European Accessibility Act

The EAA Compliance Checklist for SMBs: What Changed on June 28, 2025 and What You Have to Do Now

Last updated May 24, 2026

Quick answer: where the EAA stands today

The European Accessibility Act (Directive (EU) 2019/882) is the first horizontal EU law that puts private-sector digital accessibility obligations on a uniform statutory footing across the single market. It was adopted in 2019, transposed into national law by every member state across 2022–2024, and the EAA has been enforceable across all 27 EU member states since June 28, 2025. The EAA only covers an enumerated list of consumer products and services under Article 2 of the Directive: e-commerce, consumer banking, passenger-transport digital touchpoints, electronic communications, audiovisual media access, e-books and dedicated software, plus consumer computer hardware/OS, self-service terminals (ATMs, payment / ticketing / check-in machines) and e-readers. If your business sells one of those products or services to consumers in the EU — even from outside it — you are almost certainly in scope. If what you sell is not on that list (a bakery storefront, a B2B SaaS, a brand-marketing site without ecommerce, etc.), the EAA is not the legal mechanism to worry about. The following bullets are the load-bearing facts most SMBs in scope need before they read anything else:

• Enforcement is live.The EAA became enforceable on June 28, 2025. There is no further grace period for new services placed on the market after that date, and market surveillance authorities in each member state are now empowered to act on complaints and on their own initiative. See the European Commission's overview of the European Accessibility Act for the official scope and definitions.
• Non-EU sellers are covered if they place products or services on the EU market. A US, UK, or Asia-Pacific e-commerce site that ships to EU consumers, takes payment in EUR, or delivers digital services to users physically in the EU is in scope regardless of where the company is headquartered. Establishment in the EU is not a prerequisite for liability.
• The covered sectors are broad but specific. E-commerce, consumer banking, transport-passenger services, telecoms, e-books and e-reader devices, audiovisual media services access components, and general-purpose computer hardware and operating systems — plus the websites, mobile apps, and self-service terminals used to deliver any of the above.
• Article 32 carves out three narrow transitions — not a blanket service-level grace period. (a) Products lawfully used by service providers to deliver similar services before 28 June 2025 may continue in use until 28 June 2030 (Article 32(1)). (b) Service contracts agreed before 28 June 2025 may continue without alteration until they expire, but no longer than five years from that date (also Article 32(1)). (c) Self-service terminals lawfully used before 28 June 2025 may continue in use until the end of their economically useful life, up to 20 years (Article 32(2)). The service itself does not get a transition — new digital services launched after 28 June 2025 must comply immediately.
• The microenterprise carve-out is narrow. A microenterprise — fewer than 10 employees ANDunder €2 million annual turnover or balance sheet total — is exempt from the EAA's service obligations (though not from the separate product obligations of the broader CE marking framework). The exemption is interpreted strictly: companies that are part of a larger group, or that exceed either threshold, do not qualify.
• Enforcement is already happening — through private litigation, not just regulators. The first significant public actions on the new regime landed in France barely a week after the law became effective. On July 7, 2025, French disability-rights organisations ApiDV and Droit Pluriel, supported by lawyers' collective Intérêt à Agir, filed mises en demeure (formal legal notices) against Auchan, Carrefour, E.Leclerc, and Picard. The matter was escalated to assignation en référé before the tribunal judiciaire on November 12, 2025. These are private-party civil actions, not regulator-led enforcement.
• The technical standard is EN 301 549, which incorporates WCAG 2.1 Level AA. Conforming to EN 301 549 gives a presumption of conformity for web content. WCAG 2.2 is not yet a legal requirement under the EAA, though several member states are preparing to reference it in updated national checklists. See the EAA overview for the full technical mapping.

Who must comply (and who is exempt)

The EAA applies to two categories of economic operators: producers of covered products (importers, manufacturers, distributors of consumer-facing computing hardware, e-readers, self-service terminals, etc.) and providers of covered services (e-commerce platforms, banks, telecoms, transport-ticketing services, e-book platforms, audiovisual on-demand services). The European Commission's reference page for the European Accessibility Act sets out the canonical scope and includes the microenterprise framing.

Covered services and products

• E-commerce— consumer online stores, marketplaces, product detail pages, search, checkout, and post-sale customer service surfaces.
• Consumer banking services — online banking, account opening flows, payment terminals and mobile-banking applications used by consumers.
• Transport ticketing— air, bus, rail, and waterborne passenger transport websites and apps, including booking, check-in, and real-time travel information.
• Electronic communications — telecoms websites and apps, and the equipment used to access them.
• E-books and e-readers— digital publications, the apps that deliver them, and the consumer devices used to read them.
• Audiovisual media access components — the access services to AVMS content (subtitles, audio description controls, sign-language tracks where applicable).
• Consumer computing hardware and operating systems — general-purpose consumer computer systems and the general-purpose operating systems that run on them.

