Summary

  • RIPE NCC board oversight should be judged as an economic control mechanism, not as ceremonial association governance, because the board sits between member funding, executive discretion and a registry function that members cannot easily replace.
  • The central board question is who sets risk appetite: whether RIPE NCC behaves as a narrow ledger with strong service discipline or as a broader institution whose budget, legal posture and operational caution externalise cost onto resource holders.
  • Agenda control is the first hidden power, because risks that never reach the board as measurable trade-offs become management discretion rather than supervised institutional choices.
  • Budgets, reserves and legal spending reveal risk appetite before public speeches do; they show whether member funds protect registry continuity, expand process, defend legal boundaries or preserve institutional scope.
  • Executive discretion is necessary in transfers, sanctions handling, data-quality checks, RPKI, reverse DNS and member support, but it becomes legitimate only when the board receives category-level metrics, tail-risk evidence and appeal data.
  • The board should separate policy legitimacy from service performance: open community process can justify rules, but only oversight can test whether implementation is timely, narrow, measurable and proportionate.
  • Better board reporting would lower the price of registry uncertainty for small members, transfer counterparties, legacy holders, downstream customers and investors who currently price the registry through fragments, anecdotes and fear.

Oversight begins where the registry cannot be replaced

The economic case for RIPE NCC board oversight begins with a fact that is easy to understate: the registry cannot be replaced by an ordinary supplier decision. A Local Internet Registry account, a transfer request, a reverse-DNS delegation, a Resource Public Key Infrastructure relationship, a due-diligence response or a data-quality check may look like administrative workflow. Yet the institution behind those workflows operates the recognised registry relationship for Internet number resources across Europe, the Middle East and Central Asia. A member can complain, vote, delay, restructure, transfer resources or litigate in a hard case. It cannot simply buy an equivalent RIPE-region registry service from a rival provider.

That absence of easy replacement changes what a board is for. In a normal association, a board governs a membership service. It reviews management, approves budgets, sets strategic direction and represents a constituency that retains at least some exit power. In a regional Internet registry, the same formal duties sit above scarce operational inputs. RIPE NCC records who is recognised for IPv4, IPv6 and ASNs, supports the public database, runs registry services, facilitates resource transfers, operates RPKI and reverse-DNS functions, and maintains the portal and administrative processes that make the record useful. The board therefore supervises a dependency layer, not merely a club.

The official mechanics are plain. RIPE NCC's Executive Board page says members elect a seven-person board. It describes board functions that include representing the membership, guiding senior management, responsibility for the overall financial position, approval of the Activity Plan and Budget, appointment of management and calling General Meetings. Those are conventional governance verbs. Their economic significance is not conventional. Each verb can determine whether registry power remains narrow and observable or becomes diffuse, professionalised and difficult to challenge.

The deeper problem is an agency problem. Members fund the registry and depend on it, but executive staff hold the operational information. Staff see the queues, the sanctions clarifications, the data-quality friction, the transfer delays, the member-support bottlenecks, the legal exposures and the technical incidents before members do. The board is the mechanism meant to bridge that information gap. It should not process individual cases or convert every hard decision into politics. It should ensure that management's discretion is bounded by categories, metrics, reasons, service commitments and remedies.

This is why the board cannot be assessed mainly by whether it appears respectable. The question is not whether RIPE NCC has directors, meetings, minutes and financial documents. It does. The question is whether those institutions convert the registry relationship into a reviewable principal-agent arrangement. The member is the principal in a limited but economically serious sense: it pays, depends and bears consequences. Management is the agent in an operational sense: it runs the workflows. The board is the control surface between them.

The board is an economic control, not ceremonial governance

Board oversight often sounds soft because the word governance has been overused. In RIPE NCC's case, the board's function is hard economics. It decides what the institution treats as risk, which risks are carried inside the registry, which are pushed outward to members, and which are hidden inside professional vocabulary. A board that rewards institutional calm will produce one type of registry. A board that rewards narrowness, evidence and external cost reduction will produce another.

Risk appetite is the central choice. A registry can read its duty expansively: protect the community, preserve stewardship, build resilience, manage geopolitical pressure, strengthen the RIR system, deepen engagement, monitor members, improve data, expand services and defend the institution. Much of that language can be legitimate. It can also justify budget growth, legal defensiveness, broad compliance categories and more internal discretion. A registry can also read its duty narrowly: preserve uniqueness, keep the public record accurate, verify authority, prevent fraud, maintain secure services, process legitimate changes, comply with law and publish enough metrics for members to judge performance. That language can be legitimate too. It can also become too thin if it underfunds real resilience.

The board's task is not to choose slogans between narrow and broad. It is to make the trade-off explicit. The 2026 Activity Plan and Budget is a useful factual exhibit. It budgets EUR 41.140 million of income, EUR 41.125 million of costs, a small operating result, 202.1 full-time-equivalent staff and a working assumption of 20,000 contributing LIRs. It describes registry accuracy work, RPKI improvements, security architecture, compliance, legal review, external engagement, community activity, training, regional presence and the start of a new strategy period. This is not a tiny clerical bureau. It is a mature institution with many activities around the ledger.

