Eight months into enforcement of the European Accessibility Act, the question has shifted from "will they actually fine us" to "how much will it cost." France has already filed its first EAA lawsuits against major retailers. Norway is issuing daily penalties of NOK 50,000 for non-compliant health portals. Sweden's PTS is running systematic inspections of e-commerce platforms. The EAA is no longer theoretical. This guide provides the definitive country-by-country breakdown of fines, enforcement agencies, real cases, and what you need to do to stay on the right side of each national regulator.
What the European Accessibility Act Actually Requires
The European Accessibility Act (Directive 2019/882) is an EU directive that mandates accessibility for digital products and services sold to or used by EU consumers. It became enforceable on June 28, 2025, after a three-year transition period that many businesses treated as optional. That was a mistake.
The technical standard underpinning the EAA is EN 301 549, which maps directly to WCAG 2.1 Level AA. If your website, mobile app, e-commerce platform, banking interface, or transport ticketing system does not meet WCAG 2.1 AA, you are non-compliant with the EAA.
The directive covers a broad range of products and services: computers and operating systems, smartphones, self-service terminals like ATMs and ticket machines, e-readers, e-commerce websites and apps, banking and financial services, electronic communications, audiovisual media services, e-books, and transport information and ticketing. If you sell any of these into the EU market, the EAA applies to you regardless of where your company is headquartered.
There is one meaningful exemption: microenterprises with fewer than 10 employees AND annual turnover below 2 million euros are exempt from the service requirements. Note the AND. A company with 8 employees but 5 million euros in revenue does not qualify. The exemption also does not cover product requirements, only services.
The directive requires each EU member state to establish penalties that are "effective, proportionate and dissuasive." That specific legal language matters. It means regulators cannot simply send polite letters indefinitely. They must impose consequences that actually change behavior. And as the first eight months of enforcement show, many countries are taking that mandate seriously.
Country-by-Country Penalty Breakdown
Each EU member state transposed the EAA into national law with its own fine ranges, enforcement agencies, and procedural rules. The result is a patchwork that businesses operating across multiple EU markets must navigate carefully. Below is the detailed breakdown for every country with significant penalty structures.
Germany: Fines Up to 100,000 EUR Plus Competitor Lawsuits
Maximum fine: 10,000 to 100,000 EUR per violation. Enforcement agency: MLBF AoeR (Marktüberwachungsbehörde für Barrierefreiheitsanforderungen), operating under the Bundesnetzagentur.
Germany transposed the EAA through the Barrierefreiheitsstärkungsgesetz (BFSG), effective June 28, 2025. The official fines are significant but not the whole story. Germany's unique risk factor is the Abmahnung system: competitors can file cease-and-desist claims against non-compliant businesses under unfair competition law (UWG). A competitor whose website meets BFSG requirements can sue you for operating a non-compliant site, arguing it gives you an unfair cost advantage. These competitor-driven lawsuits bypass the regulator entirely and go straight to civil court.
This is not theoretical. German courts have a well-established track record of entertaining Abmahnungen in related areas like GDPR and cookie consent. Law firms specializing in these claims are already advertising BFSG-related services. For businesses in competitive German markets, the real enforcement risk may come from rivals rather than regulators.
The MLBF AoeR uses a graduated enforcement approach: notification, remediation deadline, then fines for non-compliance. But the per-violation structure means a website with multiple accessibility failures faces stacking penalties. Fifteen violations at 100,000 EUR each is a theoretical ceiling of 1,500,000 EUR.
France: Up to 250,000 EUR and First EAA Lawsuits Filed
Maximum fine: up to 250,000 EUR for repeated violations. Annual penalty: 25,000 EUR per year for missing accessibility statement. Enforcement agencies: ARCOM (audiovisual and digital platforms), DGCCRF (consumer protection and commerce), ARCEP (electronic communications), AMF and ACPR (financial services).
