Editorial · EU regulatory enforcement

EAA first year: enforcement, penalties, and the compliance-rate trajectory across the EU 27

The European Accessibility Act — Directive (EU) 2019/882 — became enforceable across the Union on 28 June 2025, six years after adoption and three years after the Member-State transposition deadline. Twelve months in, the first wave of fines has landed, the Commission has named the laggards behind on transposition, and automated scan data has produced the first comparable compliance picture for EU-facing e-commerce. The headline: penalty ceilings now range from €5,000 in Estonia to roughly €1 million in Spain, transposition is formally complete in all 27/27 Member States but operationally uneven, and fewer than half of large EU e-commerce properties pass an automated WCAG 2.1 AA scan at the level the EAA implicitly requires. This is the first-year status report.

Findings · Case file EAA-Y106 entries · derived from Commission, national authorities, and scan data, mid-2026

What the first year of EAA enforcement shows

  1. 0127/27

    All 27 Member States have formally transposed Directive (EU) 2019/882 by mid-2026

    Formal adoption is complete. Operational readiness — designated market-surveillance authority, published complaint mechanism, penalty schedule in force — lags formal adoption in seven Member States.

  2. 02€5K–€1M

    Top per-violation penalty ceilings span two orders of magnitude across the Single Market

    €5,000 floors in Estonia and Slovenia, approx. €75,000–€100,000 ceilings in France, Germany, and the Netherlands, up to €1 million in Spain (Ley 11/2023), and turnover-percentage tiers up to 5% of annual turnover in Italy.

  3. 033

    Three Member States produced the first publicly-reported EAA enforcement actions

    Germany (BAFA), Spain (Ministerio de Asuntos Económicos), and France (ARCOM and DGCCRF) issued the first sanctioning resolutions and formal-notice tranches during the 2025–26 window — concentrated on e-commerce checkout flows and self-service kiosks.

  4. 04< 50%

    Fewer than half of major EU e-commerce properties pass an automated WCAG 2.1 AA scan at mid-2026

    The same rolling sample sat at 30–40% before the 28 June 2025 deadline. National coverage now ranges from roughly 30% in late-transposing Member States to 70% in the consumer-banking and regulated-transport segments.

  5. 05< 10 / €2M

    The microenterprise carve-out exempts services-side undertakings under 10 staff or €2M turnover

    Article 4(5) services-side exemption does not extend to products. Article 14’s disproportionate-burden defence carries the burden of proof and a five-year documentation requirement — and has not yet succeeded at the level of a whole-platform exemption.

  6. 06V3 → V4

    EN 301 549 V3.2.1 is the referenced harmonised standard; V4 (with WCAG 2.2) is in late-stage drafting

    V3.2.1 incorporates WCAG 2.1 Level AA. V4 — incorporating WCAG 2.2 — is expected to be referenced by the Commission within 18 months, with a transition period. French and German authorities are already treating WCAG 2.2 conformance as good-faith evidence.

SourceEuropean Commission DG JUST implementation note (March 2026); national market-surveillance authority bulletins (BAFA, AEPD, ARCOM, AgID, Tarbijakaitseamet); ETSI EN 301 549 drafting status; consolidated automated-scan dataset across approximately 4,000 EU-domain e-commerce properties, mid-2026.

In this report

What came into force, and when

The European Accessibility Act sets a harmonised minimum accessibility standard for a defined list of products and services placed on the EU market. Adopted on 17 April 2019 and published in the Official Journal as Directive (EU) 2019/882, it required Member States to transpose its provisions into national law by 28 June 2022, and required covered economic operators to comply with the substantive requirements from 28 June 2025. The five-year run-up was intentional: the Directive’s drafters knew it touched product lines (e-readers, smartphones, ATMs, self-service terminals) with multi-year hardware refresh cycles, and service categories (banking, e-commerce, e-ticketing, audio-visual media, electronic communications) where existing accessibility regimes varied widely.

The legal architecture is a directive, not a regulation: it sets the outcome each Member State must achieve and leaves the implementing mechanism — designated authorities, penalty schedules, complaint pathways, exemption procedures — to national legislatures. This is the source of most of the unevenness now visible at one year. The substantive requirements are common; the enforcement apparatus is not.

The covered scope is broad. On the products side: computers and operating systems, smartphones, smart-TV equipment, self-service terminals (ATMs, ticketing machines, check-in kiosks), e-readers, and consumer banking terminals. On the services side: consumer banking services, electronic communications, e-commerce, e-books and dedicated software, audio-visual media access components, transport e-ticketing and information services, and emergency communications via the European single emergency number 112. The Annex I functional requirements map closely — though not identically — to WCAG 2.1 Level AA for digital services, with the harmonised technical specification provided by EN 301 549 V3.x, which the European Commission referenced as the presumptive standard during 2024–25.

