A VPAT (Voluntary Product Accessibility Template) is a free, standardised template published by the Information Technology Industry Council (ITI) that vendors complete to disclose how their digital product conforms to recognised accessibility standards. The completed document is called an Accessibility Conformance Report (ACR).
That is the answer most guides stop at, because most guides are written for the US market, where VPATs live. If you sell to US federal agencies, you will be asked for one, and this post explains exactly what that involves.
But if the reason you are reading this is the European Accessibility Act (EAA), the answer to "do we need a VPAT?" is more interesting: no law in the EU requires one. Not the EAA, not the standards it relies on, not any national enforcement authority. The document the EAA does require is different in ways that matter, and a VPAT is neither necessary for it nor sufficient.
This post covers what a VPAT actually is, who genuinely requires one, what the EAA asks for instead, and how much of your existing VPAT work carries over.
What Is a VPAT? (And What Is an ACR?)
The VPAT has been around since 2001, when ITI developed it in partnership with the US General Services Administration. Its original job was to serve Section 508 of the US Rehabilitation Act, the law requiring US federal agencies to buy accessible information technology. Agencies needed a consistent way to compare vendors' accessibility claims, and the VPAT became that format.
The terminology trips people up, so here is the clean version. The VPAT is the blank template. When a vendor fills it in for a specific product, the completed document is an Accessibility Conformance Report, or ACR. ITI's own framing(opens in new tab) is direct: "A version of the VPAT which has been completed for a specific product is an ACR." In practice almost everyone says "our VPAT" when they mean their ACR. Procurement teams know the difference, and so should you.
The current version is VPAT 2.5Rev, released in April 2025. ITI publishes it in four editions, each mapped to a different standard:
- VPAT 508 covers the US Revised Section 508 standards, which incorporate WCAG 2.0 (the Web Content Accessibility Guidelines, the global standard most accessibility rules build on).
- VPAT EU covers EN 301 549 v3.2.1, the EU's harmonised accessibility standard, which incorporates WCAG 2.1. ITI's own label for this edition describes it as covering accessibility requirements suitable for public procurement of ICT products and services in Europe.
- VPAT WCAG covers WCAG 2.2 and is the most flexible edition, common among SaaS vendors disclosing to private-sector buyers.
- VPAT INT combines all three for vendors selling into multiple markets.
One thing worth knowing if you have been searching for a VPAT template: the template itself is free. ITI publishes all four editions for download on its website, and there is nothing to buy. What costs money, and what the document's credibility rests on, is the testing behind the answers. A VPAT report filled in from guesswork is worse than no report at all, because procurement reviewers read them critically and a wrong claim surfaces during their own evaluation.
Hold on to that "public procurement" qualifier on the EU edition. It is doing more work than it appears to, and we will come back to it.
Who Actually Asks for a VPAT?
Every situation where a VPAT is genuinely expected shares two features: it is American, and it is procurement-driven.
US federal procurement. Section 508 requires federal agencies to ensure the technology they buy is accessible, and the ACR is the evidence document vendors supply. Even here there is nuance worth knowing: Section508.gov's own FAQ(opens in new tab) notes that the VPAT format itself is not mandated. What agencies require is an ACR; the VPAT is simply the dominant format for producing one.
US state procurement. Many states run "mini-508" laws modelled on the federal rule. Virginia's Information Technology Access Act, for example, applies accessibility requirements to state agencies, public universities, and school divisions, and ACRs are a standard part of vendor evaluation.
US public higher education. Under the ADA Title II final rule, which took effect in April 2026, public colleges and universities must ensure the digital tools they license conform to WCAG 2.1 AA. VPAT and ACR documentation is now a routine part of how those institutions screen vendors.
Large enterprise buyers. Plenty of private companies ask for a VPAT during vendor due diligence. That is contractual practice, not law.
Notice the pattern. In every mandatory case, the demand comes from a buyer before a contract is signed. Nobody fines you for not having a VPAT. You just lose the deal.
This is also why "VPAT compliance" is a slightly misleading phrase, common as it is. A VPAT does not make a product compliant with anything. It discloses a conformance position so a buyer can judge it. The compliance obligation, where one exists, sits in the underlying law: Section 508 for US federal buyers, the ADA for US institutions, and the EAA in Europe. The document is evidence, not the obligation itself.
Does the EAA Require a VPAT? No. Here Is What It Requires Instead
Directive (EU) 2019/882, the EAA, never mentions the VPAT. It never mentions the ACR. Neither does EN 301 549. Neither does the published guidance of any national enforcement authority we have reviewed: German, Italian, Dutch, Swedish, or French. The EU regulatory framework simply does not use this vocabulary.
That absence is not an oversight. The EAA was built on a different model, and what it requires depends on whether you provide a service or manufacture a product.
Services get Annex V. If you run an app, an e-commerce site, a banking interface, or any other in-scope digital service, Article 13(2) of the directive(opens in new tab) requires you to prepare information in accordance with Annex V and keep it for as long as the service operates. Annex V asks for three things: a general description of the service in accessible formats, the descriptions and explanations necessary to understand how the service operates, and a description of how the service meets the accessibility requirements set out in Annex I. This information must be available to the public, in accessible formats, and maintained continuously. The public-facing layer of this duty is what most teams know as the accessibility statement, which we cover in our Article 13 breakdown.
