Open source is in a state of profound change in 2025. Many things that have been taken for granted over the past two decades - clear licensing models, community-driven development, a black-and-white understanding of "free" versus "proprietary" - are disappearing or being redefined. At the same time, the importance of digital sovereignty is increasing rapidly.

Companies, authorities and public institutions have to come to terms with where their data is located, how independent their technology decisions really are and what role open source plays in this. It is precisely at this interface that we at punkt.de have been operating for many years. And rarely has the dynamic been as noticeable as in 2025.

From class reunion to strategic stage:
TYPO3 on the upswing

Anyone who has been part of the TYPO3 community for many years will remember the time before 2015-2020: T3CON was a class reunion. Familiar, technically deep, but small. the picture is different in 2025. There were people at the conference who had had no contact with TYPO3 just a few years ago. Karim Marucchi, CEO of Crowd Favorite, deeply rooted in the WordPress world, spoke about digital sovereignty and open source governance. The fact that personalities from completely different ecosystems are suddenly taking a serious interest in TYPO3 shows that our CMS is no longer just a tool - it's infrastructure.

The ITZBund, Materna and other major players were also present on all days. That is a qualitative leap. TYPO3 is being considered strategically. Not as an alternative, but as a foundation. The Government Site Builder (GSB) relies on TYPO3 in its new version. The relevance of open source "made in Germany" is growing - and we are part of an ecosystem that will be more mature in 2025 than ever before.

The Government Site Builder 11 is officially listed by the ITZBund as the federal government's standard solution and is based on the open source CMS TYPO3 from version 11 onwards - a clear commitment by the federal administration to open infrastructure.

If you would like to find out more, you will find further insights in the TYPO3 environment and in our cooperation with other agencies around GSB and public projects, e.g. in the article "1_Forge: Three agencies, one alliance - for strong TYPO3 projects at eye level".

Automation becomes sovereign: our path with n8n and CIB seven

2025 was a year of consistent automation for us - but with a clear requirement: we only automate where we can retain data sovereignty. This is a conscious departure from the current trend of using Make, Zapier or other SaaS integrators everywhere. Not because these tools are bad - on the contrary, they are often great. But they require company processes, access data and internal data systems to be stored in a third-party cloud.

As customers increasingly used Make, we were faced with the question: How can we offer the same flexibility without sacrificing sovereignty? The answer for us was a combination of tools: n8n as a central automation platform and CIB seven as a way of mapping more complex processes on a sovereign workflow engine. We host both tools ourselves - and that changes the game.

One example: our press work is now largely automated. Once a week, a current stock of articles is transmitted from our internal sources to services such as PresseBox - error-free, traceable and completely processed on our servers. Small, but symbolic: we save time, gain quality and keep all data in-house.

We once summarized this attitude - automation yes, but only with data sovereignty - in our blog as follows: "Automation only works sustainably if the company retains sovereignty over the data."

In doing so, we had to expand our own understanding of open source. Because n8n is not "classic open source". The Sustainable Use License restricts certain types of use - in particular operation as a commercial SaaS service. I was skeptical at first. For me, open source is more than just a license text. But the n8n model convinced me: it protects against exploitation by cloud giants, but leaves all the degrees of freedom you need for real sovereignty. This hybrid thinking is an important building block for the future - and a personal learning from 2025.

Jan Oberhauser, the founder of n8n, puts it in a nutshell in the context of the fair code movement: we need to find models "in which everyone wins - users, the community and companies". The Sustainable Use License is just such an attempt: the source code remains accessible and expandable, but purely commercial remarketing without a return flow to the project is limited.

Movement in the communities: WordPress, Akeneo, Pimcore

Hardly any other year has shown so clearly how fragile open source governance can be. The conflict between Matt Mullenweg (Automattic) and WP Engine deeply unsettled many customers. The final rift escalated at the end of 2024, but the repercussions rolled through the market in 2025: the threat to revoke trademark rights, the temporary removal of WP Engine customers from update channels, the public exchange of blows. No matter how you assess the details - such a power imbalance would simply not be possible in many other open source projects. TYPO3 & Co. have a clear advantage here: governance is distributed. No single player can lock out entire user groups.

