The European Accessibility Act came into force on 28 June 2025. One year on, here is what EAA enforcement actually looks like: real legal activity in at least seven member states, the first court ruling in an EAA-transposition case, formal regulator investigations underway, and not a single fine issued under any EAA transposition anywhere in the European Union.
That last fact is being read two ways. Some companies hear "no fines" and relax. That is the wrong read. The year produced precedent and pressure rather than penalties. The first court ruling, handed down in France in May 2026, turned on a scope question that is now on appeal. Sweden's telecoms regulator has opened 28 investigations on its own initiative. The Netherlands ran a mandatory self-reporting cycle and is auditing the companies that stayed silent. Enforcement is not a future event waiting to begin. It is a process already running.
This post gives the full picture of European Accessibility Act enforcement in its first year: the France case in detail, the country-by-country record, what the absence of fines actually means, and what a company should have in place at the one-year mark.
France: The First EAA Court Ruling
France produced the year's most closely-watched enforcement story. In November 2025, disability associations ApiDV and Droit Pluriel, backed by the legal collective Intérêt à Agir, filed emergency injunctions against Auchan, Carrefour, E. Leclerc, and Picard for inaccessible online shopping services. Formal notices had gone out in July 2025; the companies let the September compliance deadline pass.
On 5 May 2026, the Tribunal judiciaire de Lille became the first court in any EU member state to issue a judgment in an EAA-transposition case against a private company. The outcome surprised enforcement advocates. The court dismissed the case against Auchan E-Commerce on threshold grounds: France's 2005 disability law sets a €250 million revenue ceiling for this obligation, and Auchan's e-commerce subsidiary earned €144 million in 2024. The judge found no obligation attached, even while noting the site was only 41% compliant with France's accessibility standard. ApiDV and Droit Pluriel announced an appeal to the Cour d'appel de Douai on 7 May, arguing the reading contradicts the EU directive's(opens in new tab) €2 million threshold. The appeal is pending. The three remaining cases are still before the courts; the E. Leclerc hearing was pushed to September 2026, and Carrefour and Picard have no confirmed dates.
Two things make this ruling matter beyond France. First, it was decided on scope, meaning which companies are covered, not on whether the site was accessible. The judge noted the Auchan site failed 13 of the 19 sections of France's accessibility standard. Inaccessibility was not in dispute. Coverage was. Second, the threshold question, France's €250 million ceiling set against the directive's far lower floor, is exactly the kind of issue an appellate court settles and other member states watch.
For a founder reading this, the practical takeaway is blunt. The question being litigated is whether a company is in scope, and the safe assumption is that you are.
There is a second lesson in the timing. The associations had to escalate to court because the formal notices and the September deadline produced no fix. That is the shape enforcement is likely to take across the bloc: a notice, a window to remediate, and litigation or investigation only when that window closes unanswered. A company that can show a credible remediation plan when the first notice lands is in a very different position from one that has nothing to show at all.
For the full account of the Lille ruling and the arguments on each side, see our breakdown of the first EAA court ruling against Auchan. The picture below is the cumulative one across the whole bloc.
EAA Enforcement in 2026: Country by Country
Year one produced activity in at least seven EU member states, plus one monetary penalty in the wider European Economic Area. Here is the record, drawn from regulator statements and court filings.
A pattern runs through the list. Regulators have reached for audits, self-reporting cycles and investigations rather than fines. Where there has been litigation, it came from disability associations and private firms, not from the state. And almost everywhere the first focus has been websites and online shops, with mobile apps treated as a later phase. Year one was about building cases and setting expectations, not about issuing penalties.
France. Covered above, France remains the only country to produce a court ruling. The associations filed for emergency injunctions against four retailers in November 2025; none were granted. The Auchan case was dismissed on the €250 million threshold on 5 May 2026 and is now on appeal at Douai. The other three cases are pending. No fines, no injunction granted.
Germany. The warning letters that appeared from August 2025 came from private law firms, not the regulator. These Abmahnungen, notices issued under unfair-competition law, cite the BFSG, Germany's EAA transposition. Legal commentators rate the wave weak, and no successful warning has been confirmed. The federal market surveillance body, the MLBF in Magdeburg, has been operational since 26 September 2025 but has taken no public action. Its remit under the BFSG covers e-commerce services delivered through both websites and mobile apps, though activity so far has centred on web shops.
Netherlands. The regulator ACM(opens in new tab) set a mandatory self-reporting deadline of 15 October 2025 and is auditing the companies that stayed silent through spring 2026. No decisions or fines have been published. The maximum penalty available is €900,000 or 10% of turnover.
Sweden. Sweden has been the most active. The telecoms regulator PTS(opens in new tab) opened 28 investigations into e-commerce websites on its own initiative in October 2025, with further reviews set to follow in stages. None followed a complaint. No decisions, orders or fines have been published, and this investigation batch covers websites, not apps. The maximum penalty is SEK 10 million.
Ireland. The regulator ComReg is processing complaints, including one against the operator Three reported in December 2025. Processing is the operative word: there is no order and no fine. The Irish transposition carries criminal liability of up to €60,000 or 18 months, but that route has not been used.