The board therefore allocates member money across different theories of risk. Some spending clearly protects the registry function: database integrity, authentication, RPKI assurance, reverse DNS, portal security, transfer processing, sanctions compliance, continuity planning and record accuracy. Some spending supports the surrounding ecosystem: meetings, training, research tools, fellowships, government engagement, policy support and global coordination. Some spending protects the institution itself: legal capacity, facilities, management, finance, human resources, communications, reserves and risk systems. None of these categories is automatically wasteful. The oversight question is whether members can see the difference and whether the board can defend the mix.

Lu Heng's public notes on agency problems and registry cost discipline press a severe version of this argument. They claim that registries began as coordination bodies and acquired thicker governance functions around scarce resources; they also argue that mandatory registry charges should be tied more tightly to essential ledger functions. The board need not accept the full remedy to accept the economic warning. When an institution with limited exit uses member funds for a growing bundle of functions, the board is the body that must say which activities protect the ledger, which support the public environment, which primarily protect the office and which should be optional or re-scoped.

Ceremonial governance asks whether a board followed a process. Economic oversight asks what cost the process moved, to whom and why.

Agenda control is the first hidden power

The first power of a board is not the vote at the end of a discussion. It is the agenda that decides whether the discussion occurs at all. A registry board can be formally diligent while never seeing the economic issue in board language. A transfer delay can arrive as an operations note, not as market-cost data. A sanctions backlog can arrive as a legal-risk note, not as a service-continuity problem. A data-quality project can arrive as an accuracy programme, not as a compliance burden on small operators. A budget line can arrive as resilience, not as scope expansion.

Agenda control matters because management normally has more information than the board. This is not a criticism of management; it is a structural fact. The staff who run registry services know the volume of tickets, the delay categories, the failed transfer reasons, the sanctions matches, the data-quality patterns, the legal-review costs and the difference between a member-caused delay and a registry-caused delay. If those facts are not translated into board-level trade-offs, oversight becomes a comfort ritual. The board hears that work continues, risk is managed and members are served. It does not learn what the institution is making expensive outside the building.

The agenda should therefore force a recurring translation. For every major operational category, trustees should see four things: what registry function is being protected, what private cost is being imposed, what evidence shows the cost is necessary, and what metric will show improvement. Without that discipline, even high-quality papers become partial truths. Legal risk appears without market risk. Service volume appears without tail delay. Budget discipline appears without reliance-cost reduction. Policy implementation appears without aftercare.

RIPE NCC's Articles of Association provide a formal member backstop. They allow a group of members jointly entitled to cast at least 2% of possible votes to add subjects to the agenda if they send the required text on time, and a 10% group can require the board to convene a General Meeting under the stated procedure. These provisions matter because they prevent the agenda from being wholly internal. But member agenda rights are not a substitute for board curiosity. A busy member should not have to mobilise a percentage threshold before the board asks for transfer delay categories or legal-spending decomposition.

The board should also discipline consent agendas and closed sessions. Some matters are rightly confidential: personnel, security, litigation, unresolved disputes and sensitive member files cannot be fully public. But confidentiality over particulars should not hide categories of cost. A board can keep private legal advice private while still requiring public reporting on aggregate legal-spending categories. It can protect member identities while publishing transfer timing distributions. It can discuss sanctions exposure confidentially while explaining the difference between a confirmed prohibition, a possible match, a payment-channel problem and a member-response delay.

The best agenda is therefore not the longest agenda. It is the one that repeatedly brings discretion, cost and evidence into the same frame. If the board packet makes externalised cost visible before members complain, oversight is working. If the packet makes everything look orderly until a hard case explodes, the agenda is too narrow.

Budgets reveal risk appetite before speeches do

Budgets are where risk appetite becomes measurable. A board can speak about neutrality, service, accountability and community, but the budget shows what receives staff, systems, legal review, travel, reporting capacity, technical investment and managerial attention. In a member-funded registry, budget authorisation is the board's most concrete expression of institutional theory.

The 2026 charging scheme sets the annual contribution at EUR 1,800 per LIR account, with separate charges of EUR 75 for defined independent Internet number resource assignments and EUR 50 for defined ASN assignments, plus a EUR 1,000 sign-up fee. Those numbers are not the centre of this piece. Their importance here is that they finance a budget the board must approve and management must spend. A member-funded registry board should be able to answer not only what members pay, but what risk each major spending area reduces.

The budget includes direct registry activity, information services, external engagement and community work, and organisational sustainability. The official plan describes checking registration data for around 20,000 End Users with independent resources, aiming to complete 2,400 Assisted Registry Checks, strengthening internal consistency checks and continuing sanctions screening. It also describes RPKI infrastructure work, security tooling, ISO 27001-related activity, an ISAE 3000 Type 2 audit of RPKI, government and policy engagement, staff-related work and preparation for a new strategy period. These are materially different risk categories. Some reduce record risk. Some reduce cyber and service risk. Some reduce political and legal risk. Some reduce participation cost. Some may increase the institution's strategic footprint.

The board's duty is to separate resilience from bureaucracy. Resilience makes the ledger harder to corrupt, easier to rely on and less dependent on individual staff judgement. Bureaucracy makes the organisation larger, slower and more central without lowering uncertainty for the people who depend on it. The same line item can become either. A portal-modernisation project can lower support friction or create another interface that hides case status. A legal budget can clarify service boundaries or make caution the default answer. A compliance tool can protect lawful service or widen member anxiety. A community programme can widen participation or reward insiders who already know the process.

Budget oversight should therefore use functional tests. Does this spending reduce delay, uncertainty, fraud, outage risk, legal ambiguity, data-quality defects or member effort? Does it reduce reliance cost for small members as well as large ones? Does it produce evidence members can see? Does it make the board better informed next year? If not, is the activity still justified as a public-good function, and should it be financed through the compulsory registry fee?

The answer may often be yes. A registry with RIPE NCC's region cannot be run as a bare database. It needs legal capacity, security, compliance, support, outreach and policy competence. But "not bare" is not the same as "ever broader". Budget discipline is the board's way of telling management that the institution's relevance comes from making the registry dependable, not from making the office indispensable.

Legal spending needs a public theory of restraint

Legal spending is the board's most delicate budget line because legal capacity protects both the ledger and the institution. RIPE NCC must comply with Dutch and EU law, handle sanctions and banking exposure, maintain contracts, support policy work, respond to disputes, run arbitration procedures, defend services, assess new regulation and protect critical infrastructure. A registry without legal competence would be fragile. A registry whose legal posture is not bounded can become defensive in ways that externalise cost.

The 2026 budget sets Legal at EUR 1.3 million and six FTEs, up from the prior budget of EUR 1.2 million and five FTEs. The legal section describes a strong and accountable framework for services, compliance with applicable legislation, limiting exposure to liability, supporting RIPE community discussions and monitoring new law. Those are legitimate aims. The board's harder task is to ask how legal work is categorised and what theory of restraint governs it.

The restraint issue exists because the contractual relationship is asymmetric. The Standard Service Agreement requires members to comply with RIPE policies and procedures, provide accurate information and assist with audits and security checks. It provides for suspension of services and deregistration under closure procedures in defined circumstances. It also excludes broad categories of damages except in cases such as willful misconduct or gross negligence, and limits RIPE NCC liability to the member's service fee for the relevant financial year. That may be legally understandable for a membership association. Economically, it means board oversight must substitute for remedies that may be narrow relative to downstream reliance.

Legal capacity should therefore be reported in categories that members can understand without exposing legal advice. Ordinary corporate work is different from sanctions compliance. Member disputes are different from policy support. Litigation is different from contract maintenance. External-government engagement is different from RPKI assurance. Establishing or operating regional entities is different from defending the existing ledger. The board should know and members should see, at a suitable level, which legal costs protect the record, which costs manage unavoidable law, which costs arise from member disputes, which costs support institutional expansion and which costs defend the RIR model more broadly.

The reason is not suspicion for its own sake. A low-liability, high-dependence registry must be strongest where it protects accuracy, legality, security and due process. It should be weakest where legal capacity could insulate broad discretion from member discipline. If counsel's safest answer is always more delay, more documentation or less disclosure, the board must ask safe for whom. A decision that lowers RIPE NCC's corporate exposure may raise transaction cost, member uncertainty or service risk outside the institution.

Legal spending also shapes tone. Members receiving a notice about sanctions clarification, data-quality review, transfer documentation or payment default read not only words but power. A board that wants a calm registry should require legal language to be precise, proportionate and cure-oriented. The aim is not to make enforcement weak. It is to prevent legal caution from becoming the institution's unreviewed risk appetite.

Reserves are insurance only when their purpose is bounded

Reserves are another place where board oversight turns finance into institutional design. A registry should hold reserves. It operates critical services, faces legal and geopolitical shocks, relies on member revenue, serves countries with banking and sanctions risk, and must be able to preserve continuity through disruptions. A registry that spends every euro received may be accountable in the narrow cash sense but fragile in the operational sense. The board is right to treat continuity as a financial obligation.

The danger is that reserves can insure either the ledger or the full institutional bundle. The Standard Service Agreement describes the Clearing House as a tax-free financial reserve for RIPE NCC financial stability and states that the General Meeting decides each year whether the financial result is added to or deducted from the reserve or redistributed among members. That gives members a formal role. The board still has to define what reserve adequacy means.

A reserve measured only against total institutional expense can blur the question. Members need to know how many months of narrow registry continuity are protected: registration records, public database services, RPKI, reverse DNS, essential portal functions, support for high-consequence cases, security, disaster recovery, data escrow and core staff. They also need to know how much reserve is meant to protect broader activity: meetings, training, external engagement, regional initiatives, policy support, measurement platforms and institutional coordination. Both may be valid. They are not the same insurance product.

The Joint RIR Stability Fund, noted in RIPE NCC's budget materials as a possible reserve-funded contribution to mitigate regional and global disruptions or threats to the RIR system, illustrates the boundary problem. Supporting wider registry stability can be prudent. One registry's collapse can affect confidence in the whole system. But a board should be explicit when members' reserves insure the wider RIR order rather than only RIPE NCC's local services. The theory may be defensible. It should not be implicit.

Reserve discipline also affects management incentives. A large reserve can protect continuity and lower panic. It can also reduce immediate pressure to cut costs, narrow scope or return funds. A thin reserve can keep the institution responsive but increase vulnerability to litigation, cyber incidents, payment shocks and geopolitical disruptions. The board's role is to keep both dangers visible.

