Elgarde
accessibility eaa enforcement eu-regulation

EAA enforcement: first wave hits the EU in spring 2026

Elgarde Team · · 6 min read

The grace period is over

Through the second half of 2025 and the start of 2026, “EAA enforcement” was a hypothetical. The European Accessibility Act became binding on 28 June 2025, and the dominant story for several months was guidance and warnings — regulators publishing FAQs, advocacy groups sending polite letters, lawyers writing articles that began with “soon.”

Spring 2026 is different. Three enforcement tracks are now running in parallel, in three different EU member states, against companies you have heard of. If your business operates a public-facing e-commerce site in the EU, this is the moment when the cost of doing nothing turns from future risk into an active calendar item.

What’s actually happening this quarter

Sweden — 28 active investigations

The Swedish Post and Telecom Agency (PTS, Post- och telestyrelsen) has launched 28 supervisory investigations of e-commerce sites under the Swedish transposition of the EAA. The programme spans fashion, furniture, electronics, online supermarkets, and online pharmacies — meaning no single sector is being singled out.

The first round looks at three specific surfaces of each site: the homepage, a product page, and the search function. PTS is checking whether each meets the WCAG criteria the EAA incorporates by reference. The programme started in late 2025 and continues through 2026.

What this tells you: the regulator has chosen narrow, replicable scope (3 page types) so it can audit fast and at scale. If your site fails on any of those three, you’re inside the same template the next 28 investigations will follow.

France — four major retailers in court

On 7 July 2025, ten days after the EAA deadline, two French disability-rights organisations (ApiDV and Droit Pluriel), supported by the legal collective Intérêt à Agir, issued formal legal notices to Auchan, Carrefour, E. Leclerc, and Picard — France’s largest grocery retailers. The complaints cited screen-reader incompatibility, checkout flows that broke for keyboard-only users, and product information that visually impaired customers couldn’t access.

The retailers had until 1 September 2025 to remediate. Remediation efforts were judged insufficient. In November 2025, the same coalition filed assignations en référé — emergency injunctions — against all four.

This is the first major private-litigation EAA enforcement action in the EU, and it matters for two reasons:

  1. It bypasses the regulator entirely. The French transposition of the EAA lets civil-society organisations file complaints in court directly. You don’t need a national authority to find you first; an NGO can.
  2. The targets are the largest, best-resourced retailers in their market. The Directive was published in 2019 and the deadline ran for six years. If France’s biggest grocery chains couldn’t ship a screen-reader-compatible checkout in that window — and couldn’t fix it in the 12 weeks between formal notice and court filing — the engineering work is harder than most teams plan for.

Netherlands — priority audit list activated this spring

The Dutch Authority for Consumers and Markets (ACM) ran a non-conformance self-reporting deadline on 15 October 2025. Businesses had to report any known accessibility gaps; non-reporters and incomplete reporters were warned they would be prioritised for audit in early spring 2026 — which is now.

ACM has begun testing companies that didn’t reply to the reporting request. Where the absence of a self-report is combined with concrete audit findings, the authority intends to escalate to formal enforcement. Penalty decisions are expected throughout 2026.

The Dutch penalty range is unusually wide: up to €900,000 as a flat cap, or — for larger companies — 1% to 10% of annual turnover, scaled to the violation. The 10% upper bound puts the EAA in the same financial-risk tier as the GDPR for the businesses ACM cares about.

Why this matters now (and not in six months)

The three tracks above don’t share a regulator, a procedure, or a sector. They share a pattern: enforcement is decentralised and asymmetric. Different EU member states have built different machinery for this — some via national supervisory authorities (PTS, ACM), some via civil society litigation (France), some via market-surveillance audits — and they are all moving simultaneously.

For a website operator, that has three operational implications:

  • You can’t watch one source to know what’s coming. A regulatory tracker that only follows DPAs misses the French civil-society lawsuits. A tracker that only follows class actions misses the Swedish 28-investigation sweep.
  • The “we’ll fix it when warned” plan no longer works. France’s NGO route gave 8 weeks between the formal notice and the court filing. Sweden’s audits are unannounced. ACM’s audit list is already finalised.
  • Cross-border companies face cumulative exposure. Operate in NL, FR, and SE simultaneously? You sit inside three different enforcement systems at once — the same accessibility defect can produce parallel exposure in each, against the same set of underlying code.

What to check on your own site this week

The three enforcement tracks share a small set of defects. If you address these, you reduce exposure to all three at once.

  1. Run keyboard-only through your full checkout. Tab from product page to confirmation. If you cannot complete a purchase using only the keyboard, you are inside the failure mode that triggered the French complaints. WCAG 2.1.1 (Keyboard) is mandatory at level AA.

  2. Run a screen reader on a product page. macOS VoiceOver or NVDA on Windows takes 5 minutes to install and 20 minutes to learn enough for a smoke test. Listen to one product page from top to bottom. Are the price, variant selector, and “add to cart” announced clearly? If not, you reproduce the second French complaint.

  3. Check your homepage, one product page, and the search results page against WCAG 2.1 AA — exactly the three surfaces PTS audits in its first-round template. Common failures: focus indicators removed by outline: none, image alt text generated by the CMS as the filename, text contrast below 4.5:1 against background colour.

  4. Document what you find. Even if you cannot fix everything immediately, ACM has explicitly told Dutch businesses that self-reporting plus a remediation plan is treated more favourably than no report. The same logic applies in any of the three jurisdictions: a documented, dated remediation plan is evidence of good faith.

A note on scope

The EAA does not cover every website — it applies to a defined list of products and services that includes e-commerce, banking, e-books, electronic communication services, and audiovisual media services. Microenterprises providing services (under 10 employees, under €2M turnover) are exempt for the services side. A B2B SaaS dashboard with no consumer-facing storefront is generally outside scope.

If you’re unsure whether your site is in scope, the European Accessibility Act overview explains the scoping rules; the Directive (EU) 2019/882 text on EUR-Lex is the authoritative source.

The shape of 2026 enforcement

PTS, ACM, and the French NGO coalition are not coordinated. They didn’t agree to launch in the same quarter. The fact that they did, independently, tells you the EAA enforcement system has finished its setup phase across the EU. Expect similar moves from the equivalent authorities in Italy, Spain, Germany, and Ireland through the rest of 2026.

The defensible posture is the same one every regulator and advocacy group is implicitly asking for: a documented, repeated audit of the surfaces those bodies are looking at, with a remediation plan attached to each finding. Doing the work once a year, before the regulator finds you, is now meaningfully cheaper than the alternative.

Run a free accessibility audit on your site — no registration required. Start a scan.

Check your website's compliance

Free scan — no registration required. Most results in under a minute.

Scan now
← Back to all posts