Transposition status: formally 27/27, operationally uneven

Top per-violation EAA penalty ceilings by Member State, mid-2026A horizontal-bar chart comparing the top per-violation penalty ceilings under the European Accessibility Act in seven EU Member States, on a logarithmic euro scale. Estonia 32,000 euros, Slovenia 40,000 euros, France approximately 75,000 euros, Netherlands approximately 87,000 euros, Germany 100,000 euros, Spain up to 1,000,000 euros. Italy is set as a percentage of turnover, up to 5 percent, and is shown separately.Top per-violation EAA penalty ceilingSelected EU Member States, mid-2026 · log scale, euros€10K€50K€100K€500K€1MEstonia€32KSlovenia€40KFranceapprox. €75KNetherlandsapprox. €87KGermany€100KSpainup to €1,000,000Italyup to 5% of annual turnover (not a € ceiling)Source: national transposition acts and market-surveillance authority bulletins, mid-2026.
Top per-violation penalty ceilings under the European Accessibility Act span two orders of magnitude across the Single Market — from a €32,000 ceiling in Estonia and €40,000 in Slovenia, through approximately €75,000–€100,000 in France, the Netherlands, and Germany, up to €1 million in Spain. Italy’s ceiling is set as a percentage of annual turnover (up to 5%) and is not directly comparable on a euro scale.

By the 28 June 2022 deadline, only a minority of Member States had transposing legislation in force. The Commission opened infringement proceedings against the laggard cohort during 2023 and issued reasoned opinions during the second half of 2024 against the Member States still missing the deadline. By mid-2025, the cohort had shrunk; by mid-2026, all 27 Member States have a transposition act on the books. The picture below is the formal status — what is enforceable on paper.

Selected EU Member-State transposition acts and penalty ceilings under the European Accessibility Act, mid-2026.
Member StateTransposition actTop per-violation penaltyMarket-surveillance authority
GermanyBarrierefreiheitsstärkungsgesetz (BFSG, 2021)€100,000BAFA / Länder authorities
FranceLoi n° 2005-102, RGAA implementing decrees (2023 update)approx. €75,000ARCOM / DGCCRF
SpainLey 11/2023 (de trasposición)up to €1,000,000Ministerio de Asuntos Económicos
ItalyD.lgs. n. 82/2022 (Stanca Law extension)up to 5% of turnoverAgID
NetherlandsImplementatiewet toegankelijkheidsvoorschriften (2022)approx. €87,000Agentschap Telecom (RDI)
EstoniaToodete ja teenuste ligipääsetavuse seadus (2022)€5,000–€32,000Tarbijakaitseamet (TTJA)
SloveniaZakon o dostopnosti proizvodov in storitev (2022)€10,000–€40,000Tržni inšpektorat
The transposition gap: formal versus operational readiness

The Estonia–Spain ceiling spread is two orders of magnitude. That is not a drafting accident: the Directive’s Article 30 requires penalties to be “effective, proportionate and dissuasive,” and leaves the absolute level to national legislatures. In smaller Member States, a five-figure ceiling is consistent with the rest of the consumer-protection penalty schedule; in Spain and Italy, the ceiling is consistent with general data-protection or competition-law ceilings, where the deterrent calculus is set against the turnover of the largest covered firms.

France and Germany sit between — high enough to matter to a national retailer, low enough that a multinational e-commerce platform would treat it as a cost of business if it appeared in isolation. The Commission’s own 2026 implementation report has signalled that the spread will be reviewed in the next consolidated review of the Directive, scheduled for 2030.

The first named enforcement actions

The penalty regimes mattered most in jurisdictions where the surveillance authority had a budget, a designated team, and a pre-existing accessibility enforcement track record. Three Member States produced the first publicly-reported fines during the 2025–26 enforcement window.

Germany — BAFA opens proceedings under the BFSG

The Federal Office of Economics and Export Control (BAFA), acting as the federal coordinating market-surveillance authority for the BFSG, opened a tranche of formal proceedings during the autumn of 2025 against e-commerce operators whose checkout flows failed the Annex I functional requirements on a programmatic check. The first publicly-reported penalty under the BFSG was issued in Q1 2026 against a mid-sized fashion e-commerce operator and sat in the upper-five-figure range. BAFA’s own communication noted that the Bundesländer authorities — which retain residual enforcement competence in several covered service categories — were running parallel investigations.

BAFA enforcement bulletin, Q1 2026
”Effective, proportionate, dissuasive — the Directive’s three words for penalties. After one year, the proportionality and effectiveness are visible. The dissuasion test is what 2027 will answer.”
— European Commission, Directorate-General for Justice and Consumers, EAA implementation note, March 2026

Spain — Ley 11/2023 produces the first published resolutions

The Spanish transposition act, Ley 11/2023, gave the Ministerio de Asuntos Económicos y Transformación Digital the lead surveillance role for digital services, with sector-specific competences retained by the Banco de España (banking interfaces) and the CNMC (electronic communications). The first sanctioning resolutions under Ley 11/2023 were published in late 2025 against operators of self-service kiosks at regional transport hubs. The penalty levels in the published resolutions were well below the €1 million ceiling — closer to the €50,000–€150,000 range typical of Spanish first-instance accessibility sanctions — but the public-resolution practice is itself novel: the published-decision regime gives the Spanish enforcement pipeline a deterrent visibility that, e.g., the German Länder-level proceedings do not have.

France — ARCOM and DGCCRF run on RGAA experience

ARCOM and the DGCCRF have shared competence under the French transposition, with ARCOM taking on audio-visual media services and electronic communications, and DGCCRF taking on e-commerce and consumer banking. The first DGCCRF formal-notice tranche under the EAA-implementing decrees landed in early 2026, with penalty proposals concentrated in the €15,000–€60,000 band. France’s pre-existing RGAA framework (Référentiel général d’amélioration de l’accessibilité) had given French enforcement authorities a decade of operational experience with which to triage EAA referrals — visible in the speed of the first-year action.

The microenterprise carve-out and the disproportionate-burden defence

Two structural exemptions in the Directive shape the enforcement landscape more than any of the penalty schedules. The first is the microenterprise exemption for service providers (Article 4(5)): undertakings with fewer than 10 staff and an annual turnover or balance-sheet total not exceeding €2 million are exempt from the services-side requirements. The carve-out does not apply to the products-side of the Directive, where a small-volume manufacturer faces the same conformity-assessment requirements as a multinational. The asymmetry is intentional — products bear the conformity-assessment burden once per model, services bear it per platform — but it has been challenged by small-business federations across multiple Member States during the transposition rounds, and the Commission’s 2030 review will revisit it.

Article 4(5) and Article 14 — the two structural exemptions

The microenterprise exemption (Article 4(5)) applies only to the services side of the Directive: a service provider with fewer than 10 staff and turnover or balance-sheet total under €2 million is exempt. A small-volume hardware manufacturer is not — it faces the same conformity-assessment regime as a multinational. The asymmetry is a deliberate trade-off between cost of compliance and conformity overhead.

The disproportionate-burden defence (Article 14) may be invoked by any covered operator. The burden of proof is on the operator and the supporting documentation must be retained for inspection for five years. In the first year of enforcement, the defence has succeeded for specific features (legacy product catalogues being grandfathered out until a planned platform migration) but not for headline service categories.

The second is the disproportionate-burden defence (Article 14): an economic operator may, under defined conditions, claim that a specific accessibility requirement would impose a disproportionate burden, with the burden of proof on the operator and a documentation requirement that the operator must keep available for five years for inspection. In the first year of enforcement, several Member States — Germany, Netherlands, France — have published guidance on how the disproportionate-burden assessment should be documented, including the cost–benefit calculation methodology and the threshold above which the defence is plausibly arguable. The early enforcement record suggests that the defence is rarely successful at the level of a whole-platform exemption: it has succeeded for specific features (e.g., legacy product catalogues being grandfathered out of the requirements until a planned platform migration) but not for headline service categories. The DGCCRF in particular has indicated that a disproportionate-burden claim covering a checkout flow on a major e-commerce platform would not be accepted absent unusual circumstances.

What the scan data shows

The hardest piece of the first-year picture has been measuring compliance. The Directive does not require any centralised reporting from covered firms; it requires Member States to provide market-surveillance authorities with the powers to inspect, request documentation, and apply penalties, and to publish summary enforcement data. The result is that the most comparable EU-wide compliance data comes not from regulators but from automated accessibility scans of public-facing URLs, run by a handful of academic groups and accessibility-tool vendors who have been publishing methodologically-similar samples since 2018.

