On 28 June 2025 the substantive obligation of the European Accessibility Act kicked in, directive 2019/882 transposed by every member state between 2022 and 2024. Six months in, we have real data: the first sanction files opened in Spain, Germany, and the Netherlands; the first forced mass-remediation deployments; and enough operational lessons to tell which companies were prepared and which panicked after discovering the scope at the last moment. Time to make an honest first-year balance and separate the regulatory narrative from the real technical work it demands.
What the EAA actually covers
Worth starting with precision. The EAA doesn’t turn the entire web into regulated space. It applies to specific products and services sold to end consumers inside the Union: e-commerce, consumer banking, passenger transport, e-books, electronic communications including emergency call centers, on-demand audiovisual services, and terminal hardware like ATMs and telecom devices. Companies selling exclusively to other businesses, non-commercial institutional sites, or internal applications fall outside the EAA, though they may be subject to the Web Accessibility Directive for the public sector or national rules.
The main technical threshold is EN 301 549, which incorporates WCAG 2.1 level AA as baseline and adds specific hardware and desktop software requirements. Nothing revolutionary in content, but the difference is that for the first time it applies with force of law and with national authorities holding sanction power. In Spain the Secretaría de Estado de Digitalización y Inteligencia Artificial took the role, with the Observatorio de Accesibilidad Web coordinating audits, and a sanctions regime reaching up to one million euros per very serious infringement.
Service-providing microenterprises, defined as fewer than ten employees and turnover under two million, are also excluded. This exception has generated intense debate through the second half of 2025 because many larger companies subcontracted design or maintenance of their digital products, and responsibility chains weren’t always clear. The interpretive trend from the first sanction files is that the obligation lies with whoever markets the product to the end consumer, regardless of who physically built it.
First sanction files
In Spain between July and December 2025, around forty formal files were opened per Secretaría de Estado published data. Most concentrated on mid-size e-commerce, online banking, and transport platforms. The patterns are revealing: over seventy percent of the detected infringements group into five basic categories that any technical team should audit first before worrying about more sophisticated cases.
The first group is forms and checkout flows with inaccessible validation: errors appearing without semantic field association, error summaries not announced to screen readers, buttons without accessible labels. The second is multimedia content without alternatives: marketing videos with badly synced auto-captions or no captions at all, informational audio without transcript. The third is broken keyboard navigation: dropdown menus that don’t respond to tab, custom components like date pickers or size selectors that trap focus or jump randomly.
The fourth pattern is inadequate contrast and text size, still the error most easily detected automatically and one of the most heavily penalized precisely for that reason: the administration argues that if automatic tools detect it, not fixing it is unforgivable. The fifth is complete absence of a published accessibility statement, required in a visible place with information on compliance level, contact channels, and improvement plan. Omitting it has been classified as a formal infringement independent of the product’s actual accessibility level.
Common operational mistakes during 2025
Watching companies of every size through the second semester, worrying patterns emerge that deserve naming. The first is the exclusive-automation reflex: install axe-core or similar in CI and declare victory when no errors appear. Automatic tools detect between thirty and forty percent of real problems, and practically nothing related to semantic coherence, content structure, or screen-reader usability. Auditing only with them answers ten percent of the exam.
The second mistake is delegating to an overlay tool. Companies like accessiBe, UserWay, or EqualWeb sold for years the promise that a script added to the page turned any site accessible. The EAA has made that lie clear: an overlay can ease visual adjustments for the user, but does not fix inaccessible code, and several disability advocacy groups have sued companies using them as supposed compliance. The initial interpretive position is that an overlay is a complement, never a substitute.
The third mistake is cramming the audit into the last weeks before 28 June. Several teams ran remediation sprints in May and June 2025 that fixed surface problems but left structural ones intact: design systems with inaccessible custom components by construction, information architectures penalizing screen readers, complex interaction flows with misused ARIA. The debt drags into 2026 and appears in every subsequent audit.
The fourth mistake, possibly the most damaging long-term, is treating accessibility as a one-off project rather than a continuous process. Digital products change constantly; every release can introduce regressions. Teams that passed a May audit and didn’t integrate continuous checks found themselves facing autumn files after new features broke the already-fixed parts. The EAA requires compliance maintenance, not a single certification.
What works in 2026
Against those mistakes, companies that entered 2026 well-postured share recognizable patterns. The first is integrating accessibility into the design system at the component level: if the buttons, forms, and navigation of the design system are accessible by default, the product team inherits compliance for free by consuming the system. This saves hundreds of point reviews and reduces the error surface.
The second pattern is regular human auditing, not only automated. Hiring auditors with disabilities to review critical flows quarterly catches problems no script finds. Companies that did this in 2025 have fewer open files and more effective remediations. The cost is reasonable compared with sanctions and with reactive remediation work.
The third pattern is living compliance documentation. Keeping the accessibility statement as a living document with real review dates, a conformance matrix per product area, and a remediation plan with dated commitments sends a clear signal to regulators and users: there is process, not just apparent point compliance. Several files closed without sanction precisely because the company could demonstrate ongoing process even with specific problems.
When it pays off
For technical teams entering 2026 still catching up, the practical question is where to concentrate effort. My recommendation is to start with the five categories where sanctions concentrate: forms and validation, multimedia, keyboard, contrast, published statement. That probably covers sixty percent of the sanction risk with a much smaller fraction of the total effort full WCAG 2.1 AA compliance would require.
After that, prioritize the critical product flows: user signup, purchase, account management, support contact. If these are accessible, both real risk and reputational risk are covered. The rest of the product can be remediated on a realistic calendar through 2026 without maximum risk exposure. Full accessibility isn’t achieved in a quarter, but meeting the critical part is.
The error to avoid is perfectionism paralysis. Many teams, upon discovering the real EAA scope, freeze trying to cover everything at once and deliver nothing. The administration has been relatively reasonable in its first year applying the principle that a company with documented plan and demonstrable progress gets different treatment than a company with no plan or remediation. Entering 2026 with a phased plan and executing monthly is infinitely better than chasing unachievable perfection.
My reading
After six months watching how the EAA applies in practice, my reading is that the regulation has worked as expected: it moved companies from treating accessibility as a goodwill topic to treating it as an accounting obligation. It didn’t become, as some feared, an arbitrary sanction war, nor, as others hoped, a full transformation of the European digital ecosystem. It raised the floor without pushing the ceiling much.
For technical teams, the practical message is that 2026 is the year accessibility stops being an optional extra and becomes basic discipline, like security or performance. Integrating it into normal development processes is cheaper and more effective than treating it as a recurring special project. Companies that have understood this are already saving effort and risk; those still treating it as an external annoyance will pay that overhead for years, both in sanctions and in accumulated remediation work that ends up much more expensive than doing it right from the start.
