How to calculate your TTPA Compliance risk?
Thinking like a lawyer and thinking like a compliance officer are deeply interlinked and related but fundamentally different.
As a lawyer you are always making an argument in front of a court of law. Will the judge or jury follow my chain of arguments? You prepare for the battle.
As a compliance officer I have to answer a different question: How can I reduce and mitigate the risk? How can I avoid the battle?
In a way our job as compliance officers is to make things smaller and less threatening – long before the lawyer will have to think about how to defend us in court.
How do you calculate risk?
So if we are supposed to make threats "smaller", how do we know what small and large actually mean? How do we measure the risk exposure?
The general formula for calculating risk exposure is:
Let's take a closer look at what that means:
- Assets at risk means: how much is there to lose? The maximum penalty for non-compliance with the TTPA Regulation for political advertising is up to 6% of annual revenue – or for non-profit entities, like political parties or NGOs, up to 6% of their annual budget.
Naturally, if you represent a large corporation with millions or billions in annual revenue, the assets at risk are significantly higher than if you work for a small NGO, where 6% of the annual budget – though a painful loss – is still a comparatively smaller loss.
How vulnerable are you?
Vulnerability measures how likely you are to make a mistake. In the context of TTPA, two factors drive this:
- How many people in your organization publish content that could fall under the regulation
- How frequently they publish
A political party with 2,789 regional chapters, each with a handful of activists posting daily on social media? That's maximum vulnerability. Thousands of people, no centralized approval, constant output. Every post is a potential compliance failure.
A corporation with a dedicated public affairs team running a handful of campaigns per year, all reviewed by legal before publication? That's minimal vulnerability. Few publishers, low frequency, controlled process.
You can score this on a simple matrix:
| Factor | Low (0-39%) | Medium (40-69%) | High (70-100%) |
|---|---|---|---|
| Number of publishers | <10 | 10-100 | 100+ |
| Publication frequency | Monthly | Weekly | Daily |
Now, we calculate the average of these two vulnerability percentages.
The political party: (90% + 90%) / 2 = 90%
The corporate public affairs team: (30% + 20%) / 2 = 25%
Exposure depends on two factors:
1. Reach:
How large is your audience? Content distributed to millions across multiple platforms carries different risk than flyers handed out at a neighborhood shopping mall.
2. Polarity:
How controversial is your agenda? The more polarizing your position, the more opponents you have who are motivated to report you. A complaint can trigger an official audit and investigation. If you're campaigning to introduce the death penalty for shoplifting, expect maximum scrutiny. If you're advocating for a bike lane near a school, probably not.
| Factor | Low (0-39%) | Medium (40-69%) | High (70-100%) |
|---|---|---|---|
| Reach | Local/hundreds | Regional/thousands | National/millions |
| Polarity | Consensus issues | Contested policy | Culture war topics |
Again, calculate the average of these two percentages to estimate your exposure.
Low exposure:
(Example) A neighborhood initiative handing out a few hundred flyers for a new bike lane for school kids:
reach = low (10%) – just your neighbors and people on the street
polarity = low (20%) – only a weirdo will be offended by this.
result = (10% + 20%) / 2 = 15%
High exposure:
(Example) A national campaign advocating the death penalty for wearing skinny jeans:
reach = maximum (100%) if you run this nationwide on TV, print and social.
polarity = very high (90%). There are still many people who think wearing skinny jeans is somehow appropriate. 🤷🏼‍♂️
result = (100% + 90%) / 2 = 95%
Exposure is the factor most organizations underestimate.
You may have perfect compliance processes, but if your reach is massive and your positions divisive, you're a target.
Putting it all together
Let's run the math with some examples:
Example A: a small, controversial party
A small political party, arguing that solar energy should be abandoned and made illegal. They have an annual budget of 4,000,000€ and run TV and radio commercials, print ads and have hired a social media agency.
The Risk Assessment
| Factor | Amount | Note |
|---|---|---|
| Assets at risk | 240,000€ | potential fine of up to 6% of their annual budget (4,000,000€) |
| Vulnerability from amount of people involved | 70% | professional agencies and media providers, but also a few hundred members and activists. Difficult to educate and monitor. |
| Vulnerability from publishing frequency | 90% | multiple nationwide campaigns plus daily social media posts quickly add up to a lot of content that might be covered under the TTPA as political advertising. |
| Vulnerability Total | 80% | |
| Exposure from reach | 90% | nationwide campaign will draw a lot of eyeballs |
| Exposure from polarity | 90% | wanting to make solar energy illegal sounds very controversial (and insanely stupid) |
| Exposure Total | 90% | |
The Risk Exposure
Keep in mind that's the risk exposure for the political party, or in terms of the TTPA the "Sponsor" of that campaign.
Risk is different for each stakeholder!
The math quickly becomes different for other parties involved.
Say this party also publishes a professionally made newsletter, which it sends out with the help of an ESP (email service provider), like Brevo, Mailchimp or Klaviyo.
Here the "Assets at risk" is the annual revenue of the ESP. In the case of Brevo (formerly Sendinblue) that's a lot of money. They just announced that they have surpassed €200 million in 2025.
In terms of TTPA compliance, this means a maximum of up to €12 million in fines.
For them the risk exposure looks like this:
Example B: A small local initiative
A neighborhood parents' group wants a new bike lane near the local elementary school. Their annual budget is €12,000, mostly from donations and a small municipal grant. They hire a local marketing freelancer to design and print flyers and manage their Facebook page.
The Risk Assessment
| Factor | Amount | Note |
|---|---|---|
| Assets at risk | €720 | potential fine of up to 6% of their annual budget (€12,000) |
| Vulnerability from amount of people involved | 2 | one freelancer, easy to brief and monitor |
| Vulnerability from publishing frequency | 3 | weekly Facebook posts, occasional flyers |
| Vulnerability Total | 6 | |
| Exposure from reach | 2 | a few hundred neighbors and parents |
| Exposure from polarity | 1 | bike lanes for school kids? Nobody's enemy. |
| Exposure Total | 2 | |
The Risk Exposure
Note:
We have yet to see what fines the national implementation laws will foresee and how this will work in practice. (In Germany the Politische Werbung Transparenz Gesetz (PWTG) has just been debated for the first time in the Bundestag, a few days ago.)
What does this mean for you?
The TTPA doesn't treat everyone equally — and it shouldn't worry everyone equally either. A €7 million risk exposure demands a compliance strategy. A €480 risk exposure demands common sense.
The hard part is knowing where you fall on that spectrum. And the rules are new, complex, and still being interpreted.
We'll keep breaking them down here. Subscribe to stay informed.