The EAA and BFSG: Recap and Update – What has happened in the first year since June 28, 2025

One year ago, on 28 June 2025, the Directive (EU) 2019/882 , the European Accessibility Act (“EAA”), and its German implementing Act, the Barrierefreiheitsstärkungsgesetz (“BFSG”) and the German BFSG Executive Order (“BFSGV”), came into force . What once looked like a largely theoretical compliance exercise is rapidly turning into a concrete supervisory and litigation landscape. This article summarizes where we stand in June 2026, with a focus on the new German market surveillance authority and its recently published strategies and emerging EU-wide enforcement trends.

1. Recap: Scope and enforcement

Who is in scope?

The EAA and BFSG introduce harmonized accessibility requirements for a defined set of consumer‑facing products and services across the EU. In Germany, in line with the EAA, the BFSG applies to economic operators who bring certain products into circulation or provide certain services to consumers from 28 June 2025 onwards.

In line with the EAA, the BFSG/BFSGV apply in particular to:

• Products: ATMs, payment terminals, ticketing and check‑in machines, smartphones, tablets and e‑book readers.
• Services:
  • E‑commerce services, including online shops, booking platforms and subscription models that enable consumers to conclude contracts via websites or apps.
  • Consumer banking services, including payment services, credit agreements, certain investment services and e‑money for private customers.
  • E‑books and related distribution services.
  • Services providing access to audiovisual media, such as streaming platforms, media apps and electronic programme guides.
  • Electronic communications services with human interaction, for example email, messenger and chat functions (subject to certain narrow exemptions).

The German regime mirrors the EAA exemptions: accessibility obligations do not apply where compliance would fundamentally alter the basic nature of a product or service or impose a disproportionate burden, subject to strict documentation and notification duties. Microenterprises (fewer than 10 employees and annual turnover or balance sheet total below EUR 2 million) are exempt from accessibility obligations for services under the BFSG.

Enforcement framework in Germany and legal risks

In Germany, the central competent authority for most BFSG‑relevant products and services is the “Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen” („MLBF“), a joint supervisory authority of the federal states which is based in Magdeburg. It is responsible for monitoring compliance with the accessibility requirements for both products and services under the BFSG and BFSGV, with the exception of services providing access to audiovisual media, where the state media authorities remain competent.

The MLBF formally started operations on 26 September 2025. It has now published its official website and has released market surveillance strategies for products and for services under the BFSG outlining its risk‑based supervision model. In addition to regulatory enforcement, private actors, such as consumers, consumer protection associations, associations representing people with disabilities, and competitors can seek to enforce accessibility obligations via civil and competition law routes.

The MLBF follows a graduated enforcement model:

• Correction orders: Providers are first required to remedy formal or material non‑conformities within a set deadline.
• Restrictions and prohibitions: If non‑compliance persists, the authority can restrict or prohibit the offer or provision of services or the placing of products on the market.
• Administrative fines: breaches can trigger fines of up to EUR 100,000.

The new German market surveillance strategies

The newly published market surveillance strategies for products and services under the BFSG provide the clearest indication to date of how the MLBF will supervise businesses.

The MLBF applies a two-sided risk‑based approach. The authority distinguishes between proactive (ex officio) and reactive (trigger‑based) market surveillance:

• Reactive surveillance is driven by external information and has priority over proactive surveillance. Key triggers include:
  • Applications by consumers or recognized associations requesting market surveillance measures
  • Declarations by businesses invoking exemptions due to a fundamental alteration or disproportionate burden
  • Self‑notifications of non‑conformity by businesses
  • Information from external sources including hints, media reports or information from other authorities or EU Member States indicating possible non‑compliance
• Proactive surveillance consists of systematic and ongoing controls online and in-person, regularly evaluated and prioritized according to the risk profile. The MLBF uses a number of factors to identify high‑risk profiles, including:
  • Market share or user reach, with a focus on businesses with very high user reach or a local or sectoral monopoly position,
  • Company size,
  • Complexity and interactivity of the service,
  • Price structure of the product or product category,
  • Relevance for autonomous living and everyday participation of people with disabilities,
  • Market trends,
  • Results of automated pre‑assessments for web‑based services and
  • Public user feedback.

Web‑based services are screened through technical testing tools, allowing the authority to cover a broader range of offerings than would be possible with purely manual checks. The MLBF intends to prioritize services and products that are essential for everyday participation and that have significant market coverage.

Importantly, the strategy emphasizes that the MLBF will also assess the “own activities” of businesses, such as ongoing compliance measures, provision of accessible information on service functionality and accessibility features, and the level of cooperation with the authority. Businesses who have repeatedly shown non-compliance or low willingness to cooperate will face heightened scrutiny in future supervisory cycles.

2. Enforcement in practice: Germany and beyond

In our March 2026 update, we noted that the first period after entry into force was characterized more by soft enforcement and awareness‑raising than by fines. In Germany, no public regulatory enforcement actions had been reported at that time, while some warning letters were being sent by private actors. This is now changing.

Germany: MLBF moves from set-up to action

With the MLBF now fully operational and its strategies published, businesses are beginning to see concrete supervisory activity. The strategies explicitly state that, given the recent introduction of the BFSG, the current priority is to ensure the authority’s “responsiveness” and to build a qualitative database. This database will be used to determine an appropriate minimum control level.

