June 11, 2025
As app usage increases, so does the risk of digital fraud and of attacks aimed at stealing data or cloning official brand apps. Failing to prevent fraud puts a company’s brand at risk and can expose it to heavy fines and legal liability. In this article, we analyse the risks a company runs if it does not warn its customers about malicious apps, the sectors legally obliged to inform users, and how to protect both the brand and its customers.
In recent years, European supervisory authorities have tightened information and security requirements in order to protect consumers.
PSD2 (the Payment Services Directive): banks and payment service providers (PSPs) must notify customers when an ICT incident may compromise their financial interests. Failure to do so, or a delay, may result in fines from the Bank of Italy, in addition to the obligation to immediately reimburse unauthorised transactions (Articles 73–74 PSD2).
EECC (telecommunications operators and messaging services): if a ‘particular and significant threat’ is identified (e.g. a smishing campaign or fake apps), the provider must promptly inform users of the necessary countermeasures (Article 40, paragraph 3). AGCOM may impose fines in the event of non-compliance.
GDPR: any data controller must inform data subjects ‘without undue delay’ if a data breach poses a high risk to their rights and freedoms. Failure to do so may result in fines of up to €20 million or 4% of global turnover, in addition to corrective measures by the Data Protection Authority.
DORA, the Digital Operational Resilience Act, which came into force on 17 January 2025 for the financial sector, extends and harmonises reporting obligations for ‘major ICT incidents’. Failure to notify the relevant supervisory authorities (e.g. the National Banking Authority) may result in significant administrative and, in serious cases, operational sanctions.
The NIS2 Directive identifies ‘essential’ and ‘important’ entities (in the energy, transport, healthcare, digital and public administration sectors, for example) and requires them to implement adequate technical and organisational measures. If an incident impacts the services provided to users, customers must be informed, under penalty of fines of up to €10 million or 2% of global turnover (for essential entities) and up to €7 million or 1.4% (for important entities).
While not all companies have the same regulatory obligations, the following areas must implement mandatory prevention and communication activities for users:
Banks and payment service providers
Reference standard: PSD2 art. 96.
Obligations:
Inform customers of risks and incidents that may affect their financial interests.
Publish and provide guidelines on ICT risk management and security behaviours (awareness).
Financial sector entities
Reference standard: DORA art. 19.
Obligations:
Manage ICT incidents and notify them to the relevant authorities in a timely manner.
Inform customers of the mitigation measures adopted.
Telecommunications operators and messaging services
Reference standard: EECC (European Electronic Communications Code), art. 40, paragraph 3.
Obligations:
In the event of a ‘particular and significant threat’ (e.g. smishing campaigns or counterfeit apps), ‘appropriately inform potentially affected users about the protective measures’.
Essential and important entities under NIS2
Reference standard: the NIS2 Directive (2022/2555), implemented in Italy by Legislative Decree No. 3/2024.
Obligations:
Implement suitable technical and organisational measures to guarantee the continuity of services.
Insurance companies
Reference standard: IVASS Regulation 44/2019.
Obligations:
Prepare anti-fraud and customer due diligence (KYC) procedures.
In the event of a ‘particular threat’ (e.g. fraud relating to fake policies or fake apps), inform customers how to protect themselves.
Any data controller
Reference standard: GDPR art. 34.
Obligations:
Inform data subjects (customers and users) of a data breach within 72 hours of its discovery if it poses a ‘high risk’ to their rights and freedoms.
Even in areas where obligations are not explicitly detailed, it is essential to adopt a continuous prevention strategy that integrates application security and awareness measures. Here are some recommended best practices:
A cyber-awareness programme aimed at users
Send periodic communications with practical advice:
‘Download the app only from the official store (Google Play or the App Store).’
‘Do not share OTPs or credentials with third parties.’
Use simple, clear language consistent with the brand identity, so that customers learn to recognise the brand’s genuine communications and are less likely to fall for spoofing or phishing attempts that imitate its official graphic style.
Implement an incident response and customer care procedure
Define a playbook involving the Security Operations Centre (SOC), Compliance and Customer Care:
If an incident exceeds a predetermined threshold (e.g. it impacts a minimum number of users or a given economic amount), formal notices are sent to customers within 24–48 hours.
Prepare standard communication templates, already approved by the legal department, containing:
A brief description of the incident.
Practical instructions on how the company will mitigate the damage (e.g. an app update or support contact details).
References to the industry regulations that justify the notice.
Maintain a fraud register and produce periodic reports
Maintain a structured register of fraudulent activities (type of attack, entry channel and economic impact), in accordance with EBA/ENISA standards.
Measure KPIs (e.g. fraud rate, percentage of false positives, average resolution time) and share them with supervisory authorities where applicable, to demonstrate the company’s ‘diligence’.
Conduct a contractual review with third-party vendors
Include contractual clauses obliging vendors to immediately notify you of any vulnerabilities or incidents in published apps.
Conduct security audits to identify potential backdoors or vulnerabilities.
For many companies, including fintechs, telcos and those offering mobile-first services, passive monitoring is no longer sufficient. This is where AppSentry comes in: the Mobisec solution for detecting “rogue mobile apps” and continuously monitoring official apps in all mobile stores.
Rogue mobile app detection automatically analyses the code, graphics and signing certificates of apps published on official and unofficial stores, looking for modified or repackaged (‘wrapped’) APKs that could be passed off as the legitimate app.
Real-time app security: AppSentry provides immediate alerts when a suspicious version of an app is detected, enabling you to launch preventive communication campaigns and take down the unofficial application.
Brand protection: thanks to detailed reports and intuitive dashboards, you can demonstrate compliance with regulators (PSD2, EECC and NIS2) and reassure stakeholders and users that the company is continuously monitoring the threat landscape.
Reduced potential sanctions: demonstrating the adoption of AppSentry as part of a structured app security programme significantly reduces the risk of disputes with supervisory authorities because it is recognised as a measure of ‘diligence’ and ‘best practice’, as endorsed by ENISA and EBA.
In short, failing to take preventive measures is not a minor oversight. European regulations, ranging from PSD2 and DORA to EECC and NIS2 and including the GDPR, impose information and incident response obligations. Fines can reach tens of millions of euros, not to mention the reputational and customer relationship damage.
Investing in a structured app security programme and specific tools, such as AppSentry, can transform regulatory obligations into a competitive advantage.
Protect your customers from fake APKs, smishing and in-app phishing.
Demonstrate attention and transparency towards users to strengthen brand protection.
Reduce the risk of fines by demonstrating that you have adopted recognised market solutions.
A proactive anti-fraud approach protects your reputation and consolidates trust in the brand. AppSentry offers continuous protection that integrates seamlessly with corporate compliance policies, enabling companies to focus on growth safe in the knowledge that they are covered by the highest standards of app security and brand protection.