· regulation & compliance
The European Accessibility Act is now enforceable. Most digital businesses are in scope.
Since 28 June 2025, Directive (EU) 2019/882 has required a wide range of consumer products and services sold in the EU to be accessible to people with disabilities. Enforcement and penalties are set country by country. This is a sourced briefing on what the Act is, who it applies to, and what non-compliance can cost.
01 What the Act is
One EU-wide law that makes digital accessibility a condition of selling in Europe
The European Accessibility Act (EAA) is a European Union directive adopted on 17 April 2019 and in force since 28 June 20251. It sets one shared set of accessibility requirements across all 27 member states — so accessible products can move freely across borders, and businesses follow a single rulebook instead of 27 different national ones.
It implements the EU's commitments under the UN Convention on the Rights of Persons with Disabilities. Unlike the 2016 Web Accessibility Directive, which covers only public-sector bodies, the EAA reaches into the private sector: e-commerce, banking, transport, telecommunications and more.
Products Covered products
- Computers and operating systems
- Smartphones and telecoms terminal equipment
- Self-service terminals — ATMs, ticketing and check-in machines, payment terminals
- TV equipment for digital television services
- E-readers
Services Covered services
- E-commerce and consumer-facing websites and apps
- Consumer banking services
- Electronic communications
- Access to audiovisual media services
- Elements of air, bus, rail and waterborne passenger transport
- E-books and dedicated reading software
Compliance is measured against EN 301 5494, the harmonized European standard, which currently incorporates WCAG 2.1 Level AA for web content and adds requirements for mobile apps, software, documents and hardware (an update aligning with WCAG 2.2 is expected). In plain terms: if your website meets WCAG 2.1 AA, you have covered the core web requirements in every member state.
02 Key dates
From adoption to enforcement — and the transitional periods still running
Directive adopted
The European Parliament and Council adopt Directive (EU) 2019/882; it enters into force on 27 June 2019.
Transposition deadline
Member states had to adopt and publish the national laws transposing the directive by this date. All 27 have now done so.
Requirements apply
Covered products placed on the market and services provided to consumers must meet the requirements. National authorities can investigate, demand remediation, and impose penalties.
Service contract transition ends
Service contracts agreed before 28 June 2025 may continue unchanged until they expire, but no later than this date. Self-service terminals lawfully in use may be used for up to 20 years after deployment.
First Commission review
The European Commission delivers its first report on the application of the Act, and every five years thereafter.
03 Who it applies to
Every operator in the supply chain — including businesses based outside the EU
The EAA applies to every business in the chain — makers, importers, sellers and service providers (the law calls them economic operators) — that puts a covered product or service in front of EU consumers. If you sell to people in the EU, being based elsewhere does not exempt you.
Manufacturers & importers
Must design and produce covered products to the requirements, keep technical documentation, and carry the conformity marking. Importers and distributors must verify compliance before products reach the market.
Service providers
E-commerce sites, banks, telecoms, transport operators and media services must make consumer-facing services accessible and publish an accessibility statement describing how they conform.
Non-EU businesses
Like the GDPR, what matters is where your customers are, not where you are based. Any company in the world that offers covered products or services to EU consumers is in scope.3
04 Exemptions & relief
The small-business exemption is narrower than most people assume
Micro-enterprises — services only
A micro-enterprise (fewer than 10 staff and annual turnover or balance sheet of €2 million or less)3 is exempt from the requirements when it provides services, along with the related documentation duties.
The carve-out does not extend to products. A micro-enterprise that manufactures, imports or distributes a covered product must still comply in full.
Disproportionate burden & fundamental alteration
A business can be excused from specific requirements if meeting them would fundamentally change what the product or service is, or cost far more than it can reasonably bear (a “disproportionate burden”). This is not a free pass: the decision must be written down, can be reviewed by regulators, and has to be revisited when circumstances change.
Legacy content & existing terminals
Time-based media, office documents and third-party content published before 28 June 2025 can be out of scope, and archived content not updated after that date need not be retrofitted.
Self-service terminals lawfully used before that date may run to the end of their economic life (up to 20 years), and service contracts signed beforehand may continue until they expire — no later than 28 June 2030.
05 The accessibility statement
A published statement is itself a legal requirement
Most member states require every in-scope service provider to publish an accessibility statement — a standing declaration of how the service meets the requirements. It is not optional paperwork: regulators in France, Ireland and Spain check it early in a complaint, and a missing or inaccurate statement is separately penalized — up to €25,000 per year in France.5
Must include What it declares
- Conformance status against EN 301 549 / WCAG 2.1 AA
- Known limitations and any features still non-conformant
- Any disproportionate-burden claims being relied on
- A contact route to report barriers, and your response time
- The date it was last reviewed
Where it lives
Publish it on the service itself — typically a persistent "Accessibility" link in the footer — so users and regulators can find it without asking.
Keep it current: an out-of-date statement is treated as an inaccurate one, and that is what gets penalized.
06 Enforcement across the EU-27
One directive, transposed into 27 national laws
All 27 member states have transposed the EAA, so the requirements are in force everywhere. What differs is enforcement activity — the color below tracks how far each country has moved from "law on the books" to active surveillance and legal action.
