European Accessibility Act

BFSG: Germany's EAA Implementation Explained for Online Stores

What non-German merchants selling to Germany actually need to know about the Barrierefreiheitsstärkungsgesetz.

Last updated May 25, 2026

The Barrierefreiheitsstärkungsgesetz (BFSG)is Germany's national transposition of the European Accessibility Act (Directive 2019/882). It is a federal statute — not an agency — and it has been enforceable since June 28, 2025. The law requires businesses that place covered products or services on the German market to meet accessibility requirements aligned with the harmonised European standard EN 301 549, which for the web maps directly to WCAG 2.1 Level AA. The primary German text is published at gesetze-im-internet.de/bfsg and a clear English-language summary of scope, deadlines, and exemptions is maintained by activemind.legal.

The scope is wide and deliberately consumer-facing. Online stores, banking and payment services, passenger-transport ticketing and information, telecommunications, e-books and e-readers, and certain consumer hardware and software are all named in the law. If your business sells to consumers in Germany — whether you operate a Shopify store from the United States, a Webflow site from the United Kingdom, or a custom platform from anywhere else — you are very likely in scope. Distance-selling does not create an exemption, and neither does the absence of a German entity.

Sanctions are set out in § 37 BFSG, which provides for administrative fines from €10,000 to €100,000 per violation. For services that were already in use before June 28, 2025, the law provides a transition period: those services must be brought into conformity by June 28, 2030. A narrow microenterprise exemption applies for businesses with fewer than 10 employees AND less than €2 million in annual turnover, mirroring the framing in the parent EU Accessibility Act; the exemption does not apply to products at all, only to certain services, and it is interpreted strictly when a business is part of a larger group. BFSG market surveillance is conducted by the Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen (MLBF AöR), a joint institution of public law established by all 16 Bundesländer under a Staatsvertrag and based in Magdeburg, operational since 26 September 2025.

BFSG vs the EAA — clearing up the terminology

A surprising amount of confusion in the English-language coverage of the German accessibility regime comes from mixing up three things: the law (BFSG), the directive it transposes (EAA), and the authority that enforces it (MLBF AöR). Keeping the distinction clean makes everything else easier to reason about.

• BFSG — the Barrierefreiheitsstärkungsgesetz, a German federal statute that entered into force on 28 June 2025. It is a piece of legislation, not an authority. The primary German text lives at gesetze-im-internet.de/bfsg.
• EAA — the European Accessibility Act, Directive 2019/882. The EAA is the EU-level parent. The BFSG is one of twenty-seven national transpositions of it.
• MLBF AöR — the Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen, an Anstalt des öffentlichen Rechts(institution of public law) based in Magdeburg, Saxony-Anhalt. MLBF is the joint market-surveillance authority for the BFSG — established by a Staatsvertrag (interstate treaty) carried by all 16 Bundesländer and operational since 26 September 2025. The Saxony-Anhalt MS page on MLBF is at ms.sachsen-anhalt.de.
• Länder — the sixteen German states. Under the Staatsvertrag the Bundesländer pooled their BFSG surveillance powers into MLBF rather than each running parallel agencies. Land-level Gewerbeaufsicht authorities exist alongside MLBF for other matters but are not the primary BFSG enforcement route.
• Bundesfachstelle für Barrierefreiheit — the federal information and advisory body for accessibility. It runs the public BFSG FAQ but is not the surveillance or enforcement authority.

Practically, the distinction matters for two reasons. First, when you receive correspondence about a BFSG accessibility issue in Germany after 26 September 2025, the letterhead is from MLBF AöR (or, for matters opened before that date, from the Land authority that originally took the file). Second, when you read English coverage that says “BFSG fined a company €X”, the claim is loose — BFSG is the law; the fine is imposed by MLBF under § 37 BFSG. For the kind of detailed English-language analysis that disambiguates these, the firm summaries at reuschlaw and graulaw are the most useful starting points.