The microenterprise exemption

A microenterprise — fewer than 10 employees AND under €2 million annual turnover or balance sheet total— that provides a covered service is exempt from the service obligations of the EAA. The exemption does not apply to producers of covered products, and it is interpreted strictly: an SMB that exceeds either threshold loses the benefit, and group-affiliated companies typically cannot claim it. Crucially, the exemption removes the substantive obligations but does not exempt companies from sector-specific consumer-protection law that may impose its own accessibility requirements (especially in banking and telecoms).

The disproportionate-burden defence

A non-microenterprise economic operator can argue that meeting a specific accessibility requirement would impose a disproportionate burden. This is not a free pass — it requires a documented written assessment that weighs the cost of conformity against the operator's resources and the expected benefit to people with disabilities. The assessment must be repeated periodically (most national transpositions specify every five years, or whenever the service materially changes) and made available to market surveillance authorities on request. Treating disproportionate burden as a verbal claim rather than a formal, evidence-based document is the single most common compliance mistake we see.

Technical standard — EN 301 549 (WCAG 2.1 AA)

The EAA itself is functionally drafted — it specifies outcomes like “perceivable” and “operable,” not specific code patterns. The harmonised standard EN 301 549is the presumption-of-conformity bridge between those functional outcomes and a concrete, testable checklist. For web content, EN 301 549 directly incorporates WCAG 2.1 Level AA. The mapping below is how most SMBs should think about the stack:

Country-by-country enforcement and fines

The EAA is a directive, which means each member state has its own transposition law, its own market surveillance authority, and its own penalty framework. Frameworks vary by country: some apply administrative fines per violation, some allow penalties as a percentage of turnover, and at least one provides for criminal liability. The table below covers the five member states where SMBs most often have meaningful customer exposure. The Deque country compliance data table is a useful cross-reference for the remaining 22 jurisdictions; the Fieldfisher risk-of-non-compliance overview is the primary source for the statutory ranges cited below.

Italy: D.Lgs. 82/2022 and the older Stanca framework

Italy is the most layered of the five jurisdictions, because two regimes now operate in parallel. Per the Fieldfisher overview of EAA risks and key authorities: Italy's EAA transposition (D.Lgs. 82/2022) sets administrative fines of €5,000–€40,000 per violation, plus €2,500–€30,000 for ignoring AgID supervisory orders. The older Stanca framework (Legge 4/2004, extended to private companies via DL 76/2020) can sanction private companies with 3-year average turnover above €500 million up to 5% of annual turnover through an AgID notice-and-cure procedure. Most SMBs will sit exclusively under the D.Lgs. 82/2022 administrative-fine regime, but companies with significant turnover and an Italian footprint should map their exposure under both.

Spain: Ley 11/2023

Spain has the harshest headline number in this group. Ley 11/2023 (Article 27) defers to sectoral legislation and supplementarily to the TRLGDPD (Real Decreto Legislativo 1/2013) Title III sanctions regime: Article 83 sets fines up to €1,000,000 for very serious infringements, and Article 85 lists accessory measures (loss of public subsidies, disqualification from public contracting). Operational bans are not part of the verified primary-statute text. For supplemental industry context, see Fieldfisher's EAA penalties overview (secondary). See our Spain EAA deep-dive for the full breakdown.

Germany: BFSG and MLBF AöR

Germany's framework is described in the activemind.legal BFSG guide and reuschlaw's German Accessibility Act briefing; both should be cross-checked against the Bundesfachstelle BFSG FAQ for current authority designations. Germany's transposition law is the Barrierefreiheitsstärkungsgesetz (BFSG), which entered into force on June 28, 2025. Market surveillance is conducted by the Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen (MLBF AöR), a joint authority of the 16 Länder based in Magdeburg, established by interstate treaty and operational since September 26, 2025. Before that date, enforcement was via legacy Land-level Gewerbeaufsicht authorities. § 37 BFSG sets administrative fines from €10,000 to €100,000 per violation. In practice, MLBF has so far prioritised information requests and corrective notices over immediate fines, but a refusal to remediate after a corrective notice escalates to the statutory fine band quickly.

Ireland: criminal liability tail risk

Ireland is the outlier on criminal liability. Per the Fieldfisher risk-of-non-compliance overview: Ireland's EAA transposition includes potential criminal liability with imprisonment of up to 18 months for certain offences. This is reserved for the worst cases — persistent, knowing non-compliance after multiple notices — but it changes the calculation for executives at companies that operate in or sell significantly into Ireland.

