Leading Italian Bank Credem Group Modernizes Cybersecurity to Meet NIS2 and DORA Requirements
Credem Group is one of Italy’s most established banking institutions, operating nearly 600 branches across 19 regions and supporting more than 6,700 employees. As banking services have gone digital, cybersecurity has become inseparable from business continuity.
“For banks, cybersecurity is crucial because our services are now delivered digitally,” explained Francesco Puccioni, Head of Cybersecurity Operations at Credem Group.
With a distributed workforce and mounting regulatory obligations under NIS2 and DORA, Credem needed to modernize its cybersecurity. The bank consolidated its antivirus, endpoint detection and response (EDR), firewall management, and device control on the AI-native CrowdStrike Falcon® cybersecurity platform.
This story explores how one of Italy’s leading financial institutions simplified endpoint security operations, improved detection quality, and reinforced resilience with CrowdStrike.
Managing Risk in a Digital Banking Environment
Credem’s environment spans Italy, with 10,000 endpoints supporting daily banking operations. As its digital services expanded, so did the volume and complexity of security events. Interconnected systems and third-party service providers increased the attack surface, while the adoption of generative AI introduced new operational considerations.
Prior to deploying CrowdStrike, Credem managed separate antivirus and EDR solutions. Maintaining and updating multiple systems required coordination across tools and manual correlation of alerts. Security analysts were often required to piece together fragmented data from different consoles during active investigations.
Alert noise created additional strain. False positives consumed valuable SOC time and increased the risk of delayed response. The security team recognized that managing separate point solutions was limiting efficiency and visibility.
Consolidating Protection on a Unified Platform
In 2023, as its previous EDR contract expired, Credem evaluated the security market. The objective was to identify the strongest endpoint protection capabilities available while aligning with long-term resilience and regulatory requirements.
The bank selected a number of Falcon platform modules for endpoint security, gaining unified endpoint protection through a single lightweight sensor and centralized console.
“We consider CrowdStrike the ideal best-of-breed partner to help us protect our endpoints from any potential issues,” Puccioni said.
The consolidation eliminated the operational burden of maintaining separate antivirus and EDR systems. Instead of manually correlating events across multiple platforms, the SOC gained unified visibility into endpoint activity.
Investigations that previously required days of analysis could now be completed in minutes. In addition, automated correlation reduced the likelihood of human error during high-pressure situations and allowed analysts to focus on confirmed threats.
Operationally, lifecycle management became simpler. Policy updates and monitoring occurred within one platform, reducing friction across the environment.
Reducing Noise and Strengthening Containment
Detection quality improved alongside speed. Through continuous policy tuning and refinement, false positives declined significantly. Analysts spent less time investigating benign activity and more time responding to genuine threats.
Of 4,525 suspicious events identified in the first year, 149 were confirmed malicious and stopped by the Falcon platform before impacting the business. In other words, a critical event was neutralized approximately every two days on average. Each confirmed threat was identified and contained before it could escalate into a broader security incident.
Containment was a critical advantage. When malicious activity was detected, affected endpoints could be automatically isolated, preventing lateral movement across the network. In a regulated banking environment, rapid isolation helps limit operational disruption and reduce exposure.
Credem gained another layer of protection by enforcing strict governance over data movement. The Falcon platform module enabled the security team to monitor and regulate transfers involving USB drives and other removable storage devices. This helped prevent data exfiltration and protect sensitive customer information.
“The platform module enabled us to retain full control over data in transit to and from mass storage systems, including portable storage and USB drives,” Puccioni said. “It also facilitated the enforcement of policies that ensured we maintained strict control over corporate data.”
Building Long-Term Resilience Across Italy
For Credem, cybersecurity investment is closely tied to resilience and regulatory compliance. Frameworks such as NIS2 and DORA require demonstrable capabilities in detection, response, and business continuity. Reducing investigation time, lowering false positives, and strengthening containment directly support those objectives.
By consolidating endpoint security on the Falcon platform, Credem also reduced tool sprawl while improving detection accuracy and operational efficiency. Automation lowered the risk of human error during time-sensitive investigations, while unified visibility strengthened the SOC’s ability to respond consistently across the organization’s nationwide footprint.
“We are extremely satisfied with our partnership with CrowdStrike,” Puccioni said. “Not only with their solutions but the company behind it, particularly their support and timely remediation capabilities.”
Looking ahead, Credem is focused on expanding its control framework across cloud workloads, containers, SaaS applications, and infrastructure as code. As its digital ecosystem continues to evolve, the bank intends to build on its endpoint security foundation while maintaining the operational simplicity achieved through platform consolidation.
With unified visibility and faster containment in place, Credem has strengthened how it defends its digital banking operations, reinforcing security as a core pillar of its long-term strategy.