The best reserve policy would separate purposes. One layer for core registry continuity. One for cyber and disaster recovery. One for legal contingency, with categories. One for payment and sanctions disruption where lawful service should continue despite blocked collections. One for wider system-stability commitments. One for ordinary working capital. If members see these layers, they can judge whether reserves are insurance against real shocks or insulation from fiscal scrutiny.

Board oversight should not treat reserve criticism as anti-resilience. Nor should it treat reserve accumulation as automatically prudent. Insurance is legitimate when the insured risk is named, bounded and reviewed.

Executive discretion is necessary but must be reviewable

No serious registry can run without executive discretion. Staff must evaluate transfer documents, interpret service agreements, classify support cases, handle sanctions matches, run data-quality reviews, respond to security incidents, prioritise engineering work, manage RPKI and reverse DNS, interact with members and implement policies whose wording cannot anticipate every fact pattern. A board that tried to approve each operational decision would damage the registry. Micromanagement is not accountability.

But discretion becomes legitimate only when it is reviewable. The board should know how management uses discretion by category, not merely through anecdotes or escalated complaints. Transfers are one example. Completed-transfer statistics are useful, but the board should also see how many requests were opened, how many were incomplete, how many required repeated document rounds, how many were delayed for sanctions clarification, how many were withdrawn, how many were refused and how long cases took at median and tail percentiles. Staff-response time and member-response time should be separated where possible. A 90-day case caused by missing member documents is different from a 90-day case waiting for internal risk review.

Data-quality work is another example. The 2026 plan's ambition to check around 20,000 End Users with independent resources and complete 2,400 Assisted Registry Checks may strengthen the ledger. It also creates a large surface for member anxiety. The board should see how many checks were cooperative, how many found routine corrections, how many found serious defects, how many led to service consequences, how many were delayed by non-response, how often members disputed findings and whether services remained stable while facts were reviewed.

Sanctions handling requires the same discipline. RIPE NCC operates under legal constraints and cannot treat sanctions as optional. But the board should distinguish confirmed prohibition, possible match, ownership clarification, payment-channel problem, high-risk country classification, staff escalation and ordinary member delay. Each category carries a different risk. If the board sees only "sanctions workload", it cannot know whether law, banking, risk appetite or internal process is driving member uncertainty.

RPKI and reverse DNS should be included because they make registry discretion operational. A transfer, closure, dispute or documentation problem can affect the usefulness of certificates, ROAs or reverse delegations if the process is not carefully bounded. The board should receive aggregate data on high-consequence changes: notices, revocations, restorations, transition delays, incidents, member-caused defects and registry-caused defects. The aim is not to publish sensitive technical details. It is to ensure that operational trust services do not become invisible leverage.

Reviewability also requires reasons. Management should be able to explain hard decisions in terms of rule category, evidence gap, legal constraint, member cure path, continuity effect and appeal route. If those categories are weak, the board should not wait for a scandal. Weak categories are an early sign that executive discretion is running ahead of institutional design.

The board's information right is the member's first protection

A board cannot supervise what it does not require management to measure. That makes the board's information right the member's first protection. Members may vote on board seats, charging schemes and major documents. But between meetings, their practical protection is that board members demand information management would not otherwise publish.

Good board information has three traits. It is granular enough to reveal trade-offs. It is aggregated enough to protect confidentiality. It is stable enough to compare over time. A report saying "member satisfaction remains high" is too soft. A dashboard showing ticket categories, response times, completion rates, tail delays, escalation counts, appeal outcomes and repeated complaint causes is harder to ignore. A report saying "legal risk is managed" is too broad. A report separating sanctions, member disputes, policy support, litigation, contract review, external engagement and new-entity work lets the board ask better questions. A report saying "RPKI is resilient" is incomplete without incident, restoration and high-consequence administrative-action data.

The board should be careful about Net Promoter Score and similar experience metrics. Surveys can be useful, and the 2026 plan refers to member input through surveys and metrics such as NPS and Customer Effort Score. But experience scores can become propaganda if they are not tied to service evidence. A member whose routine ticket was answered quickly may rate the experience well. That says little about the tail case where a transfer is delayed by corporate-history questions, a sanctions match or an RPKI transition problem. Board oversight should treat satisfaction as a signal, not a substitute for operational proof.

The information right should also extend to alternatives. Management recommendations should identify what was considered and rejected. If a legal approach is chosen, what less restrictive approach was available? If a budget line increases, what service metric justifies it? If a data-quality campaign expands, what member burden is expected? If a policy implementation imposes new documentation, what process time will be measured? If a report cannot be made public, what aggregate version can?

This matters because asymmetric information can make the board too dependent on institutional framing. Staff may be sincere and still self-protective. Counsel may be correct about exposure and still incomplete about external cost. Technical teams may be right about security and still underestimate business friction. Communications teams may be skilled at explaining the institution and still avoid hard evidence. The board's role is to ask for the missing side of each trade-off.

Members should therefore judge board candidates not only by biography or community standing, but by information discipline. Do they know what to ask? Do they understand registry economics well enough to distinguish ledger protection from office protection? Do they ask for denominators, tail risks and failed cases, not only successful outputs? A board member's most important contribution may be a better question.

Operational metrics should travel upward without becoming propaganda

Operational metrics are useful only if they make performance harder to decorate. A board dashboard should not be designed primarily to show that RIPE NCC is busy, productive or trusted. It should show whether the registry is lowering the cost of reliance for those who depend on it.

For registration services, the board should see update volumes, processing times, authority-verification categories, incomplete-request rates, document-round counts, closure reasons, reopened cases and dispute flags. For transfers and mergers, it should see opened requests, completed requests, withdrawn requests, refused requests, requests affected by waiting periods, requests requiring sanctions clarification, inter-RIR coordination delays, legacy-document issues, corporate-history issues and tail processing times. For member services, it should see support categories, first-response times, resolution times, escalation patterns and repeated friction points.

For RPKI and reverse DNS, the board should see availability and incident data, but also administrative-transition data. How often do transfers create ROA transition issues? How many certificate problems follow account changes? How often are revocations or restorations tied to procedure rather than pure technical failure? How quickly are reverse-DNS delegations updated after recognised changes? What guidance reduces member-caused errors? These questions do not turn the board into an engineering team. They show whether operational trust follows the registry record predictably.

For legal and compliance, the board should see volumes and categories rather than only budget totals. How many sanctions checks produced possible matches? How many were resolved quickly? How many blocked service? How many payment problems reflected banking restrictions rather than member refusal? How many court or regulatory demands arrived? How many member disputes reached arbitration or another formal path? How many required external counsel? How many legal hours supported policy, contracts, litigation, compliance, regional entities or wider Internet-governance work?

For data-quality campaigns, the board should see burden and benefit together. A campaign that finds serious defects may justify its cost. A campaign that produces many routine corrections and little harm may justify simpler self-service tooling. A campaign that creates many escalations may indicate unclear notices or disproportionate evidence demands. Without metrics, the same campaign can be described as accuracy, compliance, service or pressure depending on the speaker.

Metrics should also be public in summarised form. Internal dashboards are not enough. Members and market participants do not need case files, legal advice or private identity documents. They do need enough aggregate evidence to know whether the registry is predictable. A buyer of IPv4 space, a small hoster, a sponsoring LIR, a legacy holder, a lender and a downstream customer all price uncertainty differently if RIPE NCC publishes category-level performance. The board should decide what can be made public by default, not only what must remain private.

Propaganda reports celebrate work performed. Oversight reports reveal cost reduced, discretion narrowed and mistakes corrected.

Conflicts of interest are a design problem, not only a personal failing

Conflict-of-interest governance is often written as if the problem is personal misconduct. A board member has an employer, a consulting relationship, a customer, a policy role, a supplier connection, a market position or a public stance. They should disclose, recuse where necessary and avoid using office for private gain. Those rules are necessary. They are not sufficient.

In a registry, conflicts are also structural. The board is elected by members who are themselves part of the affected economy. Some members are large incumbents, some are cloud or hosting providers, some are brokers or address-market participants, some are small access networks, some are public or research institutions, some are legacy holders, some are sponsoring LIRs and some may be heavily involved in community processes. A board member can be honest and still bring a worldview shaped by their place in that economy. The board as a whole can be competent and still overweight the concerns of insiders who know how RIPE NCC works.

The design problem is to prevent any one constituency's cost from becoming the institution's default sense of reasonableness. A large operator may treat a documentation requirement as minor because it has counsel and staff. A small operator may treat the same requirement as a significant burden. A legal adviser may see disclosure as risk. A market participant may see non-disclosure as an opacity rent. A long-time community figure may see policy process as broadly legitimate. A late-entering holder may see it as difficult to enter and dominated by familiar voices.

The board should therefore manage conflicts by categories as well as recusal. It should ask who benefits from each budget or policy posture, who pays fixed costs, who can absorb delay, who gains from opacity, who gains from complexity and who is absent from the discussion. It should require impact notes for high-consequence decisions that identify affected groups even when no board member has a formal conflict. It should seek independent challenge on matters where board and management culture may align too comfortably.

Committee composition matters. A finance committee dominated by people comfortable with institutional continuity may underweight the fixed-cost burden on small members. A governance committee drawn mainly from established community participants may underweight barriers to new candidates. A risk committee focused on cyber and legal exposure may underweight risk created by the registry's own opacity. The answer is not quota politics. It is cognitive diversity around the registry's economic effects.

Conflicts also arise between institutional identity and member interest. Board members may feel responsible for defending the RIR system, the RIPE community, the office, staff morale and external reputation. They should. But those duties can conflict with the need to limit the institution. A board that identifies too strongly with the office may view criticism as danger rather than information. In a high-dependence registry, that is itself a conflict of perspective.

Good conflict design does not assume bad people. It assumes that power changes perception. It builds disclosure, recusal, challenge, category reporting and member-facing evidence so that perspective does not harden into hidden policy.

The board should separate policy legitimacy from service performance

RIPE's open policy culture is a real asset. Public mailing lists, meetings and consensus-based policy work are better than closed rulemaking. They allow technical specialists, operators, researchers and non-members to contribute. But policy legitimacy and service performance are different controls, and the board should not let one substitute for the other.

