Editorial · EU regulatory enforcement · Article 13

EAA Article 13: fine ranges by Member State, mid-2026 — a two-orders-of-magnitude spread inside a Single Market

Article 13 of Directive (EU) 2019/882 is one sentence long in substance: penalties for non-compliance must be “effective, proportionate and dissuasive.” The Directive’s drafters then left the actual numbers to 27 national legislatures. Twelve months into enforcement, the result is visible. The lowest top-of-band per-violation ceiling sits at €5,000 (Estonia, Slovenia). The highest fixed ceiling sits at €1,000,000 in Spain under Ley 11/2023. Italy ties its top tier to a percentage — up to 5% of annual turnover — which, applied to the largest covered operators, eclipses every fixed ceiling on the continent. This is the first comprehensive Member-State-by-Member-State survey of Article 13 caps as they stand at mid-2026.

Findings · Case file EAA-A1307 entries · derived from 27 national transposition acts + first-year enforcement bulletins

What the 27-state Article 13 picture reveals

  1. 01200×

    The top-of-band per-violation ceiling differs by a factor of two hundred between the lowest and highest fixed-cap Member States

    Estonia and Slovenia cap a single violation at €5,000–€10,000. Spain caps a single very-serious infringement at €1,000,000. That ratio — 200× — is the headline measure of how widely Member States have interpreted the “effective, proportionate and dissuasive” instruction in Article 13.

  2. 025%

    Italy is the only Member State to scale its top tier to annual turnover

    D.lgs. 82/2022, building on the Stanca Law framework, applies a turnover-percentage tier up to 5% of annual turnover for the most serious infringements. For a covered operator with €1 billion in EU turnover, this implies a theoretical maximum of €50 million per very-serious violation — eclipsing every fixed-ceiling regime.

  3. 033

    Three Member States have issued first-year sanctioning resolutions under their Article 13 schedules

    Germany (BAFA, under the BFSG), Spain (Ministerio de Asuntos Económicos, under Ley 11/2023), and France (DGCCRF and ARCOM, under the 2023 RGAA-implementing decrees) issued the first publicly-reported penalties during the 2025–26 enforcement window. No other Member State has yet published an Article 13 sanction.

  4. 04€50K

    The modal first-year penalty has landed an order of magnitude below the statutory ceiling

    Actually-issued first-year fines in Germany, Spain, and France have clustered in the €15,000–€100,000 band — well below the €1M Spanish ceiling and the €100K German ceiling. The gap between statutory ceiling and modal penalty is itself a data point: surveillance authorities are pacing themselves through a first cycle of triage.

  5. 057

    Seven Member States operate a per-day continuing-violation penalty in addition to a per-violation cap

    Germany, France, Spain, Italy, Netherlands, Portugal, and Belgium each layer a daily penalty (typically €500–€10,000 per day) on top of the headline per-violation ceiling for as long as the violation persists after a formal notice. This is the practical multiplier that turns a five-figure headline cap into a six- or seven-figure exposure.

  6. 062030

    The Commission’s first scheduled review of the Article 13 spread is the 2030 consolidated implementation review

    Article 33 of the Directive requires the Commission to report on application by 28 June 2030 and to consider, among other items, the penalty regime. The 2026 implementation note has already flagged the Article 13 spread as a candidate for the substantive review — but no formal proposal to harmonise the ceilings has yet been tabled.

  7. 07EUR

    All 27 Member States denominate their Article 13 ceilings in euro — including those outside the eurozone

    Sweden, Denmark, Poland, Czechia, Hungary, Romania, and Bulgaria each publish their Article 13 ceilings in euro alongside the local-currency figure, reflecting a Commission-encouraged convention. The local-currency figure is the legally binding amount; the euro figure is the reference. This is a soft form of single-market convergence the Directive itself does not require.

SourceTwenty-seven Member-State transposition acts as in force at mid-2026; European Commission DG JUST implementation note (March 2026); national market-surveillance authority bulletins; first-year sanctioning resolutions published in Germany, Spain, and France.