Who BFSG covers

The BFSG's scope is set out in § 1 (purpose and subject-matter) and § 4 (covered products and services). It tracks the EAA closely, and the consumer-facing service categories are the ones most relevant to SMBs and online sellers.

• E-commerce services — Websites and apps used to sell products or services to consumers, including category and product pages, search, cart, checkout, account creation, payment, and post-purchase communication.
• Banking and payment services for consumers — Online banking, account management, self-service payment terminals, and consumer-facing investment platforms.
• Passenger transport ticketing and information — Websites, apps, and self-service terminals used to plan, purchase, or check in for air, bus, rail, and waterborne transport.
• Telecommunications services — Consumer-facing electronic-communications services and the equipment used with them.
• E-books, e-readers, and certain consumer hardware/software — Digital publications, the dedicated devices used to read them, and general-purpose consumer hardware/software within scope of the EAA.

Two scope notes that trip up SMB sellers in particular. First, B2B sales are largely outside the BFSG's service scope (it is framed around consumers), but a single “business-only” banner is not enough — if your storefront is actually purchasable by consumers, you are in scope. Second, the law covers products and services independently, so a single business can have some offerings covered (a consumer e-commerce front) while others are not. The activemind.legal BFSG guide walks through these scope edges in English.

Non-German sellers — if you sell into Germany, this applies to you

The BFSG, like the EAA, follows the place-of-market principle. The relevant test is not where your company is incorporated, where your servers run, or where your team sits. The test is whether you are placing a covered service on the German market. A US merchant accepting orders from German consumers via a German-language storefront is in scope. So is a UK merchant whose English-language site ships to Germany. So is a Belgian or Dutch SMB whose only EU marketing happens to reach German consumers.

Distance-selling does not exempt you. If your checkout accepts a German billing address, if you accept German payment instruments, if you advertise to German consumers, or if your shipping policy lists Germany as a destination, the BFSG's service obligations apply to the service you are providing into Germany. The practical signal to look for in your own operations is simple: would a German consumer land on your site and reasonably believe they could buy from you? If yes, plan as though you are in scope and let counsel narrow it later.

Non-EU sellers should also note the role of authorised representatives, importers, and distributors under the EAA framework. For services, the obligation typically falls on the service provider directly; for products, the obligations cascade through manufacturer, importer, and distributor. Most ecommerce SMBs only need to think about the service-provider track, but if you sell own-brand consumer hardware into Germany you may also pick up manufacturer obligations.

Technical requirements — EN 301 549 and WCAG 2.1 AA

The BFSG, like every other EAA transposition, does not invent its own technical standard. It points to the harmonised European standard EN 301 549 as the presumption-of-conformity reference. For web content, EN 301 549 incorporates WCAG 2.1 Level AA directly. That gives non-German sellers a straightforward technical target: meet WCAG 2.1 AA across your German-facing surfaces.

For a working step-by-step against the EAA family of requirements, including the documentation and conformity-assessment side, see the EAA compliance checklist. The technical requirements themselves are not different for Germany versus France or Italy — the differences appear in the national procedural law: who enforces, what the fine ranges look like, what the accessibility statement has to say in the local language, and so on.

Automated tooling can carry a meaningful but bounded share of this work. Per Deque's Automated Accessibility Coverage Report, Deque reported automated tests identified 57.38% of issue instances by volume in its dataset — based on 2,000+ audits across 13,000+ pages and ~300K issues. That is a strong floor for catching the mechanical violations MLBF AöR is most likely to surface in a first-pass review. The remainder — keyboard flow, focus management, screen-reader intelligibility, error recovery in forms — still requires human review.

Sanctions — § 37 BFSG

§ 37 BFSG sets administrative fines from €10,000 to €100,000 per violation. The primary German text is at gesetze-im-internet.de/bfsg; the English-language analysis at reuschlaw summarises the sanctions catalogue and the enforcement procedure. Where summaries differ on detail, the primary German text in gesetze-im-internet.de governs.