Norway (EEA, not EU). Norway sits outside the EU as an EEA member, and its one monetary penalty came under older law. The accessibility authority Uutilsynet(opens in new tab) imposed a daily fine of NOK 50,000 on the HelsaMi health-services portal after a compliance deadline passed on 19 December 2025. The portal remediated within days and the case closed. This penalty was issued under Norway's pre-EAA domestic ICT-accessibility law, not under the EAA. It is not the first EAA fine, and it should not be counted as one.
Italy. Italy's digital agency, AgID(opens in new tab), published private-sector compliance guidelines on 4 March 2026. These are guidelines, not actions. The sanctions framework runs from €5,000 to €40,000, rising to as much as 5% of turnover for the largest operators, but no actions have been confirmed.
Spain. Spain's accessibility office, OADIS, has held a guidance posture since 28 June 2025, with no confirmed actions. The maximum penalty there reaches €1 million.
Add it up and the headline holds. As of mid-2026, no company has been fined under any EAA-transposed law anywhere in the European Union. The Norwegian daily fine is the only monetary penalty in the wider EEA, and it rests on older domestic law. For how the penalties are structured country by country, see our guide to European Accessibility Act fines.
What the record signals for year two is straightforward. The investigations Sweden and the Netherlands opened do not close themselves, the French appeal will produce a reasoned judgment on scope that the rest of the bloc reads, and the deadlines that have already passed do not reset. The activity built in year one is the input. The decisions and, eventually, the penalties are the output that follows.
Why "No Fines Yet" Is the Wrong Way to Measure Enforcement
The temptation, reading the record above, is to treat the absence of fines as the absence of risk. It is not. Four points explain why.
Year one of any directive is the slow part. Investigations, complaints and court filings come first; penalties follow months or years later. GDPR is the obvious precedent: its first major fines arrived well after the 2018 start date, once the regulators had worked through their early cases. Regulators spend the opening phase of a new regime building processes, training staff and choosing the cases that will set the tone. A fine is the visible end of a long pipeline, and that pipeline is now full. The lag is normal, not reassuring.
The activity is proactive, not just reactive. Sweden's PTS did not wait for a complaint. It opened 28 investigations on its own initiative. The Netherlands made self-reporting mandatory and is now auditing the non-reporters. A company can be inside an enforcement process without having done anything to trigger it, and without ever hearing from a customer. That changes the maths for any business that assumed enforcement would only follow someone complaining.
The litigated question is scope, and the safe answer is that you are in. The France ruling turned on a revenue threshold that most mid-market companies clear with room to spare. Other member states will read the Douai judgment when it lands, whichever way it goes, and adjust their own reading of who is covered. Betting on a scope carve-out is betting against that appeal and against the directive's own €2 million floor.
The cost of waiting is measured in evidence, not only in risk. When a regulator or an association asks, the question is, show us what you tested and when. A company that starts at the first letter starts from zero. A company that has kept a record answers in a day, the way HelsaMi closed its Norwegian case within days. This is not about most companies being non-compliant, so there is cover in the crowd. It is the opposite. The companies with a record at year one are the ones that answer an inquiry calmly, while everyone else scrambles.
Put the four together and the year reads differently. Enforcement did not stall in 2025. It started quietly, in the form regulators prefer at the outset: investigations, deadlines and the first test cases. The fine is a lagging indicator. By the time it appears, the evidence a company would have wanted is either already there or it is not.
No EAA fine has been issued anywhere in the EU. That is a statement about timing, not about safety. The investigations, complaints, and the first court ruling all happened in year one. Penalties follow process, and the process is already running.
What EAA Compliance Looks Like One Year In
EAA compliance in 2026 is less about a one-time certificate and more about a record you can produce on request. The companies positioned well at the one-year mark share four things.
- A current audit against EN 301 549. This is the EU's harmonised accessibility standard, and it incorporates WCAG 2.1 AA. The audit has to cover the real app and web product, not a marketing-site stub. A scan of the homepage is not an audit. The standard expects coverage of the journeys that matter, sign-up, checkout, account and the core tasks, on the product people actually use.
- A published accessibility statement at a discoverable URL, scoped to the real product, with a feedback mechanism. Our guide to the EAA accessibility statement covers what it has to contain.
- A remediation record showing what failed, what was fixed, and when. The France judge's "41% compliant" finding is exactly the kind of measurement that either protects or exposes a company, depending on whether it can show its own equivalent.
- An audit trail kept over time, not once. Accessibility degrades with every release. A 2025 audit does not cover a 2026 app, because an audit that is a year old describes a product that has shipped dozens of times since.
The throughline is simple. The EAA asks you to demonstrate compliance, not merely to achieve it. Achievement is invisible without evidence: a near-perfect product with no record behind it still has to be rebuilt from scratch the day someone asks for proof. The artefact a regulator or an association asks for is exactly that record: what you tested, what you found, and what you did about it. For what a regulator-grade audit grades against, see what an EAA audit checks, and for the wider method, our guide to accessibility testing.
Turn Compliance Into a Record You Can Show
AUDITSU gives product and compliance teams the structure to build and keep that evidence trail. The guided audit toolkit walks your team through EN 301 549 screen by screen, logs every result, tracks remediation over time, and generates a jurisdiction-specific accessibility statement from the evidence you gather. When an inquiry comes, you answer with a record, not a scramble. No accessibility expertise required, and no code access needed.
If the first year of enforcement taught compliance leaders anything, it is that the process is already running, and the companies with a trail are the ones who meet it calmly. Start building yours below.