The picture across those samples is consistent. In the months immediately before the 28 June 2025 deadline, programmatic scan-pass rates for major EU-domain e-commerce home pages and primary checkout flows hovered around 30–40% against a WCAG 2.1 AA rule set — the conformance level the EAA implicitly references. By mid-2026, the same rolling sample sits between 45% and 55%, with substantial variance by Member State and by sector.

WCAG 2.1 AA programmatic-scan pass rate by sector — EU sample, mid-2026
Consumer banking
approx. 72%
Regulated transport
approx. 68%
Electronic communications
approx. 58%
Audio-visual media
approx. 53%
E-commerce (large platforms)
approx. 48%
E-books / dedicated software
approx. 41%
E-commerce (fashion / regional retail)
approx. 34%

National variation: Member States with mature pre-EAA enforcement frameworks (Germany, France, Netherlands, Spain) cluster in the 55–70% range; Member States with no pre-EAA digital-accessibility enforcement (most of the Central and Eastern Europe cohort) cluster in the 30–45% range. Sectoral variation: consumer banking and regulated transport operators have closed the gap fastest, with first-pass rates often above 70%; independent fashion e-commerce and regional retail banking remain the hardest-trailing sectors.

Two caveats on the scan data matter. First, automated scans capture only a fraction of the accessibility issues a manual conformance audit would find — typically 25–40%, by the published rule of thumb from accessibility-tool vendors. (A free WCAG 2.2 scan will produce that 25–40% baseline on any public URL in under a minute.) A site that passes a programmatic scan is not necessarily WCAG 2.1 AA-conformant; a site that fails one almost certainly is not. Second, the Directive’s substantive requirements (Annex I) are framed as functional outcomes, not as a literal incorporation of WCAG. The relationship between WCAG 2.1 AA, EN 301 549 V3.2.1 (the harmonised standard), and the Annex I functional requirements is “presumption of conformity” rather than “is”: conforming to the standard creates a presumption that the Directive’s requirements are met, but the Directive’s requirements are the legal obligation.

The open standards question

The most-watched open question of the first year is the WCAG version reference. EN 301 549 V3.2.1 — the harmonised standard the Commission referenced during 2024–25 — incorporates WCAG 2.1 AA. WCAG 2.2 was published by the W3C in October 2023 and adds nine new success criteria, several of which (focus appearance, dragging movements, target size minimum) materially change what a conforming interface must do. EN 301 549 V4 — the revised harmonised standard incorporating WCAG 2.2 — is in late-stage drafting at ETSI as of mid-2026 and is expected to be referenced by the Commission within the following 18 months. Once referenced, it will become the presumptive technical standard for the Directive, with a transition period for covered operators.

The practical question for compliance teams is whether to design now to WCAG 2.1 AA (the current floor) or to WCAG 2.2 AA (the likely 2027 floor). Several of the early enforcement actions — particularly in France and Germany — have signalled that surveillance authorities will treat WCAG 2.2 conformance as evidence of good-faith compliance, even before the standard is formally referenced. The reverse — that WCAG 2.2-only failures would not be enforced against under a 2.1-referenced standard — has been less explicitly addressed but appears to be the working assumption.

The CRPD link

The EAA is the European Union’s most consequential piece of substantive accessibility legislation since the Union acceded to the UN Convention on the Rights of Persons with Disabilities in 2010. The Directive’s recitals explicitly cite Article 9 (Accessibility) of the CRPD as part of the legal basis. The Committee on the Rights of Persons with Disabilities has, since 2022, included the EAA’s transposition and enforcement progress in its concluding observations on EU Member States, treating it as the operational expression of Article 9 within the EU legal order. Several Member States — France, Spain, Germany — also remain bound by the CRPD Optional Protocol’s individual-communication procedure, which gives covered persons a route to bring accessibility complaints to the Committee where domestic remedies fail.

What 2026–27 will resolve

Four threads will determine whether the Directive’s first year is read as the start of substantive change or as a year of paper compliance.

  • The first cross-border enforcement action. All of the first-year fines have been issued against operators with a clear domestic presence in the sanctioning Member State. The Directive’s market-surveillance framework contemplates cross-border cooperation under Regulation (EU) 2019/1020, but no headline cross-border action has yet landed. The first such action — likely against a major non-EU e-commerce platform selling into multiple Member States — will set the tone for how the regime applies to operators without a single national point of accountability.
  • The EN 301 549 V4 reference. The Commission’s formal reference to the V4 harmonised standard (incorporating WCAG 2.2) will materially change the compliance bar. The expected transition period — likely 18–24 months from reference — will determine how aggressively surveillance authorities can act on WCAG 2.2-only failures in the intervening window.
  • The disproportionate-burden case law. No Member State has yet produced a published court decision on a contested disproportionate-burden defence under the EAA’s transposing legislation. The first such decision — particularly if it tests the documentation requirements at the level of a major retail platform — will shape the defence’s practical availability for the next decade.
  • The 2030 Commission review. The Directive requires the Commission to review its application by 28 June 2030 and to consider, among other matters, the scope of covered products and services, the penalty regime, and the microenterprise exemption. The first-year data is the baseline against which that review will be measured. The early signs from the Commission’s 2026 implementation note suggest that scope expansion — particularly to cover the built environment, which the current Directive only partially addresses — is the most likely substantive amendment.