Order-of-magnitude framing helps SMBs calibrate. The lower end of the range — closer to €10,000 — lines up with procedural and documentation breaches: missing or incomplete accessibility statement, failure to respond to a market-surveillance information request, failure to keep technical documentation. The upper end — closer to €100,000 — lines up with repeated, deliberate, or wide-scope substantive non-conformity: continuing to place a non-conformant service on the market after a competent authority has ordered a cure, or material misrepresentation about conformity. The actual amount sits within that range based on the gravity of the violation, the size of the undertaking, the duration, and any prior conduct — standard German administrative-fine factors.

One nuance worth absorbing: the €10,000–€100,000 range is per violation, not per page or per site. In practice authorities will typically frame an enforcement action around a finite set of distinct violations rather than counting WCAG failures as individual offences, but a particularly stubborn pattern of non-conformity that survives a cure order can compound. The risk profile for a small ecommerce site is therefore very different from a large-platform operator's, but it is not zero.

Market surveillance — MLBF AöR

Enforcement under the BFSG is administrative, not court-led by default. Since 26 September 2025, the market-surveillance authority is the Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen (MLBF AöR), a joint institution of public law established by all 16 Bundesländer under a Staatsvertrag, headquartered in Magdeburg. MLBF is the single point of contact for BFSG market-surveillance matters; the Land-level Gewerbeaufsicht / market-surveillance bodies that handled the BFSG between 28 June and 25 September 2025 still exist for other product-safety and labour matters but have handed BFSG cases to MLBF. The federal Bundesfachstelle für Barrierefreiheit publishes general information about the BFSG (it is not the enforcement body). BAuA — the Federal Institute for Occupational Safety and Health — has only an adjacent coordination role under product-safety legislation; despite some earlier English-language coverage to the contrary, BAuA is not the BFSG market-surveillance authority.

The procedure most SMBs will actually encounter looks like this. First, a triggering event: a consumer complaint to MLBF, a referral from a disability-rights organisation, a notification under a cross-EU surveillance information exchange, or a proactive sweep. The authority then sends a formal information request (or directly an order to remedy) to the responsible economic operator. The operator is given a cure period — typically measured in weeks — to remedy the identified non-conformity and to demonstrate the remediation through documented evidence. If the cure is satisfactory the matter closes without a fine. If the cure is incomplete, late, or ignored, a fine procedure under § 37 follows.

Two practical observations. First, this is a notice-and-cure regime in its normal shape. The businesses that get hit with the upper end of the fine range are not the ones whose checkout fails a contrast check; they are the ones who receive a clear order and ignore it. Second, surveillance authorities draw heavily on user reports. Having a published, working accessibility-statement contact route is not just a formal requirement — it is the channel that lets you handle complaints before they escalate into an authority file.

The accessibility statement requirement

Every covered service must make accessibility information available to consumers. BFSG § 14 requires service providers to include the information described in Anlage 3 BFSG in their allgemeinen Geschäftsbedingungen (AGB) or in another clearly perceptible manner— a discoverable dedicated accessibility page reachable from the footer is the practical pattern most German stores follow, but the statute does not literally mandate a public page at a fixed URL. For a German-facing storefront, the practical expectations are: a German-language statement (English-only is not sufficient when the storefront is German-facing), published in the AGB or at a stable URL reachable from the homepage and the footer, naming the technical standard you are conforming to (typically EN 301 549 / WCAG 2.1 AA), describing known non-conformities and the planned remediation, and providing a contact route for users to report barriers plus an escalation route to the competent surveillance authority if the user is not satisfied with your response.

The most common failure modes are familiar from EAA enforcement elsewhere in the EU: the statement is generic and identical across dozens of sites (a clear sign of a templated overlay output rather than a real audit), the statement claims full conformance when the underlying site does not actually pass, or the contact address goes to a black hole. MLBF treats the statement as a tractable artefact — it is easy to read, easy to compare against the actual site, and easy to enforce on procedurally. For a more general walk-through of statement content and how to keep it honest, see the accessibility-statement generator guide.

Microenterprise exemption — narrow and strict

The BFSG carries the EAA's microenterprise exemption for services: an undertaking with fewer than 10 employees AND less than €2 million annual turnover or balance sheet total may fall outside the service obligations. The exemption does not apply to products. It does not apply automatically just because you are small: you have to actually be under both thresholds.

The exemption is read strictly in practice. If you are a wholly owned subsidiary of a larger group, you are typically not a microenterprise for these purposes — aggregation rules apply. If you are an independent SMB but one of your shareholders sits at a large corporate, that link can also pull you out of the exemption depending on the structure. The English-language summaries at graulaw and activemind.legal walk through the exemption framing in plain English.

A pragmatic note for very small sellers: even when the exemption technically applies, basic conformity is usually still worth the effort. The marketing-page value of being able to say “our site meets WCAG 2.1 AA” is real, the engineering cost of getting there on a small storefront is modest, and the exemption is one acquisition or one threshold-crossing away from no longer applying.

Practical BFSG-readiness checklist for SMBs selling to Germany

This is the action-oriented sequence we recommend to non-German SMBs working toward BFSG readiness. It assumes you are an ecommerce or consumer-service seller; if you are also a manufacturer of consumer hardware, add the product-side documentation track from your conformity-assessment partner on top.

1. Confirm scope and threshold with German counsel: covered service category, microenterprise test (with group-aggregation), and whether any disproportionate-burden argument is even plausibly available.
2. Audit critical flows against WCAG 2.1 AA on the German-facing storefront: home, category, product, search, cart, checkout, account, post-purchase. Combine automated scanning with keyboard-only and screen-reader manual passes.
3. Inventory, triage, and date the findings. Every confirmed violation gets a URL, a WCAG success criterion, a severity, and a planned remediation date. The dated inventory is the artefact a surveillance authority will look at if they ever ask.
4. Remediate at the source code level. No overlays, no widgets, no “AI accessibility layers”. MLBF treats overlays as evidence of a missed real fix, not as a fix.
5. Publish a German-language accessibility statement at a stable URL, linked from the homepage footer. Name your standard (EN 301 549 / WCAG 2.1 AA), disclose known non-conformities honestly, give a working contact address, and reference the escalation route to the competent authority.
6. Stand up an ongoing monitoringcadence so a redesign or a new feature doesn't silently regress your conformance posture. The archive of repeat scans, with dates, is itself a defensible record of due diligence.
7. Operate the complaint channel. Treat the statement's contact address as a real user-facing channel. Most disputes that escalate to a Land authority started as a consumer email that went unanswered.

How SweepHound supports BFSG readiness

SweepHound is built for code-level remediation against WCAG 2.1 AA — the technical floor that EN 301 549, and through it the BFSG, ultimately points to. The product does not promise one-click BFSG compliance and we deliberately do not use that phrasing in the UI either. What it does provide is the work product an SMB needs to be in a defensible, documented BFSG-readiness posture.

• Dual-engine scanning (axe-core plus IBM Equal Access, both available on every paid plan) for broader automated-rule coverage than any single engine.
• Code-level remediation guidance with commit-ready diffs for mechanical fixes, and honest explanations when a fix is ambiguous or context-dependent.
• Auto-generated accessibility statement tied to your most recent scan — not a generic template that overstates conformance. SweepHound currently generates English statement drafts only; German-facing storefronts should add a German translation alongside the English statement before publication.
• Scheduled monitoring with regression alerts when a new deploy introduces a violation. The dated archive of scans is itself a due-diligence artefact.

If you sell into Germany and want a dated baseline on the record today, start a free scan. Plan tiers and monitoring cadences are on the pricing page. When you are ready, create an account and run the first audit on your German-facing storefront in the next hour.

For neighbouring EAA jurisdictions, see also the France / RGAA guide and the Italy / Stanca guide, and for the parent-directive overview the EAA requirements guide.