France has the most complex enforcement structure in the EU, with five different agencies covering different sectors. The base penalty for a single EAA violation is a fifth-class fine: 1,500 EUR for individuals, 7,500 EUR for legal entities. These double for repeat offenders. Systemic non-compliance across a platform triggers aggregate penalties up to 250,000 EUR.
But the headline number misses a critical detail: France imposes a separate annual penalty of 25,000 EUR for failing to publish an accessibility statement. This penalty accrues every year until you publish one. Many businesses are non-compliant with this requirement without even realizing it.
France became the first EU country to file EAA-related enforcement actions. In November 2025, the DGCCRF initiated proceedings against four major retailers: Auchan, Carrefour, E.Leclerc, and Picard. These are the first real-world tests of EAA enforcement in any EU member state. The cases target e-commerce platform accessibility and are being closely watched across Europe as precedent-setters.
The French approach signals that enforcement will focus first on large companies with high consumer visibility before working down to smaller businesses. If you are a major brand selling into France, you should assume you are already on the DGCCRF's radar.
Spain: Up to 1,000,000 EUR and Operational Bans
Fine ranges: minor violations 30,000 to 90,000 EUR, serious violations 90,001 to 300,000 EUR, very serious violations 300,001 to 1,000,000 EUR. Additional sanction: operational bans up to 2 years. Enforcement: Ministry of Social Rights and autonomous community governments.
Spain has the most aggressive penalty regime in the EU by a wide margin. Even the floor for minor violations starts at 30,000 EUR, which exceeds the maximum fine in several other member states. The ceiling of 1,000,000 EUR for very serious violations is the highest published maximum in Europe.
What makes Spain particularly dangerous is the operational ban provision. For very serious or repeated violations, Spanish authorities can prohibit a company from operating in the Spanish market for up to two years. For businesses with significant Spanish revenue, a two-year market ban would be catastrophic.
Enforcement is split between the national Ministry of Social Rights and the 17 autonomous communities. This means a company operating across Spain could face parallel enforcement actions from multiple regional authorities. The autonomous communities of Catalonia, the Basque Country, and Madrid have been particularly proactive in establishing their enforcement mechanisms.
Spain classifies violations into three tiers. "Very serious" includes systematic refusal to comply after notification, deliberate discrimination, and accessibility failures affecting large numbers of users. "Serious" covers individual violations that substantially impact usability. "Minor" covers technical non-compliance without significant user impact. The tiered structure means the actual penalty depends heavily on how the regulator classifies the violation.
Italy: 5% of Turnover for Large Companies
Standard fines: 5,000 to 40,000 EUR per violation. Large company penalty: up to 5% of annual turnover. Enforcement agency: AgID (Agenzia per l'Italia Digitale). Cure period: 90 days.
Italy's penalty structure has two tracks. Small and medium businesses face standard fines of 5,000 to 40,000 EUR per violation. But large companies, defined as those with annual revenue above a threshold set by AgID, face penalties scaled to 5% of turnover. For a company doing 100 million euros in annual revenue, that is a potential 5,000,000 EUR fine.
The 90-day cure period is Italy's distinguishing feature. After AgID notifies a company of non-compliance, it has 90 calendar days to remediate all identified issues. If remediation is complete and verified within that window, no financial penalty is imposed. This makes Italy one of the more business-friendly enforcement regimes, provided you actually fix the problems.
Italy has a long history of accessibility regulation predating the EAA. The Stanca Law of 2004 already required accessibility for public sector websites, and AgID has been enforcing it for two decades. This institutional experience means Italian enforcement is likely to be technically competent and methodical rather than arbitrary.
AgID has published detailed technical guidelines for EAA compliance, including specific test procedures mapped to EN 301 549. Companies operating in Italy should review these guidelines, as AgID will assess compliance against its own published criteria.
Netherlands: Up to 900,000 EUR with Mandatory Reporting
Maximum fine: up to 900,000 EUR or 1 to 10% of annual turnover, whichever is higher. Enforcement agency: ACM (Authority for Consumers and Markets). Mandatory reporting: in effect since October 2025.