Select any country to see its penalties, enforcing authority and complaint route.
Posture reflects publicly documented activity as of mid-2026 and is indicative, not a legal status. Transposition is complete across all 27 member states2 — a country shaded "law in force" is no less binding than one shaded "active enforcement." Norway, Iceland and Liechtenstein apply equivalent rules through the EEA; Norway has already imposed daily penalties in an accessibility case.
07 Fines & penalties
No EU-wide fine — each country sets its own under Article 30
Article 30 requires every member state to set penalties that are "effective, proportionate and dissuasive,"3 but leaves the amounts to national law. The result is a wide spread — from no fixed ceiling to seven figures, plus market bans, daily fines and, in one country, prison.
As of mid-2026, no fine has been confirmed issued under any EAA-transposed law. But the machinery is live: France filed the first EAA lawsuits in November 2025 against major retailers, Sweden and the Netherlands have opened surveillance programs, and German competitors began sending cease-and-desist letters within weeks. Pre-EAA precedent exists too — in 2024 a Spanish court upheld a €90,000 fine against an airline for an inaccessible website.5
| Country & transposing law | Reported maximum | Enforcing authority | Basis |
|---|---|---|---|
| SpainLey 11/2023 | Up to €1,000,000 + suspension up to 2 yrs (very serious) |
Ministry / autonomous communities | Statutory |
| SwedenLag 2023:254 | ≈ €900,000 SEK 10,000,000 + market bans |
PTS · Konsumentverket | Statutory |
| ItalyD.Lgs. 82/2022 (Stanca) | €5,000–€40,000 (Art. 24) 5% of turnover only for firms > €500M (Stanca Act) |
AgID — 90-day cure period | Statutory |
| FranceLoi 2023-171 + Décret 2023-931 | €7,500 (legal persons) up to €300,000 with daily fines; ARCOM web regime adds €50k |
DGCCRF · ARCOM | Statutory |
| GermanyBFSG | Up to €100,000 per violation; + competitor actions |
MLBF (Länder market surveillance) | Statutory |
| NetherlandsImplementatiewet (Stb. 2024, 87) | Up to €110,000; ACM up to €900,000 ACM reporting duty since Oct 2025 |
ACM + sector regulators | Reported |
| IrelandEU Regs 2023 (S.I. 636/2023) | Up to €60,000 + 18 mo. prison only EU state with criminal sanctions |
Multiple sector regulators | Statutory |
| CroatiaNN 89/2025 | Up to €132,720 legal entities; tiered from €1,990 |
State Inspectorate · HAKOM | Statutory |
| BelgiumFederal/regional | Up to €200,000 or 6% of turnover (most serious) |
SPF Économie | Reported |
| AustriaBaFG | Up to €80,000 €50k for micro & SMEs; lower for minor cases |
Sozialministeriumservice | Statutory |
| PortugalDecreto-Lei 82/2022 | €24,000–€44,892 (very serious) €2,000–€3,741 for individuals |
ANACOM · ASAE · ERC · AMT | Statutory |
| PolandDz.U. 2024 poz. 731 | 10× avg monthly wage capped at 10% of annual turnover |
PFRON + sector bodies | Statutory |
| DenmarkAct 801/2022 | No fixed maximum fines only; set case by case |
Sikkerhedsstyrelsen | Statutory |
| Other statesBG·CY·CZ·EE·GR·HU·LV·LT·LU·MT·RO·SK·SI | All transposed and applicable. Published maxima vary widely — for example Hungary up to ≈ €1,260,000 (5% of turnover), Luxembourg up to €1,000,000, Czechia ≈ €400,000, Cyprus up to €30,000, Slovenia €40,000, Estonia €20,000, Lithuania €15,000, Romania ≈ €3,000. Select any country for its sourced detail. | Reported | |
Figures verified June 2026 and reproduced from the sources listed in section 08. Currency conversions are approximate. Penalty regimes are changing as enforcement matures — treat "Reported" figures as indicative and confirm against national law before relying on them. Nothing here is legal advice.
08 What to do next
A defensible compliance position is built, documented, and maintained
Audit against EN 301 549
Test every consumer-facing surface — website, mobile app, checkout, account flows — to WCAG 2.1 AA and the wider EN 301 549 criteria. Scope in the services people actually transact through, not just the marketing site.
Publish an accessibility statement
Most member states require a statement describing conformance, known limitations, and a contact route for users to report barriers. A missing statement is itself penalized in some countries.
Remediate and document
Fix the highest-impact barriers first and keep an evidence trail. Documented good-faith remediation mitigates penalties and supports any disproportionate-burden assessment.
Maintain conformance
Accessibility regresses with every release. Bake checks into your design system and CI so new features ship accessible and your statement stays accurate.
Find out where you stand before an authority does.
I run structured accessibility audits against EN 301 549 and WCAG 2.2 AA — severity-rated, evidence-backed, and mapped to the obligations that matter for your markets. Start with a conversation about your risk and readiness.
09 Sources & references
Every claim on this page is sourced
Core facts are drawn from the European Commission and EUR-Lex. National penalty figures are corroborated against legal-firm analyses where possible and flagged as "Reported" where only industry matrices were available.