EAA Compliance Finale 2026: Developer Toolkit, Enforcement Timeline & National Authorities Guide

Post #1431 in the sota.io EU Compliance Series — EU-EAA-DEVELOPER-2026 #6/6 FINALE

June 28, 2025 passed. The European Accessibility Act (Directive 2019/882) entered enforcement — and most European SaaS companies were unprepared.

One year later, enforcement varies significantly by country. Some national competent authorities (NCAs) are actively conducting market surveillance. Others are still building their enforcement infrastructure. But the legal obligation is uniform across the EU: if your service is in scope, it must conform to the accessibility requirements in Art.4, with EN 301 549 as the harmonized technical standard.

This finale consolidates everything you need: a complete developer toolkit referencing all posts in this series, a clear view of the enforcement landscape, and the two exemption routes — microenterprise (Art.22) and disproportionate burden (Art.14) — for services that genuinely cannot comply.

Where EAA Enforcement Stands in June 2026

The EAA transposition deadline was June 28, 2022 (Art.32). Member states were required to have national legislation in place. The service provider compliance deadline was June 28, 2025 (Art.33).

Existing services: Under the EAA transitional provisions, service contracts that predate June 28, 2025 have until June 28, 2030 to comply. New services and services launched after the deadline must comply now.

Market surveillance authorities under Art.19 and Art.26 have the power to:

• Inspect service providers for compliance documentation
• Request accessibility statements and conformance evidence
• Issue corrective orders under Art.24
• Impose financial penalties under national transposition laws

The enforcement reality in 2026: First-wave enforcement is focused on public-facing digital services with high user volumes. Financial services, transport, e-commerce, and electronic communications services are priority sectors under Art.2. Pure SaaS infrastructure (developer tools, APIs without end-user interfaces) has lower enforcement priority but remains legally in scope if the service is offered to consumers.

Art.2 Scope: Is Your Service In Scope?

Before running through the compliance checklist, confirm scope. Art.2 of Directive 2019/882 covers services in these categories when offered to consumers in the EU:

Definitely in scope:

• E-commerce services (including SaaS sold via web storefronts with checkout)
• Electronic communications services with end-user interfaces
• Consumer banking and financial services
• Transport-related passenger services with booking/information interfaces
• Audiovisual media services player software

Probably in scope:

• Any SaaS with a customer-facing web application used by EU consumers
• Mobile applications distributed to EU consumers

Grey area:

• Pure API services with no consumer-facing interface
• B2B-only SaaS where all users are professional/enterprise clients

The official determination is under national implementation. When in doubt, treat your service as in scope — the cost of compliance documentation is far lower than the cost of enforcement proceedings.

The Two Exemption Routes

If your service is technically in scope but compliance would be genuinely disproportionate, two exemption routes exist.

Route 1: Microenterprise Exemption (Art.22)

Art.22 provides a full exemption for services provided by microenterprises, defined as:

• Fewer than 10 employees, AND
• Annual turnover OR annual balance sheet total not exceeding EUR 2 million

Both conditions must be met simultaneously. The exemption applies to services, not products. If you are a microenterprise offering a SaaS product, you are exempt from the EAA service obligations.

Important: The exemption is self-assessed. You do not need to notify any authority. But you should document your microenterprise status annually — if your headcount or revenue grows above the threshold, the exemption ceases to apply.

What to document:

EAA Microenterprise Status Declaration
Date: [YYYY-MM-DD]
Entity: [Company Name]
Employees (FTE): [N] (below 10)
Annual Turnover: EUR [X] (below EUR 2 million) / OR Annual Balance Sheet: EUR [X] (below EUR 2 million)
Conclusion: Microenterprise exemption applies under Art.22, Directive (EU) 2019/882.

Store this in your compliance records. Review annually when financial statements are filed.

Route 2: Disproportionate Burden (Art.14)

Art.14 allows service providers to deviate from the accessibility requirements where compliance would impose a disproportionate burden. This is a proportionality assessment — not an opt-out.

The assessment must consider:

1. The net cost of accessibility implementation relative to total operating costs
2. The estimated benefit to persons with disabilities
3. The frequency and duration of use of the specific feature
4. The size and resources of the service provider
5. The estimated number of persons with disabilities using the service

Procedural requirements under Art.14(5):

• Document the assessment formally
• Notify the relevant market surveillance authority
• Update the accessibility statement to declare which requirements are not met and why
• Renew the assessment periodically (when circumstances change materially)

The disproportionate burden assessment is not a one-time free pass. Authorities can challenge the assessment. If your operating costs grow while accessibility investment stays at zero, the burden calculation shifts. Treat it as a structured business case with documented assumptions.