A policy can be legitimate in process and costly in implementation. A transfer rule may have passed through open discussion and still create more documentation rounds than expected. A data-quality rule may have a sound purpose and still overload small members. An RPKI change may be technically justified and still need careful notice, cure and restoration metrics. A sanctions-related procedure may be legally necessary and still require clear categories to prevent fear. A charging scheme may be approved by members and still require future analysis because the vote was close or the distributional burden changed.

The board's role is not to rewrite the policy process. It is to demand implementation evidence. Before a high-consequence policy is implemented, the board should receive an operational impact note: what systems change, what staff burden is expected, what member burden is expected, what service categories are affected, what appeal or complaint paths exist, what metrics will be published and when the board will review outcomes. After implementation, the board should require a post-implementation review that compares expected and actual effects.

This separation protects the RIPE community as well as members. If the board treats community consensus as the end of the inquiry, the community may unknowingly write rules that impose hidden costs. If the board sends measured implementation evidence back into the policy environment, the community can adjust with better information. The feedback loop should be: community develops policy, RIPE NCC translates it into operational plan, the board tests risk and measurability, management implements, metrics return, policy is refined if needed.

The same distinction applies to member votes. A General Meeting vote can approve a charging scheme or document. It does not remove the board's duty to monitor effects. Members may approve a budget without knowing whether a legal or data-quality line later expands in practice. They may elect board members without seeing every operational metric. Voting is a control point; oversight is continuous.

The board should also resist mandate creep through policy vocabulary. Words such as stewardship, stability, community and resilience can be legitimate. They can also wash broader institutional ambition into operational practice. A board should ask: what is the specific ledger harm being prevented? What evidence shows this control is needed? Does the measure preserve uniqueness and accuracy, or does it shape market conduct? If it shapes market conduct, has the community and membership seen that explicitly?

Policy legitimacy says a rule has a pedigree. Service performance says the rule works without disproportionate cost. A registry board must care about both.

Appeals and complaints test whether oversight is real

Appeals and complaints are the stress test of board oversight. It is easy for a registry to look accountable when services work and members are quiet. The real test is what happens when an administrative decision harms a member's commercial timetable, resource status, service continuity or trust in the record.

RIPE NCC's legal materials describe arbitration and dispute mechanisms. The public arbitration page says an Arbiters Panel exists for dispute settlement and for evaluation of requests for Internet number resources, with parties first trying to resolve disputes themselves before formal arbitration. The Articles of Association state that the Executive Board may propose new arbiters or changes to the arbitration procedure, while General Meeting approval is required for those arbiters, dismissals or procedure changes. This architecture matters because it creates a formal route beyond staff discretion.

But formal routes are only part of the test. Members need to know what categories can be appealed or complained about, how reasons are stated, what happens while review is pending, how long review takes, how often outcomes change and whether services remain stable while facts are disputed. A review path that exists in documents but is slow, costly, poorly known or ineffective does not discipline executive discretion enough.

The board should therefore receive aggregate appeal and complaint data. How many formal arbitration requests were filed? What broad categories did they involve? How many informal complaints or escalations occurred before formal review? How many involved transfers, closures, payment, sanctions, RPKI, reverse DNS, data quality, audits or account access? How long did resolution take? How often did RIPE NCC change its position? How often was the member's defect cured? How often did the issue reveal unclear documentation or communication?

The board should also require interim-continuity principles. A disputed transfer denial should not create unnecessary uncertainty about the current holder's existing services. A billing or documentation problem should not disturb unrelated operational services where a narrower remedy is available and law permits. A sanctions review should distinguish investigation from confirmed prohibition. A data-quality check should preserve the last verified operating state unless there is clear fraud, legal compulsion or security risk. The board should know when continuity was preserved and when it was not.

Complaint data is not embarrassing if it is used well. A complaint that reveals unclear guidance is a service improvement. An appeal that reverses a decision is proof that review can work. A refused appeal with clear reasons may strengthen the ledger. A pattern of similar complaints is early evidence of process design failure. Silence, by contrast, can mean satisfaction, fear, cost or resignation. The board should not treat low formal appeal volume as automatic proof that discretion is accepted.

Oversight is real when members can lose a case and still understand why, when management can defend a hard call with evidence, and when the board can see whether hard calls form a pattern.

Small members need legibility, not paternalism

Small members are often invoked in registry debates as if they need protection from complexity. That is true in part, but the framing can become paternalistic. Small operators do not need the board to decide for them what their business model should be. They need the registry relationship to be legible enough that they can make rational decisions with limited staff.

Legibility means plain categories, predictable timelines, standard evidence requests, visible service expectations, clear appeal paths and budget explanations that do not require insider vocabulary. A small regional ISP should be able to understand what a data-quality notice asks, how to cure a defect, what services continue while the issue is open and where to escalate. A small hoster buying address space should be able to understand the likely transfer timeline and common documentation problems. A legacy holder should be able to understand what service relationship is required for RPKI or reverse DNS without feeling that historical recognition is being converted into institutional leverage.

Legibility is economic. A large operator can buy interpretation through counsel, consultants and staff. A small operator buys interpretation by giving up management time. A vague notice can cost it a week. A delayed transfer can cost it a customer. A complicated budget proposal can be ignored because it is too costly to model. A technical mailing-list discussion can pass unnoticed because there is no one available to follow it. The result is not lack of interest; it is rational allocation of scarce attention.

