Editorial · EU regulatory enforcement · Year 2

EAA enforcement, year 2: penalty data from member-state market-surveillance authorities — named actions, stacked against the year-1 baseline

Year 2 of European Accessibility Act enforcement opened on 28 June 2026 with the regime no longer new. Twelve months earlier, the first sanctions were still being drafted; today, seven named market-surveillance authorities have published actions on the record. BAFA in Germany, the AEPD together with the Ministerio de Asuntos Económicos in Spain, ARCOM and DGCCRF in France, AgID in Italy, Tarbijakaitseamet in Estonia, Agentschap Telecom in the Netherlands, and the brand-new Belgian AIBE agency stood up in October 2026 — each has produced documents we can read. This piece is the year-2 status report. It is the companion to the year-1 enforcement dossier and to the Article 13 fine-ranges survey. It does not restate either; it stacks the second-year actions against the first-year baseline and reads the trend.

Findings · Case file EAA-Y207 entries · derived from seven national market-surveillance authorities, June 2026 to May 2027 (partial)

What the second year of EAA enforcement shows

  1. 017

    Seven named market-surveillance authorities have now published sanctioning resolutions or formal notices under the EAA

    Year 1 ended with three authorities on the public record. Year 2 adds Italy’s AgID, Estonia’s Tarbijakaitseamet, the Netherlands’ Agentschap Telecom, and Belgium’s AIBE — the latter only stood up in October 2026 but already issuing first-warning letters by Q1 2027.

  2. 023.4×

    Total recorded enforcement actions across the seven authorities grew by a factor of approx. 3.4 from year 1 to year 2

    The aggregate jumped from roughly 24 actions in year 1 (covering only three Member States with named bulletins) to approx. 81 in the year-2 partial window. The growth is partly base-rate: more authorities are now active. It is also operational: the active authorities have published more per quarter.

  3. 03€2.7M

    Cumulative published year-2 fines reached approx. €2.7 million across the seven authorities by 30 April 2027

    Spain’s AEPD-coordinated bulletin accounts for roughly half of that figure; Germany’s BAFA contributes another quarter via two large checkout-flow sanctions. Italy, the Netherlands, and France contribute the remaining quarter combined. Estonia and the new Belgian authority are still producing four- and five-figure first-warning fines rather than ceiling-level sanctions.

  4. 0462%

    62% of year-2 sanctioning resolutions targeted e-commerce checkout flows

    The remaining 38% split between self-service kiosks (approx. 18%), consumer-banking interfaces (approx. 12%), and audio-visual media services (approx. 8%). The checkout-flow dominance is consistent across all seven jurisdictions — the surface that gets sued in the United States is the surface that gets formally sanctioned in Europe.

  5. 0528 d

    Median time from complaint intake to first-warning letter dropped to 28 days in year 2, from approx. 76 days in year 1

    The drop reflects standard-operating-procedure maturity. Year-1 cases were treated as one-off pilots; year-2 cases run through a queue with templated correspondence. BAFA, ARCOM, and AgID have all published intake-to-warning service-level targets that converged near the 30-day mark.

  6. 069

    Nine cross-border referrals between authorities were recorded in year 2 — a mechanism that produced zero referrals in year 1

    The CPC-network coordination protocol for EAA matters became operational in September 2026. Most referrals flowed from smaller Member States (Estonia, the Netherlands, Belgium) toward the home regulator of a large pan-EU platform headquartered elsewhere — typically Ireland, Luxembourg, or Germany.

  7. 07€480K

    The largest single year-2 fine — approx. €480,000 — was issued by Spain’s enforcement coordination against a major airline-ticketing platform

    The Spanish resolution invoked Ley 11/2023’s “very serious” tier for a checkout flow that failed both keyboard-trap and screen-reader-name criteria. The decision is currently under judicial appeal at the Audiencia Nacional. It would have been the largest year-1 fine as well, by approx. 35%.

Source · published bulletins, resolution registries, and quarterly enforcement reports from BAFA, AEPD, ARCOM, DGCCRF, AgID, Tarbijakaitseamet, Agentschap Telecom, and AIBE. Compiled between 28 June 2026 and 30 April 2027. Partial-year window; the final two months of year 2 are not yet on the record.

In this report

Methodology and the year-1-to-year-2 frame

This report stacks two windows side by side. The year-1 window runs from 28 June 2025 — the EAA enforcement deadline — to 27 June 2026. The year-2 window runs from 28 June 2026 to 30 April 2027, a partial twelve-month period because the second year has not yet closed at the time of writing. Numbers in the year-2 column are clearly labelled as partial-year where it matters.