First wave of enforcement — France (July 2025)

The most-cited early enforcement events under the new regime did not come from a regulator. They came from disability-rights NGOs in France. Per the ADA Title III blog's August 2025 brief on EAA challenges for US companies: On July 7, 2025, French disability-rights organisations ApiDV and Droit Pluriel, supported by lawyers' collective Intérêt à Agir, filed mises en demeure (formal legal notices) against Auchan, Carrefour, E.Leclerc, and Picard. The matter was escalated to assignation en référé before the tribunal judiciaire on November 12, 2025. These are private-party civil actions, not regulator-led enforcement.

On May 5, 2026, the tribunal judiciairede Lille handed down the first first-instance decision in this group of cases — against Auchan E-Commerce. The court acknowledged the site was inaccessible but dismissed the action, holding that no French statutory accessibility obligation attached to Auchan E-Commerce because the subsidiary did not exceed the €250 million revenue threshold set by French national accessibility legislation (a long-standing large-company threshold, separate from the EAA microenterprise rule). ApiDV, Droit Pluriel, and Intérêt à Agir have appealed to the Cour d'appel de Douai. Rulings against Carrefour, E.Leclerc, and Picard were pending at the time of writing. The ruling is widely viewed as a narrow reading of Loi 2023-171 and is on appeal — treat it as procedural news, not a safe harbour. See our France EAA guide for a deeper walk-through.

Three operational lessons fall out of this pattern. First, the earliest visible enforcement of the EAA in any member state is civil, not administrative — meaning an SMB cannot expect a warning letter from a regulator before being sued. Second, the targets were household names with obvious accessibility shortfalls on high-traffic e-commerce flows; the NGOs prioritised cases where consumer harm is easy to document. Third, the cadence from formal notice to court filing was roughly four months, which is faster than most US accessibility-litigation timelines. If you sell into France, treat published WCAG 2.1 AA conformance and a publicly accessible RGAA-aligned statement as the practical minimum. For more context on similar pressure patterns elsewhere, see our ADA demand-letter response guide.

The accessibility statement (Article 13 + Annex V)

Article 13 of the EAA, read together with Annex V of Directive 2019/882, requires service providers to prepare accessibility information describing how the service meets the accessibility requirements, and to make that information available to the public in written and oral format, in a manner accessible to persons with disabilities. Annex V § 1 says the information should be included in the general terms and conditions, or equivalent document. In practice most covered services publish a public accessibility statement at a stable URL linked from the global footer — this is the cleanest and most discoverable implementation — but the information may equally live in T&Cs or another accessible document, provided it is genuinely public and accessible. (Note: the obligation to publish a formal “accessibility statement” on a website at a fixed URL comes from the older Web Accessibility Directive 2016/2102, which applies to public-sector bodies, not from the EAA.) National transpositions add their own form requirements on top; France in particular insists on RGAA-aligned wording and a published remediation plan.

A defensible accessibility statement contains, at minimum, the following:

• Identification of the service provider (legal name, registered office, contact email).
• The standard against which conformance is claimed (typically EN 301 549 V3.2.1 / WCAG 2.1 AA) and the conformance level (“fully conformant,” “partially conformant,” or “non-conformant”).
• A list of known non-conformities and the parts of the service they affect, dated, with a remediation timetable.
• Any disproportionate-burden claims, the basis for them, and the scope of the service they cover.
• The date the statement was last reviewed and the date of the most recent automated and manual audit.
• A feedback mechanism (email or form) for users to report accessibility barriers, plus escalation contact details for the national market surveillance authority.

We will publish a deeper walkthrough at the accessibility statement generator guide when it goes live; for now, the bullet list above is the operational minimum.

Transition periods: June 28, 2025 vs June 28, 2030

The two dates that matter for SMBs are five years apart, and the distinction between them is narrower than most companies assume:

• June 28, 2025— the primary application date. Any service placed on the market after this date must comply immediately. New e-commerce launches, redesigns substantial enough to constitute a new service, new banking products, new transport apps, and new e-book platforms all fall here.
• June 28, 2030— the Article 32 backstop, but only for narrow carve-outs. Products lawfully used by service providers to deliver similar services before 28 June 2025 may continue in use until 28 June 2030. Service contracts agreed before 28 June 2025 may run their course but no longer than five years from that date (which caps at 28 June 2030). Pre-existing self-service terminals may continue for up to 20 years from their entry into use. The 2030 date is not a blanket grace period for digital services already in use.