One year in, the European Accessibility Act has moved from drafting question to enforcement question. The substantive obligation is settled. What is being decided now is what it costs to ignore.

The 27/27 formal transposition score flatters a still-uneven operational picture; the €5,000-to-€1-million penalty spread is wide enough to be a single-market problem the Commission will be asked to address; and the under-50% automated-scan compliance rate is both better than mid-2025 and far from where the Directive’s deadline implies it should be. The next twelve months will be defined by the first cross-border enforcement action, the EN 301 549 V4 reference, and the early court decisions on the disproportionate-burden defence.

Read more from Disability World on the EAA, on national regulations, on how compliance, conformance and accessibility differ, and on the wider 2026 reporting record.

Methodology and data: Findings synthesised from European Commission DG JUST implementation materials, national market-surveillance authority bulletins (Germany, Spain, France, Italy, Netherlands, Estonia, Slovenia), the Commission’s infringement decisions register, and a consolidated automated-scan dataset of approximately 4,000 EU-domain e-commerce home pages and primary checkout flows, sampled across 2024–2026 by a vendor consortium publishing methodologically-similar samples (WebAIM, Deque, Siteimprove rolling reports). Automated scans capture an estimated 25–40% of the accessibility issues a manual audit would identify.

Legal context: Directive (EU) 2019/882 (European Accessibility Act), OJ L 151, 7.6.2019. Member-State transposition acts: Barrierefreiheitsstärkungsgesetz (BFSG, 2021, Germany); Loi n° 2005-102 and the 2023 RGAA-update implementing decrees (France); Ley 11/2023 (Spain); D.lgs. 27 maggio 2022, n. 82 (Italy); Implementatiewet toegankelijkheidsvoorschriften (2022, Netherlands); Toodete ja teenuste ligipääsetavuse seadus (2022, Estonia); Zakon o dostopnosti proizvodov in storitev (2022, Slovenia). Harmonised standard: ETSI EN 301 549 V3.2.1, with V4 in drafting. W3C Web Content Accessibility Guidelines 2.1 (June 2018) and 2.2 (October 2023). Cross-border framework: Regulation (EU) 2019/1020 on market surveillance and compliance of products. CRPD Article 9 (Accessibility) and the Optional Protocol individual-communication procedure.

Primary sources: (1) Directive (EU) 2019/882, OJ L 151, 7.6.2019, eur-lex.europa.eu/eli/dir/2019/882/oj. (2) European Commission, EAA implementation note and first-year status report, DG JUST Unit D.3, March 2026. (3) European Commission, Infringement decisions register, 2023–2025 rounds. (4) Bundesministerium für Arbeit und Soziales, BFSG, BGBl. I 2021, p. 2970; BAFA market-surveillance bulletins. (5) BOE, Ley 11/2023, de 8 de mayo, BOE-A-2023-10952. (6) République française, Loi n° 2005-102 du 11 février 2005 with 2023 implementing decrees; RGAA versions in force. (7) Gazzetta Ufficiale, D.lgs. 27 maggio 2022, n. 82; Stanca Law framework and AgID guidance. (8) ETSI, EN 301 549 V3.2.1 and V4 drafting status, etsi.org/standards. (9) W3C, WCAG 2.1 (June 2018) and WCAG 2.2 (October 2023), w3.org/WAI/standards-guidelines/wcag. (10) Regulation (EU) 2019/1020 on market surveillance and compliance of products. (11) Consolidated automated-scan dataset, mid-2026: methodologically-similar WCAG 2.1 AA programmatic checks across approximately 4,000 EU-domain e-commerce home pages and primary checkout flows; vendor-consortium aggregation, methodology note available on request.

What this article is not: This is a first-year status report. It is not legal advice. National penalty schedules, designated authorities, and operational guidance evolve quarterly; covered operators should consult qualified counsel for jurisdiction-specific compliance questions.