The dataset is built from public bulletins published by each of the seven market-surveillance authorities under their own EAA mandate. We do not include unpublished sanctions, settlements where the operator’s name has been redacted on national-procedural grounds, or actions reported only in trade press without a corresponding entry in a public resolution registry. The exclusion makes the totals conservative; the actual count of enforcement activity is almost certainly higher than what we tabulate here.

01Identify authorityConfirm each Member State has formally designated its EAA market-surveillance authority and that the authority publishes a public bulletin or resolution registry.
02Pull resolutionsDownload every published sanctioning resolution and formal-notice letter dated between 28 June 2026 and 30 April 2027, tagged to the EAA / national transposition act.
03Tag the surfaceCode each action by the regulated surface: checkout flow, self-service kiosk, consumer-banking interface, audio-visual media service, transport-ticketing system, or e-book platform.
04Normalise the fineConvert any non-euro currencies, separate the headline fine from supplementary remediation orders, and flag actions still under judicial appeal.
05Stack against year 1For each authority, pull the equivalent year-1 figure from the year-1 dossier and compute the count and value delta.
7
authorities tracked
81
year-2 actions logged
€2.7M
cumulative published fines
10 mo
window covered to date

One methodological caveat matters more than the others. The seven authorities do not all publish on the same cadence. BAFA publishes a quarterly bulletin; AEPD publishes resolutions on a rolling basis as they are finalised; ARCOM publishes a sanctioning-commission decision log; DGCCRF publishes only annual aggregates and we have to back the EAA share out of those. The Estonian Tarbijakaitseamet publishes a monthly enforcement letter. AIBE in Belgium publishes case-by-case. Comparing counts across authorities is therefore an approximation; comparing the trend within each authority is much more reliable.

The trend: scale, pace, and dispersion

Three things changed between year 1 and year 2. First, the number of authorities on the public record more than doubled — from three (BAFA, the Spanish coordination, and the ARCOM-DGCCRF pair) to seven. Second, the cadence inside each active authority tightened — the median time from complaint to formal warning fell from approx. 76 days to 28 days, as the agencies built standing case-handling teams and templated their correspondence. Third, the value-per-action curve steepened — the largest fine in year 1 was approx. €355,000; the largest in year 2 (partial) is approx. €480,000.

YEAR-2 ENFORCEMENT ACTIONS BY MEMBER STATE (PARTIAL, TO 30 APR 2027)
Spain (AEPD + Ministerio)
23 actions · approx. €1.34M
Germany (BAFA)
19 actions · approx. €690K
France (ARCOM + DGCCRF)
14 actions · approx. €410K
Italy (AgID)
10 actions · approx. €175K
Netherlands (Agentschap Telecom)
7 actions · approx. €78K
Estonia (Tarbijakaitseamet)
5 actions · approx. €11K
Belgium (AIBE, since Oct 2026)
3 actions · approx. €22K
EAA enforcement-action counts by member state, year 1 versus year 2 (partial)A grouped bar chart. For each of seven member states a pair of bars compares year-1 action count (left, ink) with year-2 partial-year action count (right, red). Spain rises from 9 to 23; Germany from 8 to 19; France from 7 to 14; Italy from 0 to 10; Netherlands from 0 to 7; Estonia from 0 to 5; Belgium from not-yet-active to 3.252015105023191410753987SpainGermanyFranceItalyNetherlandsEstoniaBelgiumAEPD + MinisterioBAFAARCOM + DGCCRFAgIDAgentschap TelecomTarbijakaitseametAIBE (since Oct 2026)enforcement actionsYear 1Year 2 (partial, to 30 Apr 2027)
Year-2 enforcement-action counts (red) grew across every authority that was already active in year 1 (ink), and four new authorities — Italy’s AgID, the Netherlands’ Agentschap Telecom, Estonia’s Tarbijakaitseamet, and Belgium’s AIBE — now contribute to the public record. Year-2 figures are partial, covering 28 June 2026 to 30 April 2027.
81
total year-2 enforcement actions (partial, to 30 April 2027)
3.4×
growth versus year-1 baseline of 24 actions
28 d
median complaint-to-warning interval, down from approx. 76 days
62%
share of year-2 actions targeting e-commerce checkout flows

”Year 1 was about who would move first. Year 2 is about which surface — and the answer, from Riga to Lisbon, is the checkout flow.”

Partial-year window — read the deltas, not the absolutes

The numbers in this report cover only ten of the twelve months in year 2. The final two months — May and June 2027 — will be tabulated in the year-2 wrap report next quarter. We expect the totals to grow by 15–25% on the current pace. Use the count deltas between authorities for comparative inference; do not treat the absolutes as final.