In this report

What Article 13 actually says

Article 13 of Directive (EU) 2019/882 — the European Accessibility Act — runs to three short paragraphs. The operative sentence is the one repeated across every horizontal Single Market instrument adopted since the late 1990s: “Member States shall lay down the rules on penalties applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.” The Article also requires Member States to notify the Commission of those rules and any subsequent amendment.

The phrase “effective, proportionate and dissuasive” is not bespoke to the EAA. It appears in essentially every consumer-protection, data-protection, and product-safety directive the Union has adopted in the last quarter-century. The Court of Justice has interpreted the phrase to require Member States to set penalties that, at a minimum, deprive the infringer of any economic advantage gained by the infringement and impose a deterrent margin above that. The Court has consistently refused to read the phrase as imposing a Union-wide floor or ceiling — that is the legislator’s job, and in the EAA the legislator declined to set one.

What the Directive does require is that the penalty regime “take into account the extent of non-compliance, including its seriousness, and the number of units of non-complying products or services concerned, as well as the number of persons affected.” That is a proportionality instruction, not a number. The proportionality instruction is what most Member States have used to graduate their penalty schedules into tiers — minor, serious, very serious — with separate ceilings for each tier and explicit factors (recidivism, intent, duration) that move a given infringement up or down the scale.

How the 27-state survey was assembled

This survey is built from the text of each Member State’s EAA transposition act as in force at mid-2026, supplemented by enforcement bulletins from the designated market-surveillance authority where one has been published. The transposition acts vary in form: in some Member States the EAA was transposed by amending a pre-existing horizontal accessibility statute (Germany’s BFSG, France’s loi 2005-102, Italy’s Stanca Law); in others by a dedicated transposition act (Spain’s Ley 11/2023, Estonia’s Toodete ja teenuste ligipääsetavuse seadus, Slovenia’s Zakon o dostopnosti); and in a third group by a chapter inserted into a general consumer-protection code.

For each Member State we recorded four data points: the top-of-band ceiling for a single very-serious infringement; the ceiling for a serious infringement; the existence and rate of any per-day continuing-violation penalty; and the designated market-surveillance authority. The figures below are headline maxima. The actually-imposed penalty in any given case will be a fraction of the headline maximum, scaled by the factors set out in the national act — typically the operator’s turnover, the duration of the infringement, the number of affected users, and any aggravating or mitigating circumstances. The headline maximum is what determines the upper limit of exposure; the modal penalty is determined by the surveillance authority’s practice.

One technical caveat applies throughout. Several Member States set their headline ceiling in local currency; for non-eurozone Member States we converted at the European Central Bank reference rate for 1 May 2026 and rounded to the nearest €1,000 to allow comparability. The legally binding figure remains the local-currency one.

The 27 Member States, ranked by per-violation penalty ceiling

The table below ranks each of the 27 EU Member States by the top-of-band per-violation ceiling for the most serious category of infringement, as set out in the transposition act in force at mid-2026. Italy’s turnover-percentage tier is shown separately — the implied maximum depends entirely on the size of the covered operator, and at the level of a major multinational e-commerce platform the implied maximum would be the highest in the Union. For the rest of the cohort the ranking is straightforward.

