EAA fines by country range from €40,000 in Italy to €1,000,000 in Spain and up to €1,260,000 in Hungary, with enforcement active since June 28, 2025. Every EU member state has transposed the European Accessibility Act (Directive 2019/882) into national law with its own fine ranges, enforcement agencies, and additional sanctions including operational bans and criminal penalties. Eight months into enforcement, France has already filed its first EAA lawsuits against major retailers, Norway is issuing daily penalties of NOK 50,000 for non-compliant health portals, and Sweden's PTS is running systematic inspections of e-commerce platforms. This guide provides the definitive country-by-country breakdown of fines, enforcement agencies, real cases, and what you need to do to stay on the right side of each national regulator.
EAA Fines at a Glance: Quick Answer
EAA fines by country range from €40,000 (Italy) to €1,000,000 (Spain) and up to €1,260,000 (Hungary), with enforcement active since June 28, 2025. Each EU member state sets its own penalties — the Directive requires "effective, proportionate and dissuasive" sanctions.
| Country | Maximum Fine | Enforcement Agency | Enforcement Start | Additional Sanctions |
|---|---|---|---|---|
| Hungary | €1,260,000 (or 5% turnover) | National Market Surveillance Authority | June 28, 2025 | Turnover-based escalation |
| Spain | €1,000,000 | AEPD / sectoral regulators | June 28, 2025 | Operational ban up to 2 years |
| Netherlands | €900,000 (or 10% turnover) | ACM (Authority for Consumers and Markets) | June 28, 2025 | Mandatory public reporting |
| Sweden | €900,000 (SEK 10M) | PTS / Konsumentverket | June 28, 2025 | Active market surveillance programme |
| France | €250,000 | DINUM / Arcom / DGCCRF | June 28, 2025 | €25,000/yr for missing accessibility statement; lawsuits filed Nov 2025 |
| Austria | €200,000 | Federal Ministry of Social Affairs | June 28, 2025 | €80,000–€200,000 per violation |
| Belgium | €200,000 | FSMA / regional authorities | June 28, 2025 | €1,000–€200,000 per breach |
| Germany | €100,000 | MLBF AoeR (BFSG) | June 28, 2025 | Competitor Abmahnung cease-and-desist claims |
| Ireland | €60,000 | CCPC / ComReg | June 28, 2025 | Up to 18 months imprisonment (criminal sanction) |
| Italy | €40,000 (or 5% turnover) | AgID | June 28, 2025 | 90-day cure period before escalation |
Grace periods apply for some product categories (e.g. self-service terminals already in service before June 28, 2025 have until 2030). Covered services include e-commerce sites, banking apps, transport ticketing, e-books, telephony, and ATMs.
Key Data at a Glance
EAA Fines & Penalties by Country: Full Breakdown
Sources: National transposition laws, EU Directive 2019/882
What the European Accessibility Act Actually Requires
The European Accessibility Act (Directive 2019/882) is an EU directive that mandates accessibility for digital products and services sold to or used by EU consumers. It became enforceable on June 28, 2025, after a three-year transition period that many businesses treated as optional. That was a mistake. The technical standard underpinning the EAA is EN 301 549, which maps directly to WCAG 2.1 Level AA. If your website, mobile app, e-commerce platform, banking interface, or transport ticketing system does not meet WCAG 2.1 AA, you are non-compliant with the EAA. The directive covers a broad range of products and services: computers and operating systems, smartphones, self-service terminals like ATMs and ticket machines, e-readers, e-commerce websites and apps, banking and financial services, electronic communications, audiovisual media services, e-books, and transport information and ticketing. If you sell any of these into the EU market, the EAA applies to you regardless of where your company is headquartered. There is one meaningful exemption: microenterprises with fewer than 10 employees AND annual turnover below 2 million euros are exempt from the service requirements. Note the AND. A company with 8 employees but 5 million euros in revenue does not qualify. The exemption also does not cover product requirements, only services. The directive requires each EU member state to establish penalties that are "effective, proportionate and dissuasive." That specific legal language matters. It means regulators cannot simply send polite letters indefinitely. They must impose consequences that actually change behavior. And as the first eight months of enforcement show, many countries are taking that mandate seriously.Country-by-Country Penalty Breakdown
Each EU member state transposed the EAA into national law with its own fine ranges, enforcement agencies, and procedural rules. The result is a patchwork that businesses operating across multiple EU markets must navigate carefully. Below is the detailed breakdown for every country with significant penalty structures.