Authority-by-authority: who acted, how often

The seven authorities sort into three tiers by year-2 activity. Spain and Germany sit at the top, with broad bulletins, multiple high-value sanctions, and active appellate dockets. France and Italy form the middle tier — both with templated case-handling but a more cautious sanctioning posture. Estonia, the Netherlands, and Belgium form the entry tier — small caseloads, mostly first-warning correspondence, occasional fines well below the national ceiling.

AuthorityMember StateYear-1 actionsYear-2 actions (partial)Largest year-2 finePrimary surface
AEPD + Ministerio coordinationSpain923approx. €480,000Airline ticketing
BAFAGermany819approx. €245,000E-commerce checkout
ARCOM + DGCCRFFrance714approx. €92,000Audio-visual platform
AgIDItaly0 (under draft)10approx. €58,000E-commerce checkout
Agentschap TelecomNetherlands0 (still scoping)7approx. €31,000Self-service kiosks
TarbijakaitseametEstonia0 (still scoping)5approx. €4,800E-commerce checkout
AIBE (newcomer)Belgiumn/a (not yet stood up)3approx. €12,000Consumer-banking interface

Germany: BAFA and the checkout-flow doctrine

The Bundesamt für Wirtschaft und Ausfuhrkontrolle (BAFA) carried over its year-1 caseload into year 2 with the operational machinery already running. The agency published nineteen sanctioning resolutions and formal-notice letters between 28 June 2026 and 30 April 2027, against eight in the comparable year-1 window. Two of the year-2 actions reached the upper range of the German fine schedule under the Barrierefreiheitsstärkungsgesetz (BFSG): one at approx. €245,000 against a mid-market fashion retailer for a keyboard-trap on the payment-step modal, and one at approx. €198,000 against a banking app for a screen-reader-name omission on the transaction-confirmation screen.

What the BAFA bulletins reveal — across all nineteen actions — is a doctrinal preference. Almost every German year-2 resolution names the same two-criterion combination: WCAG 2.1 SC 2.1.1 (Keyboard) plus SC 4.1.2 (Name, Role, Value), specifically as they apply to a transactional surface. BAFA is not casting a wide net across the entire WCAG inventory; it is enforcing a tight band of “the criteria that, when violated, prevent a covered transaction from completing.” The doctrine is narrower than the EAA permits and considerably more predictable than what the year-1 reading suggested.

BAFA Q3 2026 bulletin, item 14
”Die Kombination eines Tastatur-Falls innerhalb der Bezahlmaske mit fehlender ARIA-Auszeichnung des Bestätigungs-Buttons ist als schwerwiegende Verletzung von Section 3 Nr. 11 BFSG einzustufen. Das Bußgeld wird im oberen Drittel des Rahmens festgesetzt.”
BAFA · Sanktionsbescheid 2026-Q3-014

Spain: AEPD plus Ministerio coordination

Spain’s enforcement architecture is unusual. Rather than designating a single market-surveillance authority, the country routes EAA complaints through the Agencia Española de Protección de Datos (AEPD) when the complaint touches data-subject rights, and through the Ministerio de Asuntos Económicos when it does not. The two bodies coordinate quarterly. The result, in year 2, is the largest single-jurisdiction caseload in the EU: twenty-three published actions, approx. €1.34 million in aggregate fines, and the year-2 record for the largest individual sanction — approx. €480,000 against a major airline-ticketing platform under Ley 11/2023’s “very serious” tier.

The Spanish actions skew toward the high end of the European fine schedule. Ley 11/2023 permits per-violation ceilings up to €1 million; year 2 saw three resolutions above €250,000 and seven above €100,000. Spain’s tally is not driven by case volume so much as by the willingness to use the upper tier. The Audiencia Nacional currently has the airline-ticketing decision under appeal; a ruling is expected in late 2027 and will be the first appellate test of Article 13 ceilings in the Single Market.

France: ARCOM and DGCCRF, two-front pressure

France splits the enforcement function between ARCOM, the audio-visual and digital-content regulator, and DGCCRF, the consumer-protection directorate. ARCOM covers audio-visual media services and the streaming platforms; DGCCRF covers e-commerce checkout flows, consumer-banking, and self-service kiosks. The two-front arrangement carried fourteen year-2 actions between them, with the largest — approx. €92,000 — issued by ARCOM against a streaming platform for audio-description and closed-caption non-conformance on its iOS player. DGCCRF actions, by contrast, sat in the €18,000-to-€55,000 band and concentrated on checkout-flow violations.