The board should therefore ask for small-member impact notes on major operational and budget changes. Not every change requires a full distributional analysis. But any change affecting fees, data-quality checks, transfers, RPKI, reverse DNS, closure, sanctions communication or service access should identify likely fixed costs. How many member actions are required? What documents must be collected? How much time is expected? Is there self-service tooling? Are instructions available before the member is under time pressure? Is there a safe way to ask questions without triggering escalation fear?

Lu Heng's note on RIPE NCC phishing emails illustrates the psychology. Fraudulent messages could exploit fear because some members perceive the registry as having existential authority over their business. The cure is not only security awareness. It is predictable institutional language. When legitimate RIPE NCC notices are calm, specific, cure-oriented and visibly bounded, members are less vulnerable to panic. When procedures are measurable and public, a fake demand is easier to recognise.

Legibility also lowers hidden cross-subsidy. If small members must hire intermediaries merely to understand the registry, opaque procedure becomes a private tax. The board should want the opposite: intermediaries should add commercial value, not sell access to institutional folklore.

Crisis oversight should preserve the ledger before expanding the mandate

Crisis is when boards most often widen institutional power. A cyber incident, sanctions shock, court order, disputed transfer, political pressure, banking disruption, fraud pattern or regional registry crisis can make ordinary limits feel too slow. In that moment, a registry board may be tempted to approve broader controls, larger budgets, more legal discretion and less disclosure. Some emergency action may be necessary. The question is what principle governs it.

For RIPE NCC, the crisis principle should be ledger preservation before mandate expansion. Preserve the public record. Preserve RPKI and reverse-DNS continuity where lawful and technically safe. Preserve data integrity. Preserve member communication. Preserve evidence. Preserve appeal paths. Preserve the distinction between confirmed risk and possible risk. Only then decide whether broader institutional action is required.

This principle matters because crisis language can easily become permanent. A sanctions workload can justify wider compliance architecture. A fraud case can justify broader documentation demands. A security incident can justify more centralised controls. A political intervention can justify more external engagement. A dispute can justify more legal budget. Each response may be reasonable in the moment. The board's duty is to prevent emergency reasoning from becoming ordinary mandate without later review.

The 2026 plan's references to security architecture, applicable Dutch and EU regulations, political risks, sanctions monitoring, RPKI assurance and RIR-system stability show the range of issues the board must supervise. These are real risks. The region includes war, sanctions, banking constraints, cyber threats, state interest in Internet infrastructure and members operating under very different legal and economic conditions. A board that ignored those risks would fail.

But a board can fail in the opposite direction by making the office larger than the risk. Crisis oversight should ask: what is the narrowest measure that preserves uniqueness, accuracy, continuity and lawful operation? What sunset review applies? What metric will show whether the measure worked? What cost was imposed on members? What can be disclosed after the crisis passes? What new discretion was created, and who can review it?

The board should also separate registry continuity from institutional preservation. Protecting the ledger may require redundancy, escrow, service continuity planning and inter-RIR cooperation. Protecting every existing programme, office structure or external role is a different claim. In crisis, the registry's core function should become more visible, not less. Members should be able to see what is essential and what is optional.

Strong crisis boards do not prove strength by expanding power quickly. They prove strength by keeping the registry's role narrow when fear makes breadth attractive.

Better board reporting lowers the price of registry uncertainty

Registry uncertainty has a price. It appears in discounted IPv4 transactions, larger escrow demands, slower M&A closings, extra legal reviews, broker spreads, working-capital buffers, delayed customer deployments, leased workarounds, risk premiums for sensitive jurisdictions and small operators' reluctance to challenge unclear notices. RIPE NCC may not see all these prices directly. That is precisely why board reporting matters.

Better reporting would reduce uncertainty in several markets at once. A transfer market with published timing distributions and failure categories prices settlement more accurately. A legacy holder with clear service-boundary data can decide whether to enter a contract, sell, lease or maintain status. A sponsoring LIR with data-quality metrics can support End Users more predictably. A lender or acquirer can judge whether address records are operationally stable. A small operator can plan staff time around known cure paths. A downstream customer can distinguish ordinary registry maintenance from serious resource risk.

The board should therefore publish a recurring oversight report distinct from marketing, annual storytelling or dense budget material. It would not disclose private files. It would summarise the categories that matter to reliance: transfer performance, data-quality outcomes, Assisted Registry Check results, sanctions and payment categories, RPKI and reverse-DNS continuity, member support performance, complaint and appeal data, legal-spending categories, reserve-purpose mapping, policy implementation reviews and service incidents. It would state what improved, what worsened, what is still not measured and what the board asked management to change.

Such a report would strengthen the board's own authority. Members elect directors, but they cannot assess oversight quality if the board's work is visible mainly through minutes and formal approvals. A report that shows board questions, management answers and measurable follow-up would make oversight tangible. It would also improve candidate accountability. Future board candidates could be judged against the same evidence: what metrics they think are missing, what risk appetite they prefer and what costs they believe the registry should internalise.