National Competent Authorities: Art.26 Overview

Art.26 requires each member state to designate competent authorities responsible for enforcement. By mid-2026, most EU member states have notified their NCAs to the European Commission.

Key pattern across member states: Enforcement is typically split between:

1. A market surveillance authority (often a consumer protection agency, communications regulator, or digital ministry) with inspection and corrective order powers
2. A designated contact point for public inquiries and accessibility statement review

Priority sectors for NCA enforcement across EU member states:

• Financial services (online banking, payment services)
• Transport (booking systems, information services)
• E-commerce (retail platforms, marketplace checkouts)

For the current list of designated national authorities, refer to the European Commission's official notification database. NCAs are required to publish enforcement plans and can share enforcement information across the EU under Art.26(4).

Practical implication: If you receive a formal inquiry from a national accessibility authority, you have a limited window (typically 15–20 business days under national implementation) to provide compliance documentation. Having your Accessibility Statement, audit reports, and conformance evidence ready before an inquiry arrives is the only viable preparation.

Building Your Compliance Documentation Package

Regardless of whether you are currently being surveilled, you need a compliance documentation package. This is your proof of conformance if an NCA contacts you.

Document 1: Accessibility Statement

Most EU member state transpositions require a publicly posted Accessibility Statement for in-scope services. Minimum required content varies, but converges on:

Accessibility Statement for [Service Name]

Compliance status: [Fully compliant / Partially compliant / Non-compliant]
Standard: EN 301 549 (incorporating WCAG 2.1 Level AA for web, Chapter 9; 
          Chapter 11 for native software/mobile)
Assessment date: [YYYY-MM-DD]
Assessment method: Self-assessment + external audit (if applicable)

Non-accessible content:
[List specific features and WCAG SC failures, with remediation timeline]

Feedback mechanism:
[Email/form for users to report accessibility barriers]

Enforcement procedure:
[Name of national enforcement/ombudsman body and contact details]

Post the Accessibility Statement at a stable URL (e.g., /accessibility). Link to it in your footer.

Document 2: Conformance Evidence

Your Accessibility Statement references a testing process. The conformance evidence package includes:

• Automated scan results (axe-core, Lighthouse, Pa11y) — run against key user flows
• Manual testing logs (NVDA/JAWS/VoiceOver screen reader, keyboard-only navigation)
• Component inventory with WCAG 2.1 AA criterion mapping
• Known failures with remediation dates

Document 3: Internal EAA Assessment Record

A one-page record documenting:

• Scope determination: why your service is/is not in scope
• Exemption status: microenterprise (Art.22) or disproportionate burden (Art.14), if applicable
• Standard applied: EN 301 549 version, WCAG 2.1 Level AA
• Date of last review

The EAA Developer Toolkit: Complete Series Index

This series has built a complete implementation guide across six posts:

Post 1 — Scope & Obligations EAA Developer Guide: What the EAA Means for SaaS & Web Apps Art.2 scope analysis, Art.4 requirements, who is in scope, first compliance steps.

Post 2 — WCAG 2.1 AA Technical Implementation EAA WCAG 2.1 AA Technical Implementation for EU Web Services Keyboard navigation, focus management, contrast ratios, semantic HTML, ARIA — the full implementation reference.

Post 3 — Complete SaaS Developer Guide (WCAG + EN 301 549) EAA 2026 Complete SaaS Developer Guide: WCAG & EN 301 549 How EN 301 549 extends WCAG, Chapter 9 vs Chapter 11, documentation requirements.

Post 4 — Mobile Accessibility (iOS, Android, PWA) EAA Mobile App Accessibility: iOS, Android & PWA Developer Checklist EN 301 549 Chapter 11 for native apps, VoiceOver/TalkBack testing, PWA accessibility patterns.

Post 5 — Testing & Audit Stack EAA Testing & Audit Guide 2026: Automated + Manual Accessibility Testing Stack axe-core, Lighthouse, Pa11y, NVDA, JAWS, VoiceOver CI/CD integration, audit documentation format.

Post 6 — This post: Finale Enforcement landscape, Art.22 microenterprise exemption, Art.14 disproportionate burden, national authorities, compliance documentation package.

Final EAA Compliance Checklist: June 2026

Work through this checklist to assess where your service stands.