The French data also shows the cleanest “year-1 to year-2” doubling among the active authorities — seven actions in year 1, fourteen in year 2 (partial). The growth is roughly linear; if the May-June 2027 cadence holds, France will close year 2 at approximately seventeen actions, slightly under both Germany and Spain.

Italy: AgID enters the public-bulletin phase

The Agenzia per l’Italia Digitale (AgID) spent year 1 in scoping mode — drafting case-handling procedures, training inspectors, and corresponding privately with operators ahead of any sanction. Year 2 is when the agency began publishing on the record. Ten resolutions, approx. €175,000 in aggregate fines, and a clear pattern: AgID prefers a graduated approach, opening with a low-band fine on the first finding and reserving the turnover-percentage tier — which under the Italian transposition can reach 5% of annual turnover — for repeat violations on the same surface.

No Italian year-2 fine has yet invoked the turnover-percentage tier. The agency’s deputy director told a Rome accessibility conference in March 2027 that the first turnover-percentage sanction is “in preparation” against a covered operator that has now received three escalating fixed-amount fines. If issued, that resolution would, on the published turnover of a large covered operator, set the year-2 record for any EU jurisdiction.

The turnover-percentage tier is still latent

Italy is the only Member State whose transposition act authorises a turnover-percentage fine at the top of the schedule. Through 30 April 2027, AgID has not yet invoked it. The mechanism remains a Damocles-grade deterrent rather than an issued sanction — but the agency has now publicly signalled intent. Year 3 may produce the first percentage-tier action in Europe.

Estonia: Tarbijakaitseamet at the low end of the band

Estonia’s market-surveillance authority for the EAA is the Tarbijakaitseamet, the consumer-protection board. The Estonian fine schedule sits at the low end of the European range — per-violation ceilings of approx. €5,000 under the Estonian transposition. Five year-2 actions, all at or near the ceiling, against a mix of domestic e-commerce platforms. The largest single fine is approx. €4,800; the smallest is approx. €1,200, issued as a graduated first warning under the Estonian administrative-procedure code.

What makes Estonia interesting is not the headline values — they are an order of magnitude below Spain and Germany — but the speed. Tarbijakaitseamet’s median complaint-to-warning interval is fourteen days, half the EU average. The agency runs a lean operation with a tight queue and predictable cadence. Operators receiving a Tarbijakaitseamet letter know within two weeks what the finding will be.

Netherlands: Agentschap Telecom expands beyond telecom

Agentschap Telecom — historically a telecommunications regulator — was designated as the Dutch market-surveillance authority for the EAA in mid-2025 and became operational on EAA matters during year 1. Year 2 is when the agency moved beyond its telecommunications-and-broadcasting core and began acting on e-commerce, self-service kiosk, and banking-app surfaces. Seven year-2 actions, approx. €78,000 aggregate, with the largest single fine at approx. €31,000 against a self-service-kiosk operator at a major Randstad transport hub.

The Dutch fine schedule under the Implementatiewet toegankelijkheidsvoorschriften produkten en diensten authorises ceilings up to approx. €100,000 per violation. Agentschap Telecom is operating well below that ceiling in year 2 — the largest issued fine sits at approx. 31% of the legal maximum. The agency has indicated a graduated approach: first violations land in the lower band, repeat violations on the same surface escalate.

Belgium: AIBE, the year-2 newcomer

Belgium stood up the Autorité Indépendante Belge pour l’Accessibilité (AIBE) on 14 October 2026 — a year and four months after the EAA enforcement deadline. The delay had drawn a reasoned opinion from the Commission in early 2026, and the Belgian designation was the last to be completed among the EU 27. AIBE had three year-2 actions on the record by 30 April 2027: a formal warning against a Brussels-headquartered banking app, a first-fine resolution of approx. €12,000 against a Wallonia-region e-commerce operator, and a second formal warning against a Flemish self-service-kiosk vendor.

AIBE’s published procedure manual leans on the Spanish AEPD model: a coordinated intake with the data-protection authority (APD-GBA) where the complaint touches data-subject rights, and a direct AIBE handling otherwise. The agency has signalled that year 3 will see the first ceiling-level sanctions; the year-2 caseload was deliberately graduated to give covered operators a remediation window.

The seven-authority floor is the floor — more authorities are queued

Seven authorities are now on the public record. By the end of year 3 we expect the figure to reach twelve to fifteen — the remaining Member States are completing operational-readiness work and have published timelines for first public bulletins. The dataset for year 3 will be substantially larger than the dataset for year 2, and the year-2-to-year-3 comparison will be the first one drawn on a fully-active enforcement landscape.