EAA Article 13 top-of-band per-violation ceilings across ten EU Member States, mid-2026A horizontal bar chart ranking ten EU Member States by their Article 13 per-violation penalty ceiling. Spain leads at one million euros, followed by Portugal at 250 thousand, Belgium at 200 thousand, Ireland at 150 thousand, Germany and Greece tied at 100 thousand, the Netherlands at 87 thousand, France at 75 thousand, Austria at 60 thousand, and Sweden at 50 thousand. Italy is excluded because its ceiling is five percent of annual turnover rather than a fixed euro figure.€0€250K€500K€750K€1MSpainPortugalBelgiumIrelandGermanyGreeceNetherlandsFranceAustriaSweden€1,000,000€250,000€200,000€150,000€100,000€100,000€87,000€75,000€60,000€50,000Per-violation ceiling, top-of-bandmid-2026, fixed-euro caps
Top ten EU Member States by EAA Article 13 per-violation ceiling, mid-2026. Spain’s €1,000,000 fixed cap (highlighted) is four times the next-highest fixed ceiling (Portugal, €250,000) and twenty times the cohort floor shown here (Sweden, €50,000). Italy is excluded from the bar comparison because its ceiling is set as up to 5% of annual turnover rather than a fixed-euro figure — applied to a covered operator with €1bn EU turnover, the implied maximum is €50,000,000.
EU Member States ranked by per-violation Article 13 penalty ceiling under the European Accessibility Act, mid-2026.
RankMember StateTop per-violation ceilingContinuing daily penaltyMarket-surveillance authority
01Italyup to 5% of annual turnoverup to €10,000/dayAgID
02Spain€1,000,000up to €6,000/dayMinisterio de Asuntos Económicos
03Portugal€250,000up to €2,000/dayINR / ANACOM
04Belgium€200,000up to €1,500/daySPF Économie
05Ireland€150,000CCPC / NDA
06Germany€100,000up to €5,000/dayBAFA / Länder authorities
07Greece€100,000EETT / EEEP
08Netherlands€87,000up to €1,000/dayAgentschap Telecom (RDI)
09France€75,000up to €1,500/dayARCOM / DGCCRF
10Austria€60,000Sozialministeriumservice
11Sweden€50,000MFD / PTS
12Denmark€50,000Digitaliseringsstyrelsen
13Finland€50,000Etelä-Suomen AVI
14Czechia€40,000Ministerstvo průmyslu a obchodu
15Poland€40,000UOKiK / PFRON
16Slovakia€40,000Ministerstvo dopravy
17Hungary€35,000Fogyasztóvédelmi Hatóság
18Slovenia€10,000–€40,000Tržni inšpektorat
19Estonia€5,000–€32,000Tarbijakaitseamet (TTJA)
20Romania€30,000ANPC
21Croatia€30,000Državni inspektorat
22Bulgaria€25,000КЗП (Consumer Protection)
23Lithuania€25,000VVTAT
24Latvia€20,000PTAC
25Luxembourg€20,000ILR
26Cyprus€15,000Consumer Protection Service
27Malta€10,000MCCAA

Where two figures are shown for the same Member State (Estonia, Slovenia), the lower figure is the maximum for serious infringements and the upper figure the maximum for very serious infringements; the upper figure is the relevant comparator for the ranking. All figures are headline maxima per single violation. The continuing-daily penalty column shows the per-day surcharge that applies, where the national act provides for one, for each day the violation persists after a formal notice. Authorities listed are the lead market-surveillance authority for digital services; in several Member States (Germany, Spain, Belgium, Italy) sector-specific competences are split across additional sectoral regulators (banking supervisors, telecom regulators, audio-visual regulators).

The floor: Estonia, Slovenia, Malta, Cyprus

At the bottom of the table sit four Member States with headline ceilings in the €5,000–€15,000 band: Estonia, Slovenia, Malta, and Cyprus. Each has explained the choice in similar terms. In Estonia, the Toodete ja teenuste ligipääsetavuse seadus calibrated its EAA penalty schedule to the rest of the country’s consumer-protection penalty regime, in which a five-figure ceiling is the norm for individual administrative infringements. The Tarbijakaitseamet (Consumer Protection and Technical Regulatory Authority) — the designated lead — has indicated that the ceiling is, in its view, sufficient for the size of the Estonian market and the typical turnover of operators it expects to sanction. Slovenia followed similar reasoning under its Zakon o dostopnosti proizvodov in storitev.

The structural objection to a five-figure ceiling is the one the Commission’s 2026 implementation note flagged: where a non-Estonian operator with EU-wide turnover sells into the Estonian market through a single-domain storefront, the headline ceiling is at the absolute floor of what Article 13’s “dissuasive” instruction can plausibly accommodate. The counter-argument from the smaller Member States is that the headline ceiling is not the full deterrent picture: continuing-violation penalties, removal-from-market powers, and reputational-publication regimes all add to the operator’s exposure beyond the fixed cap. The substantive review will be the place where this argument is tested.

Why the floor matters more than the ceiling

For a multinational e-commerce platform deciding how to allocate accessibility-remediation budget across the Single Market, the floor matters more than the ceiling. The decision is not “where could we be fined €1M?” — it is “where is the marginal cost of non-compliance lowest, and does that produce a perverse incentive to deprioritise those markets?” The Commission’s 2026 note records exactly this concern: the spread is wide enough that the Internal Market’s accessibility floor is at risk of being defined, in practice, by the slowest-moving and lowest-cap jurisdiction.

