Transparency Within, Readability Beyond: Announcing the TYPO3 Compliance Officer Mandate

Compliance doesn't have to mean bureaucracy. Rachel Foucard shares how a structural gap in the 2026 Board election became an opportunity to build something more meaningful: a dedicated framework for trust, governance, and regulatory readiness within the TYPO3 Association.
Do topics like regulation, compliance, governance, or legal obligations sound boring, intimidating, or unnecessarily bureaucratic to you? Then this article is precisely about changing that perception.
Because at their core, these topics are not really about paperwork, restrictions, or bureaucracy. They are about something much more fundamental: how an organization turns its values into real, understandable, and trustworthy systems.
Values only become meaningful when an organization is capable of demonstrating them in practice. This is exactly the purpose behind the new TYPO3 Compliance Officer mandate.
When Constraints Create Opportunity
The 2026 TYPO3 Association Board election turned out to be unexpectedly historic. For the first time, Board candidates needed more than 50% support to be elected. After three election rounds, no candidate managed to secure the required majority for the final open seat, leaving the Board with six members instead of seven.
At first glance, this could look like a limitation. In reality, it created an opportunity.
During my previous Board member term, I was actively handling responsibilities related to ethical compliance, legal and regulatory monitoring, conflict of interest frameworks, trusted reporting mechanisms, and representation in European regulatory working groups. And these topics are not getting smaller. At the same time, it became increasingly clear that keeping all these operational responsibilities directly inside a smaller and intentionally lean Board would eventually create continuity and capacity challenges.
Rather than treating this situation only as a constraint, I took it as an opportunity to rethink the structure itself. To preserve continuity on these topics while allowing the Board to remain intentionally lean and strategically focused, I proposed the creation of a dedicated Compliance Officer mandate outside the Board structure, including its scope, responsibilities, governance framework, reporting model, and operational boundaries. The Board unanimously decided to adopt the mandate.
Compliance Matters — Why and How?
Rules alone protect nothing.
A policy nobody follows is useless.
A process nobody understands is useless.
A framework that only exists on paper is useless.
Compliance is not the existence of rules. Compliance is the ability to demonstrate that the rules are actually applied. And demonstration requires evidence. Not assumptions. Not intentions. Not “trust me”. Evidence.
This is where transparency and readability become essential. Transparency means people inside the organization can see and understand how the system works. Readability means people outside the organization can understand and verify it too.
Transparency Within — With Ethical Compliance
Building Trust Through Ethical Compliance
Ethical compliance is fundamentally about trust inside the organization. Not abstract trust. Practical trust. The kind of trust people need when they participate in a community, report a problem, raise a concern, disclose a conflict of interest, join a discussion, or simply want to believe that the organization is trying to act fairly and responsibly.
This is why ethical compliance is deeply connected to transparency. People should be able to understand how decisions are made. How conflicts of interest are handled. How mediation works. How reporting mechanisms function. What protections exist. What principles guide difficult decisions.
Strengthening Systems, Processes, and Accountability
Inside the Association, this part of my mandate focuses on continuously improving these mechanisms in a pragmatic, constructive, and proportionate way.
This includes supporting conflict of interest policies and disclosure processes, strengthening mediation and trusted reporting mechanisms, improving clarity around procedures and governance expectations, supporting respectful and fair processes aligned with the Code of Conduct, and helping foster a culture of responsibility, inclusion, accessibility, and continuous improvement across the organization.
The objective is not to create heavy bureaucracy or unnecessary control. The objective is to make the system understandable enough that trust does not depend only on personal relationships, informal influence, or institutional memory hidden inside a few individuals.
Supporting Fairness Without Centralizing Authority
But be aware: I am not the compliance cop. Other people and groups inside the organization are responsible for actively applying, enforcing, moderating, reviewing, or deciding within these processes. My role is to help ensure that the systems themselves remain fair, understandable, trustworthy, and continuously improving over time.
Readability Beyond — With Legal Compliance
Preparing the Organization for an Evolving Regulatory Environment
Legal compliance is fundamentally about understanding the world outside the organization before the world outside suddenly forces itself inside the organization. Laws evolve. Regulations evolve. Expectations evolve. And open source organizations are no longer immune to these evolutions.
Cybersecurity, accessibility, AI regulation, digital sovereignty, transparency obligations, supply chain security, procurement requirements, and governance expectations are becoming increasingly important for mature open source ecosystems. This is why legal compliance is deeply connected to readability.
Regulators, public institutions, partners, and external stakeholders must be able to understand how the organization operates. How responsibilities are structured. How risks are identified. How decisions are documented. How compliance efforts are maintained over time.
Building Readiness, Structure, and Institutional Understanding
In the Association, this part of my mandate focuses on helping TYPO3 remain prepared, understandable, and structurally ready for these evolving expectations.
This includes monitoring legal and regulatory developments, analyzing their potential impact on the TYPO3 ecosystem, supporting implementation readiness, maintaining regulatory watch and institutional memory, coordinating around digital regulation topics, participating in European and international regulatory initiatives, and helping maintain appropriate documentation and evidence of compliance efforts where necessary.
Supporting Sustainable and Responsible Open Source Governance
The objective is not to transform TYPO3 into a corporate legal machine. The objective is to help open source remain sustainable, credible, and understandable in a world where digital ecosystems are increasingly expected to demonstrate responsibility, preparedness, and resilience.
What’s Cooking
Current Priorities and Ongoing Compliance Initiatives
Several important topics are already on my radar for the coming months.
One major focus will be the evolution of the Community Mediation Process and the ombudsperson framework. The current system already has solid foundations, but it also revealed important limitations around visibility, simplicity, predictability, and perceived independence, especially for situations involving leadership roles. One direction currently being explored is the introduction of a more independent external mediation provider together with clearer and easier reporting processes.
Another important focus will be the continuous improvement of the Conflict of Interest framework. The objective is not to create suspicion or bureaucracy, but to make governance processes clearer, more understandable, and easier to trust.
Connecting TYPO3 to Broader Regulatory and Open Source Discussions
Legal compliance is also about staying connected to the discussions happening outside the organization before they become concrete obligations inside the organization.
This is why part of my work already involves participating in European open source policy discussions, regulatory working groups, and compliance-related events around topics such as the Cyber Resilience Act, digital regulation, and open source governance.
Over the last months, this included participating in Open Website Alliance discussions around CRA readiness, joining several Brussels events during EU Open Source Week, and presenting TYPO3’s stewardship experience at the Code and Compliance – FOSDEM edition event through a talk called CRA vs Your Calendar: Making Time for Compliance in Open Source Projects.
Looking Ahead
This mandate is only the beginning. I will regularly share updates about the activities, discussions, experiments, and improvements happening within this compliance scope over the coming months.
So stay tuned. More is coming.