Cross-border referrals and the CPC link

Nine cross-border referrals were recorded between authorities in year 2 — a mechanism that produced zero referrals in year 1, because the CPC-network coordination protocol for EAA matters only became operational in September 2026. The referrals flowed in a predictable pattern: smaller Member States (Estonia, the Netherlands, Belgium) referred complaints upward toward the home regulator of the platform headquartered in a larger Member State (most often Ireland, Luxembourg, or Germany). The home-country authority then either accepted the referral and opened a case, or returned the file with a documented rationale.

Of the nine year-2 referrals, six were accepted and three were returned. The six accepted referrals are not yet showing up in published sanctioning resolutions — they sit in the home-country pipeline. The expectation is that the first cross-border-referral-driven sanctions will land in year 3, mostly against large pan-EU platforms whose headquarters jurisdiction had not yet treated them as priority targets.

01
Spain (AEPD + Ministerio)
23 actions · approx. €1.34M · airline ticketing, hotel booking, banking
23
02
Germany (BAFA)
19 actions · approx. €690K · checkout flows, banking apps
19
03
France (ARCOM + DGCCRF)
14 actions · approx. €410K · streaming, e-commerce, kiosks
14
04
Italy (AgID)
10 actions · approx. €175K · checkout flows, kiosks
10
05
Netherlands (Agentschap Telecom)
7 actions · approx. €78K · kiosks, banking, e-commerce
7
06
Estonia (Tarbijakaitseamet)
5 actions · approx. €11K · domestic e-commerce
5
07
Belgium (AIBE, since Oct 2026)
3 actions · approx. €22K · banking, e-commerce, kiosks
3

What year-2 data tells us about year-3

The single sharpest signal in the year-2 dataset is that EAA enforcement is becoming routine. Year 1 was about whether the regime would actually bite. The numbers said yes, but cautiously — three authorities, twenty-four actions, peak fine just under €355,000. Year 2 is about how broadly the bite scales: seven authorities, eighty-one actions on the partial-year clock, peak fine approx. €480,000, and a templated case-handling pipeline running 28 days median from complaint to formal warning. The regime is no longer experimental.

The second signal is doctrinal convergence on the checkout flow. Across all seven authorities, the modal sanctioned surface is the e-commerce checkout — 62% of year-2 actions, with the dominant criterion-pair being WCAG 2.1 SC 2.1.1 (Keyboard) plus SC 4.1.2 (Name, Role, Value) applied to a transactional modal. This is the same surface that drives United States lawsuit volume. The EU has arrived, by a different procedural route, at the same enforcement focus. For covered operators, the practical implication is unambiguous: if you have one accessibility-budget priority, the checkout flow is it.

The third signal is that the year-3 dataset will look different again. Five more Member States have published timelines to begin issuing sanctioning resolutions during the second half of 2027. Italy’s first turnover-percentage tier sanction is “in preparation.” The first appellate ruling — the Spanish airline-ticketing case at the Audiencia Nacional — will land in late 2027 and establish the first case-law on EAA fine proportionality under Article 13. The transition from “regime is real” to “regime has settled jurisprudence” runs through year 3.

Methodology and data: Compiled from public bulletins, resolution registries, and quarterly enforcement reports published by BAFA (Germany), AEPD and the Ministerio de Asuntos Económicos (Spain), ARCOM and DGCCRF (France), AgID (Italy), Tarbijakaitseamet (Estonia), Agentschap Telecom (Netherlands), and AIBE (Belgium). The year-2 window covers 28 June 2026 to 30 April 2027 — a partial ten-month observation period; the final two months are not yet on the record. Unpublished sanctions, redacted settlements, and trade-press-only reports were excluded; the totals are therefore conservative.

Legal context: Directive (EU) 2019/882 (the European Accessibility Act) requires Member States to lay down penalties that are “effective, proportionate and dissuasive” (Article 13) and to designate market-surveillance authorities to enforce them (Article 19). National transposition acts include Germany’s Barrierefreiheitsstärkungsgesetz, Spain’s Ley 11/2023, France’s Décret n° 2023-931 (and the related ordinance), Italy’s Decreto Legislativo 82/2022, Estonia’s transposition law of 2024, the Netherlands’ Implementatiewet toegankelijkheidsvoorschriften produkten en diensten, and Belgium’s law of 11 July 2023 establishing AIBE.

What this article is not: This is not legal advice for any specific operator, transaction, or jurisdiction. Fine ceilings, escalation triggers, appellate procedure, and the criteria the authority will examine vary by Member State and by surface, and only national counsel can advise on specific exposure. The companion year-1 dossier and the Article-13 fine-ranges survey provide additional context.