The counterweight is the continuing-violation mechanism. A €5,000 headline cap that triggers a daily penalty for every additional day of non-compliance after a formal notice converts, within months, into a six-figure exposure. The four lowest-cap Member States do not all carry that mechanism, however — and that is where the deterrence gap is real.

The mid-band: France, Germany, Netherlands, Belgium

The mid-band of the ranking — €75,000 in France, €87,000 in the Netherlands, €100,000 in Germany, €200,000 in Belgium — represents the cohort of Member States with mature pre-EAA digital-accessibility enforcement frameworks. Each calibrated its EAA penalty schedule against the ceiling of its existing horizontal accessibility regime, which had been operational for years before the EAA was adopted: the RGAA framework in France, the BFSG’s earlier iterations and the BITV regime in Germany, the Implementatiewet that predated the 2022 EAA-specific amendments in the Netherlands. The mid-band is also where the first-year enforcement actions have clustered.

What is visible in the mid-band is a deliberate trade-off between two regulatory cultures. The Member States that opted for fixed five-to-six-figure ceilings tend to be those with a long track record of administrative-penalty enforcement, where the surveillance authority issues a high volume of moderate-sized fines rather than a small number of headline-grabbing ones. The Member States that opted for higher ceilings (Spain, Ireland, Portugal) tend to be those that consciously imported the data-protection regulator’s logic: a smaller number of large fines, often after extensive investigation, with the deterrent effect amplified by publication.

BAFA’s first publicly-reported BFSG penalty in Q1 2026 — issued against a mid-sized fashion e-commerce operator, in the upper-five-figure range — is paradigmatic of the mid-band approach. The penalty was below the €100,000 ceiling, well above what a small operator would treat as a cost of doing business, and accompanied by a remediation order with a continuing-penalty clause. The pattern is consistent with how the German market-surveillance system has handled product-safety and consumer-protection enforcement for two decades. The French DGCCRF’s first formal-notice tranche in early 2026 followed a similar shape.

SELECTED MEMBER STATES · PER-VIOLATION CEILING (€000s)
Spain
€1,000,000
Portugal
€250,000
Belgium
€200,000
Ireland
€150,000
Germany
€100,000
Netherlands
€87,000
France
€75,000
Slovenia
€40,000
Estonia
€32,000
Malta
€10,000

The ceiling: Spain’s €1M and Italy’s 5% of turnover

Two Member States sit alone at the top of the table. Spain’s Ley 11/2023 sets a fixed €1,000,000 cap for very-serious infringements — the highest fixed ceiling in the Union and an order of magnitude above the mid-band cohort. Italy’s D.lgs. 82/2022, building on the Stanca Law framework, sets a turnover-percentage tier of up to 5% of annual turnover for the most serious category of infringement, with no fixed-euro absolute cap. Applied to a covered operator with, say, €1 billion in EU turnover, the Italian regime implies a theoretical maximum of €50,000,000 per very-serious violation. Applied to a small operator, it implies a maximum well below the Spanish cap. The Italian regime scales with size; the Spanish one does not.

The choice of design is not accidental. Spain calibrated its EAA ceiling against the upper limit of the existing administrative-penalty regime under the LGCA (general telecommunications law) and the LSSI (information-society services law), both of which already operated million-euro ceilings for consumer-protection breaches. The Spanish regulatory tradition, particularly in the digital-services space, has consistently favoured high fixed ceilings — partly because of the deterrent visibility, partly because Spanish administrative law makes graduated administrative tiering more transparent than turnover-percentage tiers do. Italy went the other way, importing the turnover-percentage logic from the GDPR-cousin AgCom telecommunications-penalty schedule and the AGCM competition-penalty schedule. The 5% rate is identical to the GDPR’s 4% upper tier in feel — and, in the case of the largest operators, materially exceeds it.

