The Digital Operational Resilience Act (DORA) is EU legislation designed specifically for the financial sector. Its goal is to ensure that firms protect their ICT systems against disruptions, cyberattacks, and supplier failures. And since so many financial services run in the user's browser, server-side security alone is not enough. You need client-side visibility and control. cside delivers both and adds audit-ready reporting on top.
DORA requires financial institutions to withstand disruptions, cyberattacks, and supplier issues. Service delivery and financial markets cannot be at risk. Disruptions, attacks, or supplier failures can trigger a chain reaction. That's why DORA establishes a framework for ICT-risk management and incident reporting.
DORA sets rules for ICT risk management. That puts real responsibility on companies. They must test systems regularly and prove resilience; they remain accountable for oversight and recovery. Threat-Led Penetration Testing (TLPT) is mandatory every three years for 'significant entities'. Financial institutions must also control their IT providers. If things go wrong, incidents must be reported. DORA isn't just a suggestion. Non-compliance can lead to heavy sanctions for critical ICT providers: up to 1% of the average daily worldwide turnover per day, for six months.
If your business operates in the financial sector or services financial institutions in the EU, you must comply with DORA.
This includes third-party risks. All ICT systems supporting service delivery must meet requirements. A register of ICT providers is required, and contracts must include audit rights, access to relevant documentation, detailed performance monitoring, and exit plans. Major incidents must be reported under timelines set in the regulatory technical standards (RTS).
These days, much of the online activity takes place in the customer's browser. That brings increased risks, such as malware, man-in-the-browser attacks, and data breaches, along with the challenge of maintaining script integrity and session protection. Even though DORA doesn't prescribe specific client-side controls, they are needed to fulfill risk-management and testing obligations.
Controls often run in the browser along with third-party scripts. You need to catch tampering (XSS, injection, session abuse) in real time. cside enforces approved paths before execution to strengthen protection and prevention. Annual testing and TLPT, for significant entities, are supported with logs and change records.
Only approved service providers under appropriate contracts shall receive data. We continuously monitor third-party scripts and destinations, mapped to a provider register. You also get exportable, time-stamped logs and destination maps for audits and reporting.
We provide real-time alerts on new endpoints, extraction attempts, or changes on critical pages. Everything is timestamped so you can assess and disclose to the authority under RTS timelines.
Forensics can make a difference when an incident happens. We record what ran and where data went so your team can reconstruct events. You can keep evidence for long-term retention and inspection.
Governing what you can't see is impossible. cside can block unauthorized browser code that can change data. You can inspect what scripts ran, the fields that were touched, and where data is sent, with exportable logs for oversight and accountability.
A customer logs in to their online bank account. A compromised third-party analytics script quietly tries to exfiltrate data. Under DORA, this incident violates confidentiality and integrity and must be logged. If criteria for a major incident are met, it must be reported.
cside immediately blocks the script before it can run, prevents the transfer and sends alerts with detailed logs.
No data leaves the browser, and you get immediate alerts with detailed evidence, ready for reporting.
Built for security teams who need visibility inside the browser, cside delivers proven defense against modern client-side attacks while supporting major compliance frameworks. We are your trusted partner for regulatory compliance in the browser and for securing the last mile of the web.
GDPR
SOC 2
PCI DSS
As your partner for web security, we want you to be able to reach us easily. Every customer gets 1:1 access to our team over Slack and Microsoft Teams. We respond in minutes, whether you have a feature request, questions, or ideas.
*This page describes product capabilities and how they may support your compliance program. It is not legal advice. Requirements vary by organization and jurisdiction.