Germany: Fines Up to 100,000 EUR Plus Competitor Lawsuits
Maximum fine: 10,000 to 100,000 EUR per violation. Enforcement agency: MLBF AoeR (Marktuberwachungsbehorde fur Barrierefreiheitsanforderungen), operating under the BFSG (Barrierefreiheitsstarkungsgesetz). The MLBF AoeR began operations in January 2025 and has been actively accepting complaints since the June enforcement date.
What makes Germany distinctive is the Abmahnung risk. Under German unfair competition law (UWG), a competitor that complies with accessibility requirements can file a cease-and-desist claim against a non-compliant competitor, arguing that the accessibility failure constitutes an unfair competitive advantage. Legal costs for defending an Abmahnung typically run 1,500 to 5,000 EUR per claim, and multiple Abmahnungen can be filed simultaneously.
The practical risk in Germany is therefore not just regulatory fines but competitor litigation. German legal practice has well-established procedures for this, and accessibility Abmahnungen are already being filed against companies that failed to update their accessibility statements by the June 2025 deadline.
Germany also requires an accessibility statement (Barrierefreiheitserklärung) for all covered services. Missing or inadequate statements are independently sanctionable and are the most common trigger for both regulatory complaints and Abmahnungen.
France: Up to 250,000 EUR and First EAA Lawsuits Filed
Maximum fine: up to 250,000 EUR for repeated violations. Annual penalty: 25,000 EUR per year for missing accessibility statement. Enforcement agencies: DINUM (Direction Interministerielle du Numerique) for public sector, Arcom and DGCCRF for private sector.
France is the most aggressive enforcer in the first wave. In November 2025, four major French retailers—Auchan, Carrefour, E.Leclerc, and Picard—received formal EAA enforcement notices after DGCCRF inspections found systematic accessibility failures in their e-commerce platforms. These are the first publicly confirmed EAA enforcement actions in the EU.
The French framework imposes a tiered penalty structure. A first offense carries up to 50,000 EUR. Repeat violations escalate to 250,000 EUR. Additionally, companies that fail to publish a required accessibility statement are subject to a separate 25,000 EUR annual penalty that accumulates independently of any compliance fines.
France also uses a named-and-shamed approach. The DGCCRF publishes enforcement actions, and the reputational damage of being identified as an EAA non-complier is being cited by French businesses as a significant additional deterrent beyond the financial penalties.
Spain: Up to 1,000,000 EUR and Operational Bans
Fine ranges: minor violations 30,000 to 90,000 EUR, serious violations 90,001 to 300,000 EUR, very serious violations 300,001 to 1,000,000 EUR. Additional sanction: operational ban of up to 2 years for repeated very serious violations. Enforcement: AEPD (Agencia Española de Protección de Datos) for digital services, plus sectoral regulators.
Spain has the highest fixed maximum fine in the EU at 1,000,000 EUR, though Hungary's turnover-based approach can theoretically exceed this. The operational ban provision is unique among EU member states and represents the most severe non-financial sanction available under any national EAA transposition.
Spain classified accessibility failures using a three-tier severity system drawn from its existing LSSI (Ley de Servicios de la Sociedad de la Información) framework. This means Spanish regulators have existing experience applying these penalty tiers and established procedural infrastructure for imposing them.
The AEPD has indicated it will prioritize enforcement against e-commerce platforms with annual revenues above 10 million EUR. Smaller businesses are more likely to receive remediation orders before fines, though the law does not require this graduated approach and inspectors have discretion to impose direct fines for serious violations.
Italy: 5% of Turnover for Large Companies
Standard fines: 5,000 to 40,000 EUR per violation. Large company penalty: up to 5% of annual turnover. Enforcement agency: AgID (Agenzia per l'Italia Digitale). Cure period: 90 days after formal notification before escalation to fines.
Italy has the most debtor-friendly enforcement framework in the EU. The 90-day cure period is the longest in the bloc, and AgID has indicated it will use this period as a genuine opportunity for remediation rather than a procedural formality before automatic fines.
However, the 5% turnover rule for large companies creates significant exposure for multinational businesses. A company with 500 million EUR annual revenue could face a 25 million EUR fine for a single serious violation, making Italy paradoxically both the most lenient and potentially the most expensive jurisdiction depending on company size.
Italy defines large companies for this purpose as those with more than 250 employees or annual turnover above 50 million EUR. Companies below these thresholds face only the standard 5,000 to 40,000 EUR range.
Netherlands: Up to 900,000 EUR with Mandatory Reporting
Maximum fine: up to 900,000 EUR or 1 to 10% of annual turnover, whichever is higher. Enforcement agency: ACM (Authority for Consumers and Markets). Mandatory reporting requirement: companies operating in covered sectors must file annual accessibility compliance reports with ACM.
The Netherlands has taken a compliance-first approach. The mandatory annual reporting requirement means companies must proactively demonstrate accessibility compliance rather than waiting for complaints. This significantly increases enforcement efficiency since ACM receives documented evidence of compliance status each year without needing to conduct proactive inspections.
The fine structure is notably flexible. ACM can choose between a fixed maximum of 900,000 EUR and a percentage of turnover, selecting whichever produces the higher amount. For large e-commerce operators or financial services companies, the 10% turnover figure is likely to be determinative.
ACM has published detailed guidance on what constitutes a compliant annual report, including specific WCAG success criteria that must be tested and documented. Companies that file incomplete or misleading reports face separate penalties for the reporting failure itself, independent of any underlying accessibility violations.
Sweden: SEK 10 Million and Active Market Surveillance
Maximum fine: SEK 10,000,000 (approximately 900,000 EUR). Enforcement agency: PTS (Post and Telecom Authority) for digital services, Konsumentverket for consumer products. Sweden has launched a formal active market surveillance program targeting e-commerce platforms.
Sweden is conducting the most systematic market surveillance in the EU. PTS published a list of 200 e-commerce platforms that it will audit by Q3 2026, with audit methodology based on automated WCAG 2.1 AA testing combined with manual keyboard navigation and screen reader testing.
Konsumentverket is simultaneously running a parallel program targeting consumer product accessibility, focusing on ATMs, self-service kiosks, and electronic communications equipment. Sweden's dual-agency enforcement approach means companies may face simultaneous investigations from two different regulators.
The SEK 10 million maximum converts to approximately 900,000 EUR at current exchange rates, placing Sweden among the highest-fine jurisdictions alongside the Netherlands. Sweden also permits the affected person to seek damages through civil courts in addition to regulatory fines, creating a potential double-exposure similar to GDPR enforcement patterns.
Ireland: Criminal Penalties Including Imprisonment
Maximum fine: 60,000 EUR on indictment. Imprisonment: up to 18 months. Summary conviction: 5,000 EUR and/or 6 months imprisonment. Enforcement: CCPC (Competition and Consumer Protection Commission) and ComReg.
Ireland is unique in the EU for having criminal sanctions, including imprisonment, for EAA non-compliance. This was a deliberate policy choice by the Irish legislature when transposing the directive, reflecting Ireland's existing approach to consumer protection enforcement.
The criminal sanction is reserved for deliberate and sustained refusal to comply after formal enforcement action. A company that makes genuine efforts to remediate identified issues will not face criminal prosecution. The mechanism is designed to address bad actors who ignore repeated enforcement notices.
For technology companies with EU headquarters in Ireland (which includes many major US tech firms due to Ireland's corporate tax environment), the CCPC's jurisdiction is particularly significant. An enforcement action by the CCPC against an Irish-headquartered company applies across its EU operations under the cooperation mechanisms established by the directive.
The 60,000 EUR maximum on indictment is relatively low compared to other EU jurisdictions, but the imprisonment provision and the reputational implications of criminal prosecution represent a qualitatively different risk category.
Austria, Belgium, Portugal, and Hungary
Austria imposes fines of 80,000 to 200,000 EUR per violation, enforced by the Federal Ministry of Social Affairs and regional market surveillance authorities. Austria's framework includes specific provisions for construction accessibility that extend beyond digital services, making it one of the more comprehensive transpositions.
Belgium has established a tiered system running from 1,000 EUR for minor technical violations to 200,000 EUR for systematic non-compliance. The FSMA (Financial Services and Markets Authority) handles financial sector enforcement, while regional authorities handle general digital services. Belgium's federal structure means enforcement intensity varies significantly between regions, with Brussels and Flanders showing more active enforcement than Wallonia in the first six months.
Portugal has set maximum fines at 44,891 EUR (indexed to the national minimum wage multiplier system used across Portuguese administrative law). Enforcement is split between ANACOM for electronic communications and the national market surveillance authority for other covered products and services.
Hungary has the highest potential fine in the EU when the turnover percentage applies. The base penalty structure allows fines up to approximately 500,000 EUR, but the 5% of annual turnover provision can reach 1,260,000 EUR for a company at the large enterprise threshold. Hungary's National Consumer Protection Authority has been actively building enforcement capacity since mid-2024.
Enforcement Mechanisms: How Fines Actually Get Imposed
Understanding the fine amounts is only half the picture. How enforcement actually works determines your real risk level.
Most EU countries follow a graduated enforcement sequence: complaint or inspection trigger, formal notification of alleged violation, remediation period (ranging from 30 days in Spain to 90 days in Italy), failure to remediate, formal finding of violation, penalty decision, appeal period. The entire process typically takes 6 to 18 months from initial complaint to final penalty decision.
However, this graduated approach is not legally required. Spain, the Netherlands, and Ireland can impose direct penalties for serious violations without a prior remediation opportunity. The existence of a remediation period depends on the severity of the violation and the national regulator's discretion, not on an automatic procedural right.
The trigger mechanisms vary. Germany and the Netherlands actively inspect based on annual reporting data. France uses DGCCRF market surveillance. Sweden PTS runs automated scans. Most other countries rely primarily on complaints, which creates a significant role for disability advocacy organizations in initiating enforcement actions.
Appeals follow national administrative law procedures. In most jurisdictions, a penalty decision can be appealed to administrative courts within 30 to 60 days. Appeals automatically stay enforcement in Germany, Austria, and Belgium but not in France, Spain, or the Netherlands, where fines accrue during appeal unless a court orders a stay.
Who Can File Complaints Against You
The EAA creates multiple pathways for enforcement actions, and they do not all start with regulators.
Individuals with disabilities can file complaints directly with national enforcement authorities. In countries with ombudsman systems (Sweden, Norway, Finland), complaints can be filed with the equality ombudsman as an alternative to the market surveillance authority. Both pathways can result in formal enforcement proceedings.
Disability advocacy organizations can file collective complaints on behalf of affected individuals. Several European disability organizations announced in 2025 that they would systematically file complaints against non-compliant businesses in their sectors, beginning with financial services and e-commerce.
Competitors can use the EAA as a competition law lever in Germany (Abmahnung), and similar competitor complaint mechanisms exist under general unfair competition law in Belgium, Austria, and the Netherlands. A compliant competitor has standing to complain that a non-compliant competitor is gaining unfair advantage.
Suppliers and business customers in B2B relationships are increasingly including EAA compliance requirements in procurement contracts, creating contractual liability exposure separate from regulatory enforcement. A supplier that is found non-compliant may face contract termination and damages claims in addition to regulatory penalties.