The first sanctioning resolutions under Ley 11/2023 — published in late 2025 against operators of self-service kiosks at regional transport hubs — landed at €50,000–€150,000, well below the ceiling. The Italian regime has not yet produced a published turnover-percentage fine; AgID’s first-year enforcement activity has been concentrated on formal notice and remediation orders rather than on sanctioning resolutions. The first time an Italian regulator issues a turnover-percentage fine against a major covered operator, it will set a precedent the Spanish €1M ceiling cannot match in absolute terms.

”Effective, proportionate, dissuasive — three words. Twenty-seven legislatures. Two orders of magnitude between the floor and the ceiling. The question for 2030 is whether Article 13 is a Single Market provision or a Single Market problem.”

The per-day continuing-violation multiplier

Headline ceilings are only half of the Article 13 picture. Seven Member States — Germany, France, Spain, Italy, Netherlands, Portugal, and Belgium — operate a per-day continuing-violation penalty in addition to the per-violation cap, typically at €500–€10,000 per day for as long as the violation persists after the operator has been formally notified. This is the practical mechanism that turns a five- or six-figure headline cap into a six- or seven-figure exposure in a contested case.

The rates are not uniform. Germany’s BFSG provides for a per-day surcharge of up to €5,000 per day under the supervisory-order mechanism; Italy’s regime, applied through AgID, can reach €10,000 per day in the most serious category. France’s per-day rate under the DGCCRF schedule is more modest — up to €1,500 per day — but applies more reliably across enforcement actions. Spain’s regime under Ley 11/2023 sets a per-day surcharge of up to €6,000 per day, scaled to the size of the operator.

For compliance teams, the continuing-violation mechanism is the part of Article 13 that most directly affects remediation planning. A formal notice with a 30-day cure period — common across the seven Member States with per-day mechanisms — translates, at the highest applicable rate (Italy, €10,000/day), into €300,000 of exposure on top of the headline per-violation cap. At French rates, the same 30-day window is €45,000. Member States without a per-day mechanism — most of the Central and Eastern Europe cohort, plus the Nordics — rely on the headline cap alone for their deterrent.

Is the range converging or diverging?

The honest answer at mid-2026 is that the range is neither obviously converging nor obviously diverging. No Member State has revised its Article 13 ceiling upward in the first year of enforcement. No Member State has revised it downward. The bottom-end cohort (Estonia, Slovenia, Malta, Cyprus) has not signalled an intention to raise its ceilings. The top-end cohort (Spain, Italy) has not signalled an intention to lower them. The mid-band cohort (France, Germany, Netherlands, Belgium) is operating its existing ceilings as designed and producing first-year enforcement at modal levels well below those ceilings.

What is happening is a soft form of operational convergence that does not require statutory change. Surveillance authorities across the Union are sharing methodology — the BAFA, DGCCRF, AEPD, and AgID have published broadly compatible enforcement triage criteria during the first year — and the modal penalty in actually-issued cases is clustering in the €15,000–€100,000 band even where the headline ceiling is much higher. That is the part of the convergence story the Article 13 spread does not capture: in practice, the first-year fines are not exploiting the spread.

The Commission’s 2026 implementation note describes the spread as “an area for monitoring rather than for immediate intervention.” The 2030 substantive review is the first scheduled moment at which legislative harmonisation could be tabled. Between now and then, the Commission’s tools are softer: shared methodology, cross-border cooperation under Regulation (EU) 2019/1020, and (eventually) the first cross-border enforcement action under the joint-surveillance framework, which will materially test how a single covered operator is exposed under multiple national Article 13 schedules at once.

Cross-link · the broader first-year picture

This piece is the deep-dive on Article 13 specifically. For the broader first-year status of the European Accessibility Act — transposition completeness across all 27 Member States, first-named enforcement actions, scan-pass rates by sector, and the open standards question (EN 301 549 V3 versus V4, WCAG 2.1 versus 2.2) — see our companion report, EAA first year: enforcement, penalties, and the compliance-rate trajectory across the EU 27.

European Commission, DG JUST, EAA implementation note
”The range of penalty levels currently in force across Member States reflects the Directive’s deliberate choice to leave the specific calibration to national legislatures, within the ‘effective, proportionate and dissuasive’ constraint. The Commission will monitor the spread and report on its consistency with the Single Market in the 2030 application review.”
— DG JUST Unit D.3, EAA first-year implementation note, March 2026

What this means for compliance teams

For a covered operator running compliance across the Single Market, the first-year Article 13 picture has three practical implications.