The Netherlands has positioned itself as one of the toughest enforcers in Europe. The fine ceiling of 900,000 EUR or 10% of turnover gives the ACM significant leverage, particularly against large companies where the percentage-based calculation produces higher numbers than the fixed maximum.
What sets the Netherlands apart is its mandatory reporting requirement, effective since October 2025. Companies offering covered services in the Dutch market must proactively report their accessibility compliance status to the ACM. This is not a complaint-driven system. The ACM does not wait for someone to file a report. It requires you to come forward and declare your compliance status, and then it verifies those declarations.
The ACM already has substantial experience enforcing digital regulations, including GDPR, the Digital Services Act, and consumer protection rules. It has dedicated teams, established procedures, and a track record of imposing significant fines. The EAA fits neatly into the ACM's existing enforcement infrastructure.
For companies operating in the Netherlands, the mandatory reporting requirement creates an additional compliance obligation beyond the accessibility work itself. You need documentation, internal audits, and a compliance declaration ready for the ACM.
Sweden: SEK 10 Million and Active Market Surveillance
Maximum fine: SEK 10,000,000 (approximately 900,000 EUR). Enforcement agency: PTS (Post and Telecom Authority) for digital services, Konsumentverket for products. Market surveillance: active since October 2025.
Sweden matches the Netherlands at the top of the penalty scale with a maximum of SEK 10 million. PTS began active market surveillance in October 2025, conducting systematic inspections of e-commerce platforms and digital services. This is not reactive enforcement waiting for complaints. PTS is proactively auditing businesses.
Swedish enforcement includes market access restrictions beyond financial penalties. PTS can prohibit the sale or distribution of non-compliant products and services within Sweden. For many companies, losing access to the Swedish market, even temporarily, represents a more severe consequence than the fine itself.
Sweden's strong disability rights culture, built over decades of progressive legislation, means consumer awareness is high and complaints arrive quickly. Disability organizations in Sweden are well-organized, technically sophisticated, and actively monitoring digital services for EAA compliance. Companies that assume Swedish enforcement will be slow or lenient are misjudging the market.
Ireland: Criminal Penalties Including Imprisonment
Maximum fine: 60,000 EUR on indictment. Imprisonment: up to 18 months. Summary conviction: 5,000 EUR and/or 6 months imprisonment. Enforcement: CCPC (Competition and Consumer Protection Commission) for products, with sector-specific regulators for services.
Ireland is the only EU member state that includes criminal sanctions for EAA non-compliance. While financial penalties are moderate compared to Spain or the Netherlands, the possibility of imprisonment fundamentally changes the risk profile for company directors and officers.
Imprisonment is reserved for deliberate and sustained refusal to comply after formal enforcement action. A company that makes genuine efforts at accessibility but falls short is unlikely to face criminal prosecution. But a company that receives enforcement notices and ignores them entirely could see its directors face personal criminal liability. That distinction matters for corporate governance.
Enforcement in Ireland is distributed across multiple sector regulators: the CCPC for consumer products, ComReg for electronic communications, Coimisiún na Meán for media services, the National Transport Authority for transport, and the Central Bank for financial services. This sectoral approach means businesses need to understand which regulator covers their specific activities.
Ireland also has strong non-financial enforcement powers, including product withdrawal orders and public compliance notices. The reputational impact of a public notice can exceed the financial impact of the fine itself.
Austria, Belgium, Portugal, and Hungary
Austria imposes fines of 80,000 to 200,000 EUR per violation, enforced by the Federal Ministry of Social Affairs and regional market surveillance authorities. Austrian enforcement gives particular attention to banking and financial services, with a 14-day response window for accessibility complaints, one of the shortest in the EU.
Belgium sets penalties between 1,000 and 200,000 EUR per breach, enforced by SPF Economie. Belgium's trilingual market adds a unique requirement: accessibility must be maintained across French, Dutch, and German language versions of a service, and a failure in any single language version counts as a separate violation. Persistent violations can lead to business suspension orders.
Portugal applies fines of 5,000 to 100,000 EUR, enforced by INCODE. While Portuguese fines are moderate by Western European standards, INCODE can also order the suspension of non-compliant services, which carries commercial consequences well beyond the fine amount. Portugal requires all service providers to publish accessibility statements.
Hungary has the highest potential fine in the EU when calculated as a percentage: up to 1,260,000 EUR or 5% of annual turnover, whichever is higher. The Hungarian Authority for Consumer Protection enforces with a focus on market surveillance of digital products and services. Hungary's percentage-based penalty structure means large companies face exposure exceeding even Spain's maximum.
Enforcement Mechanisms: How Fines Actually Get Imposed
Understanding the fine amounts is only half the picture. How enforcement actually works determines your real risk level.
Most EU countries follow a graduated enforcement approach. The typical sequence is: complaint or inspection triggers investigation, investigation confirms non-compliance, regulator issues notification with a remediation deadline (usually 30 to 90 days), company either fixes the issues or fails to, and penalties are imposed only after the remediation deadline passes without adequate action. Italy's 90-day cure period is the most business-friendly version of this approach.
Daily penalties are an increasingly common tool. Several countries can impose per-day fines that accumulate until the accessibility issue is resolved. These daily penalties typically range from 500 to 5,000 EUR per day, but Norway's HelsaMi case (discussed below) shows they can reach much higher levels. A daily penalty of 1,000 EUR becomes 365,000 EUR over a year, potentially exceeding the headline maximum fine.
Market access restrictions represent the most severe non-financial penalty. Germany, Sweden, Spain, Belgium, and the Netherlands can all prohibit non-compliant products or services from their markets. For a company generating significant revenue in any of these countries, a market ban is often more damaging than any financial penalty.
Enforcement actions in one country can trigger investigations in others. The EU's market surveillance framework includes information-sharing mechanisms between national authorities. A finding of non-compliance in France can prompt the Dutch ACM or German MLBF AoeR to investigate the same company's services in their markets.
Who Can File Complaints Against You
The EAA creates multiple pathways for enforcement actions, and they do not all start with regulators.
Individuals with disabilities can file complaints directly with their national enforcement agency. Every EU member state is required to provide an accessible complaint mechanism. The barrier to filing is low: a person encounters an accessibility issue, documents it, and submits a complaint. The agency must investigate and respond within defined timelines.
Disability organizations have standing to file complaints on behalf of their members in most EU countries. These organizations often have technical expertise in accessibility testing and can file highly detailed complaints that are difficult for regulators to dismiss. In Sweden, Denmark, and the Netherlands, disability organizations have been actively testing major websites and apps since the EAA became enforceable.
Consumer protection groups can also file complaints in many jurisdictions. In countries where the EAA is enforced by consumer protection authorities (like France's DGCCRF or the Netherlands' ACM), existing consumer advocacy groups have a direct pathway to trigger enforcement.
Competitors represent the wildcard, particularly in Germany. Under the Abmahnung system, a competitor that complies with the BFSG can take legal action against one that does not. This creates a self-policing dynamic within industries where companies have financial incentives to identify and report each other's non-compliance.
The practical implication: you cannot rely on regulators being too busy or understaffed to find you. Complaints can come from users, advocacy groups, consumer organizations, and business competitors. Any one of these can trigger formal enforcement.
Cross-Border Enforcement and Extraterritorial Reach
The EAA applies where the service is offered, not where the company is headquartered. This mirrors the extraterritorial reach established by GDPR and has the same practical implications. A US-based e-commerce company selling to French customers is subject to French EAA enforcement. A UK company (post-Brexit) serving Dutch consumers falls under Dutch ACM jurisdiction for those services. A Japanese banking app available to Italian users must comply with AgID's requirements.
This means a single non-compliant digital service operating across multiple EU markets faces simultaneous exposure to multiple national enforcement regimes. The same accessibility failure on your website could result in proceedings from France's DGCCRF, Germany's MLBF AoeR, and Spain's Ministry of Social Rights concurrently. There is no "one country, one penalty" protection.
The EAA compliance framework does not include a lead supervisory authority mechanism like GDPR's one-stop shop. Each national authority acts independently within its jurisdiction. Companies cannot designate a single EU country as their primary regulatory contact and deal exclusively with that authority.
For businesses operating across the EU, this creates a strong incentive to achieve full compliance rather than trying to manage individual country relationships. Meeting WCAG 2.1 AA across your entire digital presence satisfies every national regulator simultaneously. Selective compliance for specific markets is a strategy that invites exactly the kind of fragmented enforcement it tries to avoid.
Real Enforcement Cases Since June 2025
The EAA's first eight months have produced several enforcement actions that reveal how regulators are actually using their powers.
France leads with the most visible enforcement activity. In November 2025, the DGCCRF filed proceedings against Auchan, Carrefour, E.Leclerc, and Picard for non-compliant e-commerce platforms. These are the first EAA lawsuits in the EU and represent a clear signal that French authorities intend to enforce aggressively against high-profile targets. The cases focus on core e-commerce accessibility: product browsing, cart functionality, checkout processes, and the absence of accessibility statements.
Norway, while not an EU member, applies the EAA through the EEA agreement. The HelsaMi health portal case is the most financially significant enforcement action so far. Norwegian authorities imposed a daily penalty of NOK 50,000 (approximately 4,500 EUR per day) for persistent accessibility failures in a public health portal. The fine accumulates until full remediation is complete, creating open-ended financial exposure that could reach hundreds of thousands of euros.
Sweden's PTS launched systematic e-commerce inspections in October 2025, proactively testing major online retailers against EN 301 549 requirements. While PTS has not yet published penalty decisions, the inspections signal that Swedish enforcement will be proactive rather than complaint-driven. Companies that received inspection notices have been given remediation deadlines.
The Netherlands' ACM began enforcing its mandatory reporting requirement in October 2025. Companies that failed to report their accessibility compliance status received formal notices. The ACM has not yet published fine decisions, but the reporting requirement itself is creating a compliance paper trail that will facilitate future enforcement.
Penalty Comparison: Strictest to Most Lenient
Ranking EU countries by severity of their EAA penalty regimes requires considering not just maximum fines but also additional sanctions, enforcement intensity, and practical risk factors.
At the top tier, Spain (up to 1,000,000 EUR plus 2-year operational bans), Hungary (up to 1,260,000 EUR or 5% turnover), the Netherlands (up to 900,000 EUR or 10% turnover), and Sweden (approximately 900,000 EUR) have the highest financial exposure. Spain's operational ban provision makes it arguably the strictest overall.
The upper-middle tier includes France (up to 250,000 EUR plus active enforcement already underway), Belgium (up to 200,000 EUR plus business suspension), Austria (up to 200,000 EUR), and Italy (5% turnover for large companies, but with a generous 90-day cure period).
Germany sits in a unique position. Official fines cap at 100,000 EUR per violation, placing it in the middle tier financially. But the Abmahnung risk from competitor lawsuits, combined with the per-violation stacking structure, pushes Germany's practical risk much higher. For businesses in competitive German markets, total exposure can rival the top-tier countries.
Ireland's moderate fines (60,000 EUR maximum) are offset by criminal liability, including up to 18 months imprisonment. For company directors, the risk calculation is fundamentally different from any other EU country.
Portugal (up to 100,000 EUR) and Poland (approximately 25,000 EUR) sit at the lower end of the financial penalty scale, though both include non-financial sanctions like service suspension and mandatory third-party audits that add significant cost.
The overall trend is clear: penalties are substantial, enforcement is real, and multiple EU countries are actively using their powers within the first year of EAA enforcement.