The report should include mistakes. A board that reports only success will not be believed by sophisticated readers. Mistakes are valuable when they are categorised, corrected and prevented from recurring. A delayed class of transfers, unclear sanctions communication, a service incident, an RPKI transition problem or a repeated complaint category should be written plainly. The point is not self-denunciation. It is credibility.

Official materials already contain many pieces: board minutes, activity plans, charging schemes, financial reports, trust information, sanctions transparency and service documents. The missing layer is economic synthesis. Members need to see how board oversight connects money, legal risk, operational discretion and external cost. Without that synthesis, the registry's information remains scattered and the market continues to price uncertainty through private channels.

Transparency reduces risk only when it answers the question people are actually trying to price.

The board should limit mandate creep before members have to

Mandate creep rarely announces itself as ambition. It arrives as a service improvement, a security need, a legal concern, a community expectation, a resilience programme, a policy implementation, a regional initiative, a measurement tool or a governance commitment. Each step may be defensible. The cumulative effect can still be a registry that does more, costs more and decides more than the narrow coordination function originally required.

The board is the right body to prevent that drift because management has natural incentives toward capability. Competent staff want to solve problems. Legal teams want robust frameworks. Technical teams want better systems. Community teams want wider participation. External-engagement teams want policy relevance. Finance teams want stability. None of these motives is bad. But the sum can turn a registry into a broad institution financed by a membership relationship that members cannot easily replace.

Mandate discipline should be explicit. For each new or expanded activity, the board should require a classification. Is it essential to the ledger? Is it essential to security or continuity? Is it legally required? Is it a member service that should be funded by the general fee? Is it a public good that should be funded by sponsorship, grants or optional contributions? Is it institutional positioning? Is it a response to a temporary crisis? What would be lost if it were not done?

The classification should not be hidden in internal deliberation. Members do not need every discussion, but they need the board's theory. If RIPE NCC funds measurement platforms, training, policy engagement, regional presence or global coordination through the general budget, the board should say why compulsory registry fees are the right funding base. If an activity primarily benefits a subset of users, the board should consider whether the funding model should reflect that. If a broad external role protects the registry's legal environment, the board should explain the connection to member service.

This discipline is especially important because "community" can be an elastic word. The RIPE community is open and valuable. It is not identical to the fee-paying membership, the downstream customer base, the transfer market, national governments, legacy holders or all users affected by registry decisions. A board that treats community demand as sufficient mandate may unintentionally turn participation by the most engaged into authority over the least represented.

The goal is not to shrink RIPE NCC into fragility. A registry can be under-scoped as well as over-scoped. The goal is to make every expansion pay rent in evidence. If the activity protects the registry, show how. If it lowers member cost, measure it. If it serves a broader public good, state why the fee base should carry it. If it cannot meet any of those tests, the board should stop it or fund it differently.

Members should not have to impose mandate discipline only through close charging votes or protest. A serious board applies it before the invoice arrives.

The question for members before the next vote

The practical question before the next board cycle is not whether RIPE NCC is trustworthy in a general sense. General trust is too vague. The better question is whether board oversight makes registry power narrower, more observable and more accountable each year.

Members should ask board candidates how they define risk appetite. Should RIPE NCC prioritise a ledger-first posture, with strict accuracy and security but restrained market discretion? Should it pursue a broader stewardship posture, with stronger institutional capacity and wider public engagement? If candidates answer with only "stability" or "community", they have not answered. Stability for whom, at what cost and with what evidence?

Members should ask how candidates read the budget. Which activities are core registry continuity? Which are public goods? Which are institutional overhead? Which should be optional? What legal-spending categories should members see? What reserve purposes should be separated? How should the board test whether staffing or tooling reduces external cost rather than internal discomfort?

Members should ask what information candidates would demand from management. Transfer denominators, tail delays, incomplete-request rates, sanctions categories, data-quality outcomes, RPKI and reverse-DNS transition metrics, appeal data, complaint categories and post-policy reviews should be ordinary board material. A candidate who cannot name missing metrics may not be ready to supervise an information-rich institution.

Members should ask how candidates will separate policy legitimacy from implementation performance. Open process matters. So do outcomes. A rule that survives mailing-list debate can still impose hidden cost when implemented. The board should require impact notes, aftercare and public metrics for high-consequence policies.

Members should ask how candidates think about limits. What should RIPE NCC not do, even if the work sounds useful? When should a function be sponsored rather than funded through registry dues? When should legal risk be accepted rather than pushed onto members through delay? When should a crisis measure expire? When should the board tell management that the correct answer is a narrower process, not a larger programme?

The board packet is where these answers become real. A line about a budget increase, a legal memo, a sanctions workload, a transfer metric, an RPKI audit, an Assisted Registry Check target, a reserve contribution or a new initiative may look ordinary. Each line asks whether the board will protect the ledger and the people relying on it, or whether it will let the institution make itself safer by making the market less certain.

RIPE NCC does not need theatrical distrust. It needs a board that treats oversight as economic control. That means fewer comforting abstractions and more measurable restraint: clearer agendas, decomposed budgets, bounded reserves, categorised legal spending, reviewable executive discretion, public service metrics, meaningful appeals and explicit limits on mandate creep.

The registry's strongest future is not to look sovereign, larger or harder to question. It is to be so narrow, auditable and well supervised that members, counterparties and downstream users do not have to price fear into the ledger.