The trap here is the meaning of “placed on the market.” A major redesign or platform replatform typically counts as a new service even if the brand and customer base are continuous, which collapses the 2030 grace into the 2025 enforcement date. If you are shipping anything more ambitious than incremental UI changes, plan to meet the standard now rather than betting on the long transition.

A second trap is the assumption that the 2030 backstop is a hard deadline you can ignore until 2029. In practice, national authorities and private litigants are already evaluating pre-existing services against the EAA today, and a service that has been demonstrably inaccessible since 2025 is a far weaker target for a disproportionate-burden defence than one with a documented annual remediation plan. The 2030 date is best read as a ceiling for the completion of the work, not permission to delay starting it.

The 12-step SMB checklist

Practical, action-oriented, and ordered roughly by the dependency chain we see in real EAA readiness work. None of these steps requires a law firm to start; the legal-review steps come at the end and only after the operational evidence exists.

1. Confirm your scope.Map your services against the EAA-covered sectors above. Note which EU countries you sell into and where you take payment in EUR. If you're a non-EU seller without a clear answer to those questions, assume you are in scope.
2. Check the microenterprise threshold. Fewer than 10 employees AND under €2 million annual turnover or balance sheet total — both must be true, and group affiliation typically disqualifies. If you don't cleanly qualify, skip this step.
3. Inventory the digital surfaces that matter. List every consumer-facing site, mobile app, email template, checkout iframe, third-party widget, and self-service terminal. Most SMBs underestimate the third-party widget count by a factor of three.
4. Run an automated baseline scan. Pick a primary scanner, scan every distinct page template, and export the results. Per Deque's Automated Accessibility Coverage Report, Deque reported automated tests identified 57.38% of issue instances by volume in its dataset — based on 2,000+ audits across 13,000+ pages and ~300K issues. That number is the ceiling: automated tooling is necessary but insufficient.
5. Triage by user-journey severity, not raw count. A single keyboard trap on checkout matters more than a hundred decorative-image alt-text findings. Prioritise: account registration, login, search, product detail, add-to-cart, checkout, payment, account self-service.
6. Fix the deterministic findings first. Missing labels, missing alt text, missing language attributes, broken heading hierarchy, insufficient contrast on text — these are the cheapest wins per hour of engineering time.
7. Run keyboard and screen-reader manual passes on top journeys. One person, one hour, NVDA on Windows and VoiceOver on macOS, just the eight journeys from step 5. This is what catches the issues automated tools cannot.
8. Document any disproportionate-burden claims in writing. For any requirement you cannot meet, write the cost-versus-benefit assessment now, sign it, file it, and put a review date on it. Don't rely on a verbal claim.
9. Publish your accessibility statement. Use the Article 13 + Annex V fields above. Link it from the global footer with the label “Accessibility.” Put the canonical URL at /accessibility.
10. Stand up monitoring for regressions. New deployments break accessibility. Weekly scheduled scans of the top templates with diff-based alerting catch the regressions before users do. SweepHound is built to do this; so are other tools.
11. Train the people who ship changes. Engineering, design, content, and marketing all introduce accessibility regressions. Two-hour primer plus a checklist embedded in your PR template is enough for most SMBs.
12. Run jurisdiction-specific legal review last. With the operational evidence in hand — statement, audit reports, remediation plan, training records — have local counsel review for the member states where you have the largest customer exposure. France, Germany, Spain, and Italy first; others on a risk-weighted basis. For deeper coverage see our forthcoming BFSG Germany guide, France EAA & RGAA guide, and Italy EAA & Stanca guide.

How SweepHound supports EAA readiness

SweepHound is an accessibility scanning and remediation tool, not a compliance certification. We do not issue legal opinions and we do not claim that running our scanner makes a site EAA-compliant. What we do is reduce the operational cost of the readiness steps above, specifically:

• Dual-engine scanning. Every scan runs both axe-core and IBM Equal Access against the same DOM, so coverage is broader than either engine alone. Headline numbers and per-engine breakdowns are both surfaced.
• Auto-generated accessibility statement scaffolding. We populate the Article 13 + Annex V fields from your most recent scan so your statement reflects current evidence instead of being a static one-time write-up.
• Scheduled monitoring and regression alerts. Weekly scans, diff-based alerting, and per-template trend lines so new deployments don't silently degrade accessibility.
• Remediation guidance per issue. Deterministic fix hints where the fix is mechanical, plus LLM-generated explanations and code examples where it is not. Output reviewed against known-bad pattern guards.

If you want to see where your site stands today, start a free scan — or compare plan-gated features on the pricing page if you already know which monitoring tier you need.