EAA compliance checklist for e-commerce: 15 audit items

An EAA compliance checklist scoped to e-commerce is the working artefact most EU online retailers now need before the next audit window closes. Sweden’s Post and Telecom Agency (PTS) has 28 active supervisory investigations of online shops under the European Accessibility Act, the Dutch market-surveillance authority has activated its priority audit list, and France’s largest grocery retailers are in court over inaccessible checkout flows. The Act became binding on 28 June 2025; the grace period is over.

This checklist focuses where regulators actually look: the product card, checkout, payment, account, and search flows of a real storefront. It is scoped to the surfaces enforcement bodies have already chosen as their first-round audit template. The substantive test is WCAG 2.1 Level AA, as incorporated into the EAA — see the European Accessibility Act overview and the first wave of EU enforcement for the legal framework. The checklist is written for the CTO or Head of Engineering of a European e-commerce business, not for a legal team.

What the EAA actually requires for e-commerce

The EAA — Directive (EU) 2019/882 — covers e-commerce services as one of its explicit in-scope categories. Article 3(5) defines an e-commerce service as one provided at a distance, by electronic means, at the individual request of a consumer, with a view to concluding a contract. That definition pulls in essentially every consumer-facing online shop in the EU. Microenterprises providing services (fewer than 10 employees, under €2M annual turnover) are exempt for the services side; no other size threshold applies.

The technical conformity benchmark for digital surfaces is EN 301 549 v3.2.1, which itself adopts WCAG 2.1 Level AA. That is the substantive standard PTS, the Dutch market-surveillance authority, and every other national body is testing against right now.

National penalty ranges vary substantially. Sweden caps fines at SEK 10 million (≈ €900,000). The Netherlands has a flat ceiling of €900,000, with scaled penalties up to 10% of annual turnover for larger entities — which puts the EAA in the same financial-risk tier as the GDPR for the businesses that authority targets. Transposition deadlines have all elapsed; the substantive obligations are uniform across the EU.

The 15-item EAA e-commerce checklist

The items below are grouped by the five flows enforcement bodies most often audit. Each item names the WCAG success criterion and the most common failure mode our platform’s audits surface in real e-commerce sites.

Product card and listing pages

1. Product images carry meaningful alt text (WCAG 1.1.1). Most common failure: the CMS generates alt as the filename (SKU-001-front.jpg) or duplicates the visible product title verbatim. Alt text should describe the visual information a sighted user gains — colour, material, configuration — without redundancy.

2. Product cards are reachable and operable by keyboard alone (WCAG 2.1.1). Tab from the listing page header through the card grid. Focus order must follow visual order, and “Add to cart” must be activatable with Enter or Space.

3. Filters and sort controls expose state to assistive technology (WCAG 4.1.2). Common failure: filter checkboxes built from <div> with click handlers, with no aria-checked and no announced state change when a result set updates.

Search function

4. The search input is labelled programmatically, not only visually (WCAG 1.3.1, 3.3.2). A placeholder attribute is not a label. Use <label for="…"> or aria-label. Sweden’s PTS audits the search function as one of three first-round surfaces, so this surface is being tested in 28 cases right now.

5. Search results announce result count and changes (WCAG 4.1.3). When a user submits a query and 12 results return, a screen reader should announce that — and announce a count change when filters tighten the result set. Implement with role="status" or aria-live="polite" on the count region.

Product detail page

6. Price, variant selectors, and availability are programmatically associated (WCAG 1.3.1). Common failure: a colour-swatch grid uses bare <div> elements, the selected state is communicated only through a CSS border, and the price update on variant change is not announced.

7. The “Add to cart” button has a programmatic name matching its visible label (WCAG 2.5.3). Visible text “Add to cart” with aria-label="Add SKU-001 to cart" is a divergence between accessible name and visible name, which breaks voice-control workflows.

8. Image zoom and gallery controls are keyboard-operable and screen-reader-announced (WCAG 2.1.1, 4.1.2). Carousels are the single most common failure on product detail pages — a recurring defect is autoplay with no pause control, which fails WCAG 2.2.2 (Pause, Stop, Hide).

Checkout flow

9. Form fields have visible labels positioned above the input, not as placeholder text (WCAG 3.3.2, 1.4.4). Placeholder-as-label disappears on focus, fails for users who magnify text, and is announced inconsistently by screen readers.

10. Errors are identified in text, with field-level association (WCAG 3.3.1). A red border alone is insufficient. Use aria-describedby to bind the error message to the input, and place the message after the input in DOM order so reading order is correct.

11. The full checkout, from cart review to order confirmation, is completable by keyboard alone (WCAG 2.1.1). This is the specific failure that triggered the French civil-society lawsuits against Auchan, Carrefour, E. Leclerc, and Picard. Run it on your own site. Tab from the cart to the confirmation page using nothing but the keyboard. If you cannot, you reproduce that failure mode.

12. Payment methods are not exclusively dependent on visual cues (WCAG 1.4.1, 1.3.3). Common failure: card-brand logos with no text equivalent, expiry-date format communicated only by an inline example (“MM/YY”) with no associated instruction, or radio buttons styled to look like cards with no semantic markup.

Account and authentication

13. Login, password reset, and 2FA flows are screen-reader-compatible (WCAG 1.3.1, 4.1.3). Code-input fields for 2FA frequently use auto-advance between single-character inputs that confuses assistive technology and breaks keyboard navigation back into a previous field.

14. The account dashboard exposes orders, addresses, and subscriptions through semantic HTML (WCAG 1.3.1). A “table” built from <div> elements with CSS grid is the recurring failure here — order rows that look like a table on screen but read as an undifferentiated stream to a screen reader.

15. An accessibility statement is published and reachable from every page (Annex V, EAA). Each member-state transposition requires a published statement that names the technical standard used, lists known non-conformities, and provides a feedback mechanism. Both PTS and the Dutch authority check for its presence as a precondition before opening an audit.

How to use this checklist

Treat it as a first pass, not the only pass. The 15 items above approximate the audit templates enforcement bodies have built for their initial sweeps — but EN 301 549 incorporates more than 50 WCAG 2.1 success criteria. A passing score against this checklist reduces, but does not eliminate, exposure under the EAA. For a fuller WCAG-level audit beyond the e-commerce surfaces, the WCAG 2.1 AA checklist for B2B SaaS covers the broader criteria set.

The defensible posture under the EAA is the one Dutch and Swedish authorities have both endorsed in their 2026 communications: a dated, written audit of the in-scope surfaces, with a remediation plan attached to each finding. An audit completed before a regulator opens an investigation is treated meaningfully differently from one produced under formal-notice pressure.

To get a first-pass audit of the surfaces above on your own storefront, run a free compliance audit on Elgarde — the report covers WCAG 2.1 AA findings on the homepage, product, search, checkout, and account flows, with each finding mapped to the article of the regulation that applies. For the authoritative legal text, see Directive (EU) 2019/882 on EUR-Lex. For the technical standard, see EN 301 549 on the ETSI portal.