But WordPress is just one example. Akeneo has effectively frozen its Community Edition and is increasingly focusing on its SaaS and Enterprise model. In practice, this means that new features land first (or exclusively) in the hosted versions and in the Enterprise Edition, while the Community Edition remains largely in maintenance mode and the focus is clearly shifting to the "Serenity" SaaS approach.

This year,Pimcore switched to its own POCL licence - a move that sounds to many like a departure from true open source, but at the same time is intended to minimize the legal risks of classic copyleft licences. From version 2025.1, the Community Edition is no longer under GPLv3, but under the Pimcore Open Core License (POCL), which promises full source code visibility and customizability, but makes a clear distinction between community use and commercial use.

And now comes the uncomfortable part:

It would be too easy to criticize these projects. The fact is that the demands placed on modern digital products have increased enormously. Architecture, security, scalability, compliance - it all costs money. And to be honest: The open source community rarely makes a sufficient contribution to ensuring that large projects can be further developed in a financially sound manner.

Anyone protesting now should ask themselves whether they have contributed enough in recent years to prevent commercialization. I myself look back with pride on TYPO3 and the founding of TYPO3 GmbH in 2016. That was foresight. It was the community's answer to the question:

How do we secure the future of our project without selling out?

These governance structures are in place today - and other systems will have to follow suit.

For 2026, I would like to see clear pricing structures and transparent onboarding models. We understand that systems must incur costs, but the welcoming culture of the "old open source" world must be maintained. This year, we tried to enter the enterprise world with some long-standing open source systems, such as Sylius, Elastic and n8n.

It was an absolute jungle of tariffs. After five phone calls, conversations and documents, we still had no price and no sense of welcome - just uncertainty.

Agencies in particular need the opportunity to try out new tools without immediately ending up in the enterprise lock-in. Otherwise, Europe will not adapt these tools on a broad scale.

The TYPO3 ecosystem is a good example of how things can be done differently: the mixture of association, limited company and a broad agency network makes it clear who pays for what - and yet the core of the system remains open and community-driven.

Europe is regulated - and that's a good thing

Regulation is an irritating word in the tech industry. Many companies see NIS2, CRA, the Accessibility Act or GDPR tightening as a burden. We experience this every day: initial reactions to EU laws often sound like excessive demands or "Brussels bureaucracy". But the more I look into these topics professionally, the clearer I see that Europe has a strategic advantage here that we should communicate much more confidently.

I have had a number of discussions with American experts this year. The picture is clear: the USA envies European regulation. Not because it is convenient - but because it creates protection, clarity and sovereignty. While data trading, profiling and platform power are largely unregulated in the US, Europe offers reliable guardrails that create trust.

NIS2 forces companies to take a serious look at their own IT security. The directive creates a uniform framework for cybersecurity in numerous critical sectors and significantly expands the scope of application - including many SMEs. The Cyber Resilience Act ensures that software - whether open source or proprietary - must finally meet minimum standards, such as security by design, regular updates and clear responsibilities. The Accessibility Act elevates accessibility from a "nice-to-have" to the status of a quality feature. And above all, there is the European self-image of understanding digital sovereignty as a location factor.

Many see this as a burden. I see it as an opportunity.

Also because, as punkt.de, we have set out to comply with ISO 27001 ourselves. Not because a customer demanded it, but because we want to show it: We take security and sovereignty seriously. For us, the topic of regulation is not a burden - it is a driver for the future.

If you want to delve deeper, you will find regular insights into regulation, sovereignty and practical examples in our blog - from SMEs to the public sector.

In our blog article "Digital sovereignty: conscious decisions instead of dogma", I have provided a more detailed classification of why we understand digital sovereignty not as a renunciation, but as a conscious decision.

My outlook: 2026 will be a year of clarity

2025 was a year of change. 2026 will be a year of clarity. Next year, we will see much more clearly which open source projects have their governance under control - and which do not. We will see which license models work and which alienate the community. We will see which EU regulations trigger real innovation - and where adjustments need to be made.

Personally, I am looking forward to actively shaping these discussions. For me, open source means: keeping options. Taking responsibility. And remaining sovereign - technically, strategically and legally.

As punkt.de, we will continue to consistently pursue our path in 2026:

It's a good time to rethink technology. And it's a great time to take responsibility.