Products get Annex IV. If you manufacture in-scope hardware, such as payment terminals or e-readers, you need technical documentation under Annex IV, an EU declaration of conformity, and CE marking. Most readers of this post are service providers, so Annex V is the obligation that matters, but the split is worth keeping straight: a SaaS product is a service under the EAA, however much the word "product" appears in your marketing.
The structural difference from the US model is the point. Section 508 documentation exists to win a buyer's confidence at purchase time. EAA Annex V documentation exists to demonstrate conformity to regulators and the public, continuously, for the life of the service. One is a sales artefact. The other is a standing legal record.
Can an EN 301 549 ACR Count Toward EAA Documentation?
This is the question that matters most if you already sell into both markets and have a completed ACR on file. The honest answer is: partly. Here is the mapping.
Annex V says service providers "may apply" harmonised standards to meet the documentation duty. EN 301 549 is the standard everyone uses for this in practice, so conformance evidence gathered against EN 301 549 is exactly the right raw material. A completed VPAT EU edition ACR documents your product's conformance against EN 301 549 v3.2.1, clause by clause. That maps closely to the third Annex V requirement, the description of how the relevant accessibility requirements are met.
So the testing behind a well-executed ACR is genuinely reusable. But the ACR itself is not a substitute for Annex V information, for three reasons.
First, Annex V also requires a general description of the service in accessible formats, and explanations of how the service operates. An ACR contains neither. It is a conformance table, not a service description.
Second, an ACR is a point-in-time procurement document. Annex V information must be maintained for as long as the service is offered. A PDF dated 2024 does not meet a continuous duty.
Third, and this deserves plain statement: the bridge between ACRs and Annex V is practitioner consensus, not law. Accessibility professionals broadly agree that ACR evidence can feed EAA documentation but cannot replace it. No EU authority has endorsed the VPAT framework, or even mentioned it, and no case law has tested the question. Any vendor telling you a completed EU edition VPAT "makes you EAA compliant" is selling past the directive.
A completed EN 301 549 ACR gives you the conformance evidence layer of EAA documentation. It does not give you the accessible service description, the operation explanations, or the ongoing maintenance the EAA expects. Treat it as an input, not the deliverable.
Remember the EU edition's own label: public procurement. ITI scoped that edition for tenders to European public bodies, which is a real but narrow use case. It was never positioned, even by its publisher, as an EAA compliance document.
One More Thing: EN 301 549 Is About to Change
There is a timing wrinkle that affects anyone relying on existing documentation.
The VPAT EU edition currently maps to EN 301 549 v3.2.1(opens in new tab), published in March 2021, which incorporates WCAG 2.1 AA. That version is cited in the EU's Official Journal under the Web Accessibility Directive, the law covering public-sector websites. It has not been formally cited under the EAA. In practice it is the standard everyone audits against for EAA purposes, but the formal legal presumption of conformity with the EAA does not yet attach to it.
That formal link is coming. ETSI registered EN 301 549 v4.1.1(opens in new tab) for formal approval on 3 June 2026. The new version incorporates WCAG 2.2 and adds an annex mapping the standard directly to the EAA. Industry sources expect citation in the Official Journal later in 2026, though the Commission has not confirmed a date. Once that citation lands, conforming to v4.1.1 will give a formal presumption of conformity with the Act.
The practical consequence: an ACR or audit pegged to v3.2.1 will need refreshing against v4.1.1, including the new WCAG 2.2 success criteria. Documentation built as a living record absorbs a standard change as part of normal maintenance. A one-off PDF commissioned in 2024 does not; it quietly goes stale. For a closer look at what the standard actually tests, see our EN 301 549 guide for mobile apps.
What EU-Market Teams Should Do Instead of Buying a VPAT
Three moves, depending on who is asking.
If a US or enterprise buyer asks for a VPAT, produce an ACR using the WCAG or INT edition, and back it with real testing. An ACR that claims "supports" on every row reads as untested, and experienced procurement teams treat it accordingly. Honest partial conformance with a remediation plan wins more deals than optimistic self-assessment.
If your obligation is the EAA, build the Annex V documentation: an accessible service description, operation explanations, and a standing description of how you meet the Annex I requirements, generated from actual audit evidence against EN 301 549. Few companies have this in place properly yet, which makes doing it well an early-mover advantage rather than a remedial chore.
If you are both, do not run two separate exercises. Run the EN 301 549 audit once, properly, and feed both documents from the same evidence base. The audit is the asset. The ACR and the Annex V information are outputs of it.
Where AUDITSU Fits
AUDITSU's audit toolkit walks product and compliance teams through an EN 301 549 audit screen by screen and keeps the results as a living evidence record. From that record it generates a jurisdiction-aware accessibility statement, the public-facing layer of your EAA documentation, via the statement generator. The same evidence base gives you defensible answers when a procurement team sends over a blank VPAT. Beta access is £197 per month, first month free, and no accessibility expertise is required to run it.