybercriminals.

A cyberattack that breaches data collected through a loyalty program does not just cause technical damage, but directly impacts the "Customer Trust" that the brand has spent years building. If the consumer does not perceive the loyalty program as safe and reliable and, consequently, does not consider the platform on which it was designed to be secure, they will stop participating in the initiative and will promote negative word-of-mouth, which will directly impact brand reputation.

Advice Group and the WEKIT loyalty platform meet the security and cyber-resilience standards required by NIS 2

Faced with such a stringent regulatory scenario, the choice of technology partners can no longer be based exclusively on platform features and aggressive pricing.

The evaluation of infrastructural security must be put in the foreground.

At Advice, we have adopted all the prevention measures provided for by the regulation.

NIS 2 COMPLIANCE

  • SIEM Protocol (Security Information and Event Management):Centralized monitoring and real-time analysis of all security events to instantly detect any anomaly or threat attempt.
  • SOC Management (Security Operations Center): A team of experts dedicated to the continuous control of the infrastructure 24/7, capable of ensuring proactive risk management and timely responses to cyber incidents.
  • MFA Authentication (Multi-Factor Authentication): A rigorous access standard to ensure that only authorized personnel can operate on the systems, drastically reducing the risk of unauthorized access.

AN ECOSYSTEM OF INTERNATIONALLY RECOGNIZED GUARANTEES

  • ISO 27001 Certification (Information security management systems).
  • ISO 9001 Certification (Quality management systems).
  • Full GDPR Compliance for the maximum protection of consumer privacy.

STRUCTURED CYBERSECURITY PREVENTION

Given the significant volume of behavioral information that we analyze and manage every year, we had to adopt a structured cybersecurity prevention strategy aimed at locking down the technical architecture and the behavioral data managed within the platform:

  • Data Security and Encryption: Information security is based on AES-256 end-to-end encryption algorithms, applied to both data at rest and data in transit, protected via rigorous TLS protocols.
  • Daily database backups and automated recovery tests: to guarantee the integrity of the information assets collected and stored in the DWH.                                                               
  • OAuth2 Authentication and Access Control: Access to the platform leverages OAuth2 authentication protocols, which manage multi-factor identification and regulate operations in a role-based manner. This allows for a rigorous and differentiated activation of permissions relative to the actual level of operations granted to the user within the platform.
  • Immutable Logs: Every single security event, access, data modification, or activity carried out by users is strictly recorded in immutable logs. This unalterable history is constantly analyzed by the SIEM system to highlight anomalous behavior patterns in real time and nip potential attack attempts in the bud.
  • Vulnerability Assessment and Penetration Test: Prevention is also done through simulation. We plan and execute periodic Penetration Tests and Vulnerability Assessments on the infrastructure, also upon request from our clients. These are indispensable checks to identify and promptly correct critical issues before they can be exploited externally.

With Advice Group and WEKIT, your loyalty program and your customers' data are safe

October 2026 is the deadline set for NIS 2 compliance by companies and suppliers. It is not just an obligation but also an opportunity to identify market operators who have the interests of consumers at heart first and foremost, and therefore those of their client companies.

Those who do loyalty for a living know that trust is not a program, but an ecosystem of choices and responsibilities that allow trust to be generated among the actors involved.

Our choice was a structural adjustment with respect to cybersecurity and technological resilience issues that is even higher than what is required by NIS 2. Advice and the WEKIT platform are compliant, trustable, and ready to securely manage your customers' data within every engagement and loyalty activity. With Advice Group and WEKIT, your loyalty program and your customers' data are safe.

YOUR DATA IS SAFE, YOU ARE IN SAFE HANDS.


You may be interested in