cside: DORA Compliance Made Simple

The Digital Operational Resilience Act (DORA) is EU legislation designed specifically for the financial sector. Its goal is to ensure that firms protect their ICT systems against disruptions, cyberattacks, and supplier failures. And since so many financial services run in the user's browser, server-side security alone is not enough. You need client-side visibility and control. cside delivers both and adds audit-ready reporting on top.

A screenshot of cside's compliance dashboard

DORA in a Nutshell

DORA requires financial institutions to withstand disruptions, cyberattacks, and supplier issues. Service delivery and financial markets cannot be at risk. Disruptions, attacks, or supplier failures can trigger a chain reaction. That's why DORA establishes a framework for ICT-risk management and incident reporting.

DORA sets rules for ICT risk management. That puts real responsibility on companies. They must test systems regularly and prove resilience; they remain accountable for oversight and recovery. Threat-Led Penetration Testing (TLPT) is mandatory every three years for 'significant entities'. Financial institutions must also control their IT providers. If things go wrong, incidents must be reported. DORA isn't just a suggestion. Non-compliance can lead to heavy sanctions for critical ICT providers: up to 1% of the average daily worldwide turnover per day, for six months.

What DORA Means for You

If your business operates in the financial sector or services financial institutions in the EU, you must comply with DORA.

This includes third-party risks. All ICT systems supporting service delivery must meet requirements. A register of ICT providers is required, and contracts must include audit rights, access to relevant documentation, detailed performance monitoring, and exit plans. Major incidents must be reported under timelines set in the regulatory technical standards (RTS).

How cside Facilitates DORA Compliance

These days a lot of the online action takes place in the customer's browser. That brings increased risks: malware and man-in-the-browser attacks, weakened script integrity and session protection, and data breaches. Even though DORA doesn't prescribe specific client-side controls, they are needed to fulfill risk-management and testing obligations.

Understanding DORA requirements

ICT risk management and integrity (Art. 6–9, 15, 24–26)

Controls often run in the browser alongside third-party scripts. You need to catch tampering (XSS, injection, session abuse) in real time. cside enforces approved execution paths before a script runs, strengthening both protection and prevention. Logs and change records support annual testing and TLPT (for significant entities).

Third-party risks and contracts (Art. 28–30)

Data flows only to approved service providers under appropriate contracts. cside continuously monitors third-party scripts and their destinations, mapped to a provider register. You get exportable, time-stamped logs and destination maps for audits and reporting.

Incident management and reporting (Art. 17–19)

cside alerts live on new endpoints, exfiltration attempts, or changes on critical pages. Everything is timestamped so you can assess and disclose to the authority under RTS timelines.

Incident forensics and supervisor reporting (Art. 17–19, 28–30)

You need forensics when an incident lands. cside records what ran and where data went so teams can reconstruct events. You can export evidence for long-term retention and inspection.

Board accountability and oversight (Art. 5)

You can't govern what you can't see: cside blocks unauthorized browser code that could change data. You can inspect what scripts ran, the fields that were touched and where data is sent, with exportable logs for oversight and accountability.

Real World Example

The Scenario

A customer logs into his online bank account. A compromised third-party analytics script quietly tries to exfiltrate data. Under DORA, this incident violates confidentiality and integrity and must be logged. If criteria for a major incident are met, it must be reported.

With cside

cside immediately blocks the script before it can run, prevents the transfer and sends alerts with detailed logs.

The Result

No data leaves the browser; immediate alerts arrive with detailed evidence, ready for reporting.
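To make the destination-allowlist idea behind the third-party controls and this scenario concrete, here is an added example. It is not cside's code and does not show how cside works internally; it assumes the provider register is a plain object keyed by hostname (each entry naming the provider and the form fields it is contractually allowed to receive) and that every outbound request observed on the page is recorded as the script that issued it, the destination URL and the fields it carries. The register, hostnames and requests are all constructed for the example. Each request is classified before it would leave the browser, and every decision is written to a timestamped log entry of the kind an auditor or incident responder would want to export.

```javascript
// Added example, not cside's code: classify outbound browser requests against a
// provider register and produce timestamped, exportable log entries.

// Constructed provider register (hypothetical hosts), modelled on the DORA
// register of ICT providers: who the provider is and which fields it may receive.
const PROVIDER_REGISTER = {
  "analytics.example-vendor.com": {
    provider: "Example Analytics (third party)",
    allowedFields: ["page", "session_id"],
  },
  "api.example-bank.test": {
    provider: "Bank core API (first party)",
    allowedFields: ["page", "session_id", "account_number", "amount"],
  },
};

// Decide whether a single request may leave the browser.
// request = { script, url, fields }; returns { decision, reason, provider, host }.
function classifyRequest(request, register = PROVIDER_REGISTER) {
  let host;
  try {
    host = new URL(request.url).hostname;
  } catch (e) {
    // An unparseable destination is treated as unapproved, not ignored.
    return { decision: "block", reason: "unparseable destination URL", provider: null, host: null };
  }
  const entry = register[host];
  if (!entry) {
    return { decision: "block", reason: "destination not in provider register", provider: null, host };
  }
  // A registered provider may still be blocked if the payload carries fields
  // it is not contractually approved to receive (the exfiltration case).
  const unapproved = request.fields.filter((f) => !entry.allowedFields.includes(f));
  if (unapproved.length > 0) {
    return {
      decision: "block",
      reason: `fields not approved for provider: ${unapproved.join(", ")}`,
      provider: entry.provider,
      host,
    };
  }
  return { decision: "allow", reason: "destination and fields approved", provider: entry.provider, host };
}

// Run the check over a batch of observed requests and return log entries.
// `now` is injectable so that the timestamps are deterministic in tests.
function auditRequests(requests, register = PROVIDER_REGISTER, now = () => new Date().toISOString()) {
  return requests.map((r) => ({
    timestamp: now(),
    script: r.script,
    url: r.url,
    ...classifyRequest(r, register),
  }));
}

// Only the blocked entries are candidates for incident assessment.
function blockedEntries(log) {
  return log.filter((e) => e.decision === "block");
}

// Constructed sample: three requests issued by the same analytics script on an
// online-banking page. The second and third mirror the scenario above: the
// script tries to send account data, first to its own host, then to an
// unregistered one.
const SAMPLE_REQUESTS = [
  { script: "https://analytics.example-vendor.com/a.js", url: "https://analytics.example-vendor.com/collect", fields: ["page", "session_id"] },
  { script: "https://analytics.example-vendor.com/a.js", url: "https://analytics.example-vendor.com/collect", fields: ["page", "account_number"] },
  { script: "https://analytics.example-vendor.com/a.js", url: "https://cdn.unregistered-host.test/beacon", fields: ["account_number", "amount"] },
];

const auditLog = auditRequests(SAMPLE_REQUESTS);
for (const entry of auditLog) {
  console.log(JSON.stringify(entry));
}
console.log(`${blockedEntries(auditLog).length} of ${auditLog.length} requests blocked`);
```

The two block reasons are deliberately distinct: "not in provider register" is a contract and register problem (Art. 28–30), while "fields not approved for provider" is the confidentiality breach from the scenario and is what would feed the incident classification under Art. 17–19. Keeping the log entries as flat JSON objects makes them easy to export and retain.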

Your Compliance Partner

Built for security teams who need visibility inside the browser, cside delivers proven defense against modern client-side attacks while supporting major compliance frameworks. Your trusted partner for regulatory compliance in the browser.

Visit our Trust Center: GDPR, SOC 2, PCI DSS

Get in touch for a personal demo

We'd love to hear from you.

*This page describes product capabilities and how they may support your compliance program. It is not legal advice. Requirements vary by organization and jurisdiction.