Information Security Policy
At Nexi, we are committed to ensuring the highest standards of information security. Our Group Security Policy, approved by the Board of Directors, is based on international regulations and recognized best practices. It is designed to protect the confidentiality, integrity, availability, and authenticity of data, while continuously strengthening our overall security posture to support the trust of clients, employees, partners, shareholders, and regulators.
We have clearly defined roles and responsibilities across the organization, ensuring that every employee understands their role in safeguarding information. Accountability is embedded in our processes, and effective escalation paths are in place to address security matters promptly. Regular training equips our people with the knowledge and tools needed to uphold strong security practices.
Our Group Chief Information Security Officer (CISO) is responsible for defining and overseeing Nexi’s cybersecurity strategy, program and framework, ensuring alignment across all business areas and geographies.
We take a proactive approach to threat detection and prevention through advanced monitoring, continuous risk assessment, and early warning systems. Our structured incident response framework ensures that any event is managed swiftly and effectively, with clear responsibilities assigned throughout the organization. Insights gained from incidents are used to enhance our security framework and drive continuous improvement.
Supply chain security is also a key priority. We maintain ongoing oversight of third-party providers and include specific contractual clauses to ensure the security of services, including clear exit strategies. Our third-party engagements are governed in alignment with Nexi’s information security standards.
Information Security Program
Nexi has implemented robust information security management programs to safeguard its digital infrastructure and ensure operational resilience across all business areas. These programs include a comprehensive set of initiatives designed to prevent, detect, and respond to cyber threats, while maintaining the continuity and integrity of critical services.
Key components include:
- Detailed and regularly tested plans address a wide range of risk scenarios — including cyber threats — to ensure the resilience and rapid recovery of essential services in the event of disruptions.
- Regular vulnerability assessments are conducted using a risk-based approach to proactively identify, evaluate, and remediate security weaknesses in applications, systems, and infrastructure.
- Employees are empowered and encouraged to promptly report incidents, vulnerabilities, or suspicious activities through a well-defined escalation process, enabling swift investigation and response.
- All employees receive ongoing training to build awareness of cybersecurity threats, promote safe digital behaviors, and reinforce individual responsibilities in protecting sensitive information.
To ensure effectiveness, the program is subject to regular internal audits that assess alignment with the Nexi Information Security Framework. In addition, the program is subject to independent external audits, including certifications and assessments such as ISO/IEC 27001, PCI DSS, and ISAE 3402. These certifications and attestations are renewed annually, reinforcing continuous improvement and offering strong assurance to both the company and its clients in terms of compliance, reliability, and risk management.
In the last fiscal year, Nexi recorded zero major security breaches or data breaches, demonstrating the effectiveness of its multi-layered security strategy, continuous monitoring, and commitment to ongoing improvement.