Phase 1: Scope & Exemption (5 minutes)

• Confirm your service falls under Art.2 scope (consumer-facing service in the EU)
• Check microenterprise status: <10 employees AND <EUR 2M revenue/balance → exempt under Art.22
• If not exempt, determine launch date: services launched after June 28, 2025 must comply now; pre-existing service contracts have until June 28, 2030

Phase 2: Technical Foundation (1–4 weeks)

• Run automated audit: axe-cli https://your-service.com --tags wcag2a,wcag2aa across all key user flows
• Document results — target 0 critical violations on checkout/signup/core workflows
• Run Lighthouse accessibility audit on critical pages, target score >90
• Keyboard-only navigation test: tab through entire signup and core workflow without mouse
• Test with NVDA (Windows) or VoiceOver (macOS/iOS) on primary user flows
• Check color contrast: WCAG 1.4.3 requires 4.5:1 for normal text, 3:1 for large text
• Verify all images have meaningful alt text; decorative images have alt=""
• Verify all form inputs have associated labels (not just placeholders)

Phase 3: Mobile (if applicable, 1–2 weeks)

• iOS VoiceOver: test primary flows on iPhone
• Android TalkBack: test primary flows on Android
• Dynamic type / font scaling: text readable at 200% zoom
• Touch targets: minimum 44×44pt (iOS) / 48×48dp (Android)
• No functionality is gesture-only without keyboard/switch alternative

Phase 4: Documentation (2–3 hours)

• Publish Accessibility Statement at /accessibility
• List all known non-conformances with remediation timeline
• Add feedback mechanism (email or form) for accessibility barrier reports
• Document your conformance evidence (test results, audit log)
• If claiming exemption: document microenterprise status OR complete Art.14 disproportionate burden assessment

Phase 5: Ongoing Maintenance

• Integrate axe-core into CI/CD pipeline (block on critical violations)
• Schedule quarterly manual accessibility review
• Update Accessibility Statement when conformance status changes
• Review microenterprise/disproportionate burden status annually

What Happens If an NCA Contacts You

If a national market surveillance authority sends a compliance inquiry:

1. Do not ignore it. Under Art.24, non-response escalates to formal enforcement measures, including market withdrawal orders.

2. Respond within the specified window. National implementations typically specify 15–20 business days for initial response.

3. Provide your compliance documentation package. Accessibility Statement, conformance evidence, testing results, any exemption assessment.

4. If non-compliant, present a remediation plan. Most authorities will accept a concrete, time-bound remediation schedule rather than immediate enforcement action for first-time inquiries.

5. If you believe the inquiry is unfounded, request clarification of the specific alleged non-conformance before the response deadline expires.

Art.24 enforcement measures can include:

• Corrective action orders (require specific fixes within a deadline)
• Prohibitions on making the service available (severe non-conformance)
• Financial penalties (quantum set by national law — varies by member state)

The 2030 Window: What It Means for Existing Services

If your service was operational before June 28, 2025, you have until June 28, 2030 under the transitional provisions. This gives five years — but treat it as an implementation window, not a free pass.

Why start now:

• NCAs can still conduct market surveillance and issue voluntary compliance guidance
• User expectations are shifting — accessibility barriers generate complaints to NCAs
• Retrofitting accessibility into an established codebase is more expensive the longer you wait
• If you launch new features, they must meet EAA requirements immediately (transitional provisions cover existing services, not new functionality)

Practical approach for existing services:

• Year 1 (now): Audit, fix critical barriers, publish Accessibility Statement
• Year 2–3: Systematic WCAG 2.1 AA conformance across all user flows
• Year 4–5: EN 301 549 full conformance, including mobile and complex components
• June 2030: Full conformance required

Connecting EAA to sota.io

If you deploy your accessibility-compliant SaaS on EU infrastructure, every piece of the stack matters for EU regulatory alignment. sota.io runs on Hetzner Germany — no US parent, no CLOUD Act exposure, GDPR-compliant by design.

Your Accessibility Statement mentions your infrastructure. Listing EU-hosted infrastructure strengthens your compliance narrative for EU market surveillance authorities — they are increasingly asking where user data is processed, not just how the UI renders.

Deploy your EU-compliant SaaS on sota.io →

Summary: EAA Developer Series Complete

This six-post series has covered every layer of EAA compliance for SaaS developers:

1. Scope and obligations — who must comply and what Art.4 requires
2. WCAG 2.1 AA implementation — the technical requirements for web services
3. EN 301 549 deep dive — how the harmonized standard maps to your codebase
4. Mobile accessibility — iOS, Android, and PWA under Chapter 11
5. Testing infrastructure — CI/CD integration, automated and manual testing stack
6. Enforcement, exemptions, and toolkit — this post

The EAA deadline has passed. The enforcement machinery is operational. Whether your service is compliant today, working toward the 2030 transition deadline, or legitimately exempt under Art.22, you now have a complete implementation reference.

Start with the checklist above, publish your Accessibility Statement, and build accessibility testing into your deployment pipeline. Those three steps cover the vast majority of enforcement risk.