
TYPO3 Association Joins the Open Regulatory Compliance Working Group

As the Cyber Resilience Act reshapes responsibilities for open source stewards, the TYPO3 Association takes its compliance efforts to the next level by joining a dedicated working group.

Open Source Stewardship Is What We Do

The European Cyber Resilience Act (CRA) is a new regulation introduced by the European Union to improve the cybersecurity and long-term security maintenance of digital products and software made available on the European market.

Because modern software heavily relies on open source components, the CRA also introduced, for the first time in European legislation, the concept of an open-source software steward: an organization that supports and sustains an open source project over time through governance, infrastructure, release management, security coordination or funding. Within the TYPO3 ecosystem, this stewardship role is fulfilled by the TYPO3 Association.

Stewardship Takes Time

Over the past months, this new regulatory landscape has significantly increased the amount of time and attention required to monitor European digital regulation, understand its implications for open source ecosystems, and identify practical ways to prepare for upcoming obligations.

In practice, stewardship increasingly means working across three different dimensions:

  • Staying informed: Watching the landscape and turning noise into useful information
  • Influencing and defending the community's interests: Showing up in the right space so that your project is not a passive recipient
  • Implementing and communicating: Making things real inside the project and explaining what you do

We quickly realized that no open source project should try to navigate these topics alone. Finding reliable information, practical expertise, and collaborative spaces became essential.

A Natural Next Step

This is precisely why the Open Regulatory Compliance (ORC) Working Group progressively became an important resource for us. Hosted by the Eclipse Foundation, ORC brings together open source foundations, manufacturers, vendors, researchers and industry stakeholders working on practical approaches to regulatory compliance for open source ecosystems.

Over the past months, we have already relied on several ORC resources, discussions and working sessions to support ongoing compliance-related activities within the TYPO3 ecosystem and to better understand how other organizations are approaching similar challenges. The quality of the shared resources, the practical focus of the discussions and the direct access to highly knowledgeable experts working daily on CRA and open source compliance topics quickly proved extremely valuable.

ORC also provides something that is increasingly important in the current regulatory landscape: a place where open source organizations can exchange concrete experience, challenge assumptions and collectively build realistic interpretations of complex regulatory requirements.

After following and participating in several discussions and initiatives around CRA readiness and open source compliance, joining the ORC Working Group as an official member became a natural next step for the TYPO3 Association.

Looking Ahead

Compliance and regulatory readiness will not be solved overnight. For open source stewards, this is a long-term effort involving governance, security, communication, documentation and collaboration across many different actors.

The good news is that the open source ecosystem is not facing these challenges alone. Across Europe and beyond, many organizations and communities are actively working together to build practical, sustainable and realistic approaches to regulatory compliance for open source software.

The TYPO3 Association is proud to support and contribute to this collective effort through its membership in the Open Regulatory Compliance Working Group.