In practice, we are seeing that service providers that notified the MLBF in 2025 about partial non‑compliance – for instance where certain parts of their websites cannot be made accessible and this is transparently disclosed in their accessibility statements – are now receiving follow‑up questions from the authority. This aligns with the strategy’s focus on using self‑reported non‑conformities and exemption declarations as key risk signals. Therefore, businesses should ensure that any reliance on exemptions and any disclosure of remaining barriers is robustly documented and defensible against follow‑up questions.

Enforcement trends in other Member States

As reported in our update from March, enforcement activity has already picked up in several Member States, i.e. the Dutch Authority for Consumers and Markets (ACM) moved from a self‑reporting phase ending in mid‑October 2025 to active audits and investigations under the national EAA regime, while the Swedish Post and Telecom Authority (PTS) began targeted reviews of in‑scope e‑commerce providers in October 2025.

In Italy, the digital authority (AGID) has now introduced a two‑stage enforcement model as of May 2026: an initial cooperative remediation phase with deadlines, followed by formal sanctioning proceedings if shortcomings persist.

In France, interim court proceedings were initiated against four major retailers in July 2025. Now, these actions have led to a landmark interim ruling by the Judicial Court of Caen of 4 June 2026 in the case against Carrefour. Here, the court found that Carrefour’s online grocery website and mobile app are not sufficiently accessible and therefore breach the French digital accessibility obligations. Relying on Carrefour’s own accessibility audit, which showed 71.21% conformity with the reference standard EN 301 549 by assessment through the RGAA framework, the main technical accessibility standard in France, the court held that significant remaining barriers (including missing or inadequate alternative texts for images, insufficient colour contrast, poorly labelled links, incompatibility with assistive technologies and misuse of HTML semantics) prevent visually impaired users from fully using the service.  The court rejected Carrefour's argument that accessibility should be assessed solely on the basis of whether persons with disabilities are effectively able to use the service. Instead, it held that e-commerce services must satisfy the legal requirements under the EAA of being perceivable, operable, understandable and robust. These criteria require a detailed assessment of each individual accessibility criterion, not a “global”, functional assessment. The court emphasized that "it is clear that the e-commerce website cannot be merely a little accessible, it must be fully accessible".  Carrefour has been ordered to bring its e-commerce services into conformity, subject to a penalty payment of EUR 500 per day if full compliance is not achieved within six months of the order. The court refused the extensive request to suspend access to Carrefour's site and app as disproportionate, reasoning that such a measure would have prevented access not only for users affected by accessibility barriers but also for the large number of other consumers who were not concerned by the accessibility issues at stake. However, the associations acting as plaintiffs were awarded a provisional EUR 10,000 in non-pecuniary damages and the reimbursement of costs.

In an earlier judgement of the Judicial Court of Lille of 6 May 2026, the court likewise recognized that Auchan’s e-commerce site is not accessible for visually impaired users and it only dismissed the claim because it held that the defendant, the e-commerce subsidiary of the Auchan group, was exempted because it did not exceed the French turnover threshold of EUR 250 Million under French Disability Law and its implementing decree for private-sector online services. It should be noted that the claim was based on the lower EUR 2 million threshold of the French Consumer Code (“FCC”, specifically Article L.412-13), which implements the EAA into French law. The court did not apply this lower threshold because it interpreted this law as preserving the pre-existing national French Disability Law with the higher threshold of EUR 250 Million. However, this decision was rendered only in summary proceedings and remains subject to appeal. It will be important to closely monitor whether French courts will uphold this interpretation.

3. No “one‑stop shop”: multi‑state presence, multi‑state notifications

Unlike the GDPR, the EAA does likely not establish a one-stop-shop mechanism. Each Member State designates its own market surveillance authority (or authorities) with national competence. This has two practical implications for companies offering services in several EU jurisdictions:

• Non-conformity notifications must be addressed to each relevant national authority where the non-compliant product or service is placed on the market or provided to consumers, as required by Art. 13(4) EAA (Sec. 14(4) BFSG).
• Exemption notifications (for fundamental alteration or disproportionate burden under Art. 14 EAA (Sec. 16, 17 BFSG) likewise must be submitted individually to each Member State in which the operator relies on the exception.

For cross‑border operators, this creates a fragmented notification landscape requiring jurisdiction‑specific procedures and templates.

4. Accessibility statements and national divergences

Under the EAA, businesses must not only make their services and products accessible; they must also publish accessibility statements explaining how they comply with accessibility requirements. This is now a central element of both compliance and enforcement.

• However, there is no harmonized EU-wide template for accessibility statements, and national implementing laws have diverged significantly, as explained in more detail in our March 2026 Update.  

For companies whose websites or apps target customers in multiple Member States, this creates the following compliance choices:

• Either draft one consolidated accessibility statement that covers all national requirements, or
• Provide separate national statements tailored to local law.

5. Technical standards: EN 301 549 and WCAG

The EAA and BFSG set high‑level functional accessibility requirements but leave technical implementation to standards. Compliance with European harmonized standards creates a presumption of conformity with accessