The Grace Period is Over: What Can We Learn from the First Wave of EAA Audits in Early 2026?

More than six months have passed since the European Accessibility Act (EAA) deadline officially expired on June 28, 2025. This date, which we referred to in our previous articles as a somewhat distant yet critical milestone on product development roadmaps, has now become a concrete business risk.

The relative silence of the past few months may have misled many market players. While on the surface it might have seemed that the world didn't end and no spectacular changes occurred immediately after the deadline, the processes in the background were intense. The first tangible and painful signals are appearing: the grace period is definitely over. National market surveillance authorities have not been idle; they used the last six months to build, test, and activate the inspection protocols capable of screening millions of digital products.

The sudden activation of these authorities clearly indicates a trend: digital product accessibility has escalated to a CFO-level financial risk factor. Non-compliance in 2026 is no longer a theoretical risk handled by the legal department in a footnote, but a concrete source of business loss appearing on the balance sheet. Where do we stand now? What specific penalties must those who failed to prepare expect? And what immediate operational steps can be taken to minimize risks?

The Legal Background Sharpens: From Directive to Hard National Law

To understand the gravity of the current situation, it is important to clarify the baseline, which may have given rise to many misunderstandings in recent years. The legal nature of EU Directive 2019/882 (EAA) was not a directly applicable regulation (like parts of the GDPR), but a directive. In practice, this meant that while the Union defined the goals and frameworks, each member state had to incorporate the regulations into its national legal system within its own jurisdiction and, most importantly, develop its own sanctioning system.

Although this harmonization process began in 2022, the date for actual, enforceable application was June 28, 2025. Up to this point, corporate lawyers could relatively easily refer to ongoing developments, transitional periods, or attempt to use the "disproportionate burden" clause.

In early 2026, these excuses no longer hold water

In early 2026, these excuses no longer hold water. The disproportionate burden clause, for instance, is not a blank check that anyone unwilling to spend on development can fill out. It must be strictly documented, proving that the costs of accessibility would genuinely jeopardize the company's viability – which, in the case of a profitable bank, insurer, or e-commerce player, is an almost impossible mission.

The biggest novelty of the current situation is the activation of market surveillance authorities. Unlike GDPR, where data protection authorities act, in the case of the EAA, consumer protection or communications agencies typically receive the mandate. This is not merely an administrative difference, but a shift in perspective. These bodies operate with a different logic: for them, non-accessible software is a product safety risk, exactly like a hair dryer with faulty wiring or a children's toy posing a choking hazard. While the legal environment varies by country, the severity is palpable everywhere. Some states focused on fixed fines; others tied penalties to corporate turnover, drastically raising the stakes.

German Precision: The Magdeburg Hub as a Warning Example

Germany, as the European Union's largest market, transposed the directive via the Barrierefreiheitsstärkungsgesetz (BFSG). The German approach is a particularly instructive and frightening example; they prepared thoroughly for the deadline and left nothing to chance. The federal states do not inspect in a fragmented, ad hoc manner; instead, they act centrally: they have established a joint market surveillance coordination center (Marktüberwachungsstelle) specifically tasked and resourced to examine the compliance of digital products.

In the German system, the fine is capped at €100,000 per violation. While at first glance this might seem like a rounding error in a multinational company's annual budget, the system is built on escalation and repetitive sanctioning. This means the fine is not a one-off fee that, once paid, allows the business to continue as usual. The penalty can be imposed multiple times if the violation is not remedied despite warnings.

Even more important than the financial sanction, however, is that German authorities have the power to prohibit the distribution of non-compliant products. Consider this: for an e-commerce player or a SaaS (Software as a Service) provider, being banned from the German market – even temporarily – would cause damage orders of magnitude greater than the fine itself. Not to mention the reputational loss.

Furthermore, the German inspection mechanism relies not on human resources, but on technology, heavily using automated testing software. These crawler bots can scan websites in massive volumes, day and night, searching for basic WCAG (Web Content Accessibility Guidelines) errors. Anyone hoping that "my company is small, they won't notice me in the crowd" is mistaken: automated screening does not discriminate, does not get tired, and knows no leniency.

When Non-Compliance Hits the Balance Sheet

Perhaps surprisingly, based on a comprehensive analysis by Deque Systems, some of Europe's strictest financial sanction systems are found in Hungary and Italy. These countries have adopted a model that strongly resembles the GDPR fining principle: the legislator recognized that fixed fines are not a deterrent for large corporations, whereas revenue-based penalties are unavoidable.

Hungarian legislation responded to the EAA by tightening the Consumer Protection Act. Domestically, the fine can reach 5% of annual net revenue or a fixed maximum (which in some cases can be up to 500 million HUF, ca. €1.3 million). For a domestic webshop with billions in turnover, a bank, or a fintech provider, losing 5% of revenue falls well into the category that endangers profitability, and indeed, the company's future.

Italy has followed a similarly rigorous path. Under the Decreto Legislativo n. 82/2022, the penalties are specifically designed to scale with the size of the entity. For companies falling under the extended scope of the Stanca Law (primarily those offering public services or large enterprises), the fine can reach up to 5% of the annual turnover. Even for smaller violations, the administrative fine cap is set at €40,000. As detailed in the AgID (Agency for Digital Italy) Guidelines, this approach ensures that accessibility is treated as a critical compliance metric rather than a minor administrative checkbox.

Personal Liability and Draconian Caps

While revenue percentages are frightening for shareholders, other member states have introduced measures that strike fear directly into the hearts of management.

The cost of sustained non-compliance is significantly higher than the cost of proper development

France has opted for an exceptionally high penalty system to enforce compliance. Through amendments to the Code de la consommation (Consumer Code), validated by Décret n° 2023-931, the French authorities have established a mechanism that goes beyond simple one-off fines. Beyond the immediate criminal fines, authorities can impose cumulative daily penalties that can reach up to €300,000 per inspection cycle to force compliance. This high ceiling ensures that for medium and large enterprises, the cost of sustained non-compliance is significantly higher than the cost of proper development.

The situation is perhaps most drastic in Ireland, the European headquarters for numerous tech giants (Google, Meta, etc.).

The Irish implementation, Statutory Instrument No. 636 of 2023, introduced the institution of personal liability, representing unprecedented severity. Company executives can be held criminally responsible if it can be proven that the violation occurred with their consent or due to their negligence. The sanction is not just a fine (up to €60,000 on indictment) but, in serious cases, can include up to 18 months’ imprisonment. This clause fundamentally changes the attitude of C-level executives: UX decisions now directly impact their personal safety and freedom.

Not Just Fines: Market Restriction as a Real Threat

Professional discourse often gets stuck on the amount of fines, yet the EAA’s true teeth lie in market restriction measures. Financial penalties are just one tool. Authorities have the right to order much more painful steps:

• Total recall of the product from the market.
• Immediate suspension of service provision.
• Restriction of product availability (e.g., geoblocking).

As an extreme example, imagine a banking mobile app that the authority orders to suspend operations until severe accessibility errors are fixed. In practice, this means the bank's customers cannot access their accounts on mobile from one day to the next. This is not just lost revenue, but an immediate loss of trust and a reputational catastrophe that takes years to recover from. For a strictly online webshop, a shutdown could mean bankruptcy. 

Legal analyses, such as those by DLA Piper on national implementations, highlight a critical nuance: the enforcement process is not just about financial penalties. Authorities typically grant a specific timeframe for corrective action. However, if a company fails to bring the product into compliance by this deadline, the regulator is mandated to escalate immediately to market restriction measures – such as product withdrawal or service suspension – effectively shutting down operations regardless of whether a fine has been paid.

What Are They Actually Checking? Technical Reality and the Lack of Empathy

The basis for inspections remains the standard. The EAA regards WCAG 2.1 AA level compliance as the benchmark (although the legislation technically refers to the EN 301 549 European standard, which is entirely based on WCAG). However, our practical experience shows that technical compliance alone is insufficient if genuine design intent is missing.

If a website or application cannot be handled exclusively with a keyboard, it is an immediate failure

As we explained in a previous article, true accessibility is not about mechanically ticking off checklists, but about empathy. While authorities rely on automated software to scan for technical code violations, the spark that ignites a targeted investigation is almost always a human experience. Users do not report invalid code, they report usability barriers – such as a checkout button that cannot be clicked or a form that is impossible to navigate. These functional blockers drive users to file official complaints, which then puts the company directly on the regulator's radar.

Let's look more specifically at the most common sources of error for which fines are now being issued:

1. Lack of keyboard navigation: If a website or application cannot be handled exclusively with a keyboard (i.e., without a mouse), it is an immediate failure. A common error is the "keyboard trap," where the user enters a menu or form using the Tab key but can never exit. 
2. Contrast ratios: Designers often use color combinations that strictly follow brand guidelines, which may be elegant but are unreadable. And we shouldn't just think of the visually impaired here: anyone trying to read their phone in strong sunlight encounters the same problem.
3. Forms and error messages: If a user fills out a field incorrectly, screen reader software must read out exactly where the error is and what to do. A red border is not information for a blind user. A generic "Error occurred" message helps no one. This is a critical point in the banking and insurance sector.
4. Multimedia captioning: For video content, the lack of subtitles is no longer just an annoyance but a concrete violation of the law. For the deaf and hard of hearing, a video without subtitles is "empty" content.

It is important to understand that authorities do not expect pixel-perfect design, but rather that the product is accessible to everyone. Accessibility is not the enemy of visual aesthetics, but a concomitant of quality code and logical UX.

Strategic Steps: What to Do If We Are Behind?

If a company realizes in early 2026 that its product does not meet regulations, structured action is the only viable path, not panic. Authorities value cooperation and proactivity. If, during an inspection, presenting a detailed, professionally grounded roadmap for fixing errors can be a serious mitigating factor, and the company may avoid the most severe sanctions.

1. Professional Audit – The First Line of Defense

The first step is a comprehensive, credible status assessment. Many fall into the trap of running a free Google Lighthouse test, and if it shows over 90 points, they relax. This is a dangerous misconception. Automated tests can detect at most 30%‒40% of errors.

Why? Because the machine does not understand context. A button may be syntactically correct, but if the reading software says "Button 34" instead of "Add to Cart," it is useless to the user. Semantic errors, illogical focus order, or structures that are code-correct but uninterpretable for screen readers can only be filtered out by expert eyes and manual testing. This is where the difference between a superficial solution and a real one becomes apparent. A thorough accessibility audit not only lists errors but also weights them according to business risk and repair effort (critical, severe, medium, minor). This is the document with which management can make responsible decisions about resource allocation.

2. Accessibility Statement

The second step is transparency. Every service provider falling under the EAA scope must publish a detailed statement on its website. This document describes the extent to which the product complies with regulations, exactly where the deficiencies are, and a concrete plan to fix them. An honest, professionally grounded statement can represent a legal safety net: it communicates to the authority and to users that the company is not burying its head in the sand, but is aware of its duties and is working on them.

3. Integration into the Development Process (Shift Left)

As a third step, accessibility must be integrated at the very beginning of the process – the industry calls this the "Shift Left" approach. You cannot "patch" WCAG rules onto the code at the last minute before every release, because it is expensive and inefficient. Contrasts, focus states, and semantic HTML structure must be handled at the design system level. If developers build from components (e.g., accessible buttons, input fields, and modal windows) that are factory-ready regarding regulations, we save a massive amount of subsequent bug fixing. In the long run, this is orders of magnitude cheaper than constant firefighting and the risk of fines.

The Era of Business Mindset Shift

In 2026, accessibility is no longer a hidden footnote in CSR (Corporate Social Responsibility) reports. It is one of the most important objective metrics of digital product quality. Companies now facing the first fines or official warnings are paying expensive tuition fees for the delay.

Those who do not make their products accessible are voluntarily giving up a significant portion of EU consumers

However, there is another reading of the situation, which smarter market players have already recognized: the EAA enforces a better UX. An accessible website is faster, more logically structured, has better discoverability, and reaches a wider target audience.

According to European Commission data, approximately 87 million people in the EU alone live with some form of disability. This is not a narrow market niche, but an invisible target audience the size of Germany's entire population. If we add the aging European society (the "Silver Economy"), where deteriorating vision, uncertainty in fine motor skills, or those who are only temporarily restricted (e.g., due to a broken arm or eye surgery) are everyday challenges, the formula is clear. Those who do not make their products accessible are not only breaking the law but are voluntarily giving up a significant portion of EU consumers.

The grace period has expired, but the opportunity is not lost. Now is the time to forge legal compliance into a competitive advantage and prove that our products are available to everyone – before the authority asks why they are not.