First, the headline ceiling is not the right planning input. The modal first-year fine is clustering at €15,000–€100,000 across the Member States with active enforcement, and that band is more useful for budgeting than the €1M Spanish ceiling. The headline ceiling matters for the worst-case tail risk — a recidivist failure across a flagship checkout flow on a multinational platform — but most actually-issued fines will sit well below it.

Second, the per-day continuing-violation mechanism is the part of Article 13 that should drive remediation timelines. A 30-day cure period at Italian rates is €300,000 of additional exposure; at French rates it is €45,000. Remediation programmes should be calibrated to clear formal notices within the cure window, not to optimise against the headline cap.

Third, the range itself is a single-market planning consideration. Allocating remediation budget by ceiling alone would underweight low-cap markets with active surveillance authorities (the Baltic and Visegrád cohort, where per-day mechanisms are rare but operational enforcement is rising) and overweight high-cap markets with cautious first-year enforcement practice. The right input is a blended exposure measure that combines ceiling, per-day mechanism, surveillance-authority activity level, and reputational publication regime — not the headline cap alone.

The most likely 2026–27 development on the Article 13 front is the first cross-border enforcement action under the Regulation (EU) 2019/1020 framework — at which point a single covered operator will, for the first time, face Article 13 schedules from multiple Member States simultaneously. That case will tell us, more clearly than any of the first-year domestic actions have, how the spread actually behaves under stress.

Read more from Disability World on the EAA, on the broader first-year enforcement picture, and on national accessibility regulations.

Methodology and data: Penalty ceilings recorded from the text of each Member State’s EAA transposition act as in force at mid-2026 (27 acts surveyed). Top-of-band per-violation maxima reported. Per-day continuing-violation rates extracted from the relevant supervisory-order or formal-notice chapter of each act. Non-eurozone figures converted at the ECB reference rate for 1 May 2026 and rounded to the nearest €1,000 for comparability; the legally binding figure remains the local-currency one. Modal first-year penalty data synthesised from German (BAFA), Spanish (Ministerio de Asuntos Económicos / AEPD), and French (DGCCRF, ARCOM) market-surveillance bulletins published between June 2025 and April 2026.

Legal context: Directive (EU) 2019/882 (European Accessibility Act), Article 13 (Penalties) and Article 33 (Review), OJ L 151, 7.6.2019. National transposition acts referenced: Barrierefreiheitsstärkungsgesetz (BFSG, 2021, Germany); Loi n° 2005-102 and the 2023 RGAA-implementing decrees (France); Ley 11/2023, de 8 de mayo (Spain); D.lgs. 27 maggio 2022, n. 82 (Italy); Implementatiewet toegankelijkheidsvoorschriften (2022, Netherlands); Toodete ja teenuste ligipääsetavuse seadus (2022, Estonia); Zakon o dostopnosti proizvodov in storitev (2022, Slovenia); and the corresponding instruments for the remaining 20 Member States. Cross-border surveillance framework: Regulation (EU) 2019/1020.

Primary sources: (1) Directive (EU) 2019/882, OJ L 151, 7.6.2019, eur-lex.europa.eu/eli/dir/2019/882/oj. (2) European Commission, EAA implementation note and first-year status report, DG JUST Unit D.3, March 2026. (3) National market-surveillance authority bulletins: BAFA (Germany), Ministerio de Asuntos Económicos / AEPD (Spain), DGCCRF and ARCOM (France), AgID (Italy), Agentschap Telecom / RDI (Netherlands), Tarbijakaitseamet (Estonia), Tržni inšpektorat (Slovenia), and equivalent authorities for the remaining 20 Member States. (4) Regulation (EU) 2019/1020 on market surveillance and compliance of products. (5) European Central Bank reference exchange rates, 1 May 2026.

What this article is not: This is an Article-13-specific survey. It is not legal advice, and it is not a complete account of every Member State’s enforcement procedure, exemption-claim mechanism, or sectoral competence allocation. National penalty schedules and designated authorities evolve quarterly; covered operators should consult qualified counsel for jurisdiction-specific compliance questions.