Cross-Border Enforcement and Extraterritorial Reach
The EAA applies where the service is offered, not where the company is headquartered. This mirrors the extraterritorial reach established by GDPR and creates similar compliance obligations for non-EU companies.
A US company with a French-language e-commerce website targeting French consumers is subject to French EAA enforcement regardless of whether it has any physical presence in France. The test is whether the service is offered to EU consumers, not whether the provider is established in the EU.
For companies operating across multiple EU markets, the enforcement authority with primary jurisdiction is generally the regulator in the country where the company's EU establishment is located. For companies with no EU establishment, any member state where the service is actively offered can initiate enforcement.
The cooperation mechanisms in the directive require national enforcement authorities to share information and coordinate enforcement actions. This means a complaint in one country can trigger a coordinated investigation across multiple jurisdictions simultaneously, similar to the GDPR lead supervisory authority mechanism but with less formalized coordination procedures.
Practically, this means a company that ignores an enforcement notice in France should not expect that a German or Dutch regulator is unaware of the French proceedings. Information sharing between EAA enforcement authorities is becoming increasingly systematic.
Real Enforcement Cases Since June 2025
The EAA's first eight months have produced several enforcement actions that reveal how regulators are actually using their powers.
France leads with the highest-profile cases. DGCCRF sent formal enforcement notices to Auchan, Carrefour, E.Leclerc, and Picard in November 2025 following inspections that found systematic keyboard navigation failures, missing alternative text, and non-compliant checkout flows. All four retailers have retained specialist accessibility consultancies and are in active remediation. Penalty decisions are expected in Q2 2026 if remediation is incomplete.
Norway, while not an EU member, is an EEA state and has adopted the EAA through the EEA Agreement. Norway's Likestillings- og diskrimineringsombudet (Equality and Anti-Discrimination Ombud) imposed daily penalties of NOK 50,000 (approximately 4,500 EUR per day) on the HelsaMi health portal operated by Norsk Helsenett for persistent keyboard accessibility failures. The penalty has been running since August 2025 and the total accumulated fine exceeded NOK 3,500,000 by December 2025.
Sweden's PTS completed its first wave of formal inspections in Q4 2025, issuing 23 formal notices to e-commerce operators. None resulted in immediate fines, but companies have 60-day remediation periods with follow-up inspections scheduled.
The Netherlands ACM accepted its first EAA complaint in July 2025 against a major Dutch bank for inaccessible mobile app interfaces. Investigation is ongoing.
Germany saw its first Abmahnung wave in Q3 2025, with several specialized law firms filing competitor cease-and-desist claims against businesses that failed to publish accessibility statements. Estimates suggest 300 to 500 Abmahnungen were filed in the July-October 2025 period.
Penalty Comparison: Strictest to Most Lenient
Ranking EU countries by severity of their EAA penalty regimes requires considering not just maximum fines but also additional sanctions, enforcement intensity, and procedural protections.
The strictest jurisdictions by combined risk score are Spain (highest fixed maximum at 1M EUR plus operational bans), the Netherlands (flexible fine structure plus mandatory reporting creates high detection probability), and France (aggressive enforcement posture demonstrated by actual enforcement actions plus separate statement penalties).
Hungary and Sweden are high-fine jurisdictions but lack France's demonstrated enforcement track record in the first enforcement period.
Germany is unique: the regulatory fine maximum is moderate (100,000 EUR) but the Abmahnung mechanism creates rapid, private-sector-driven enforcement at scale that has already produced more enforcement actions than any other EU country.
Ireland has relatively low financial penalties but the unique criminal sanction creates a qualitatively different risk profile for companies operating significant EU operations from Irish headquarters.
The most lenient combined regimes are Italy (generous cure period, standard fixed fines below other major markets) and Portugal (low maximum indexed to wage multiplier). However, Italy's 5% turnover rule means large companies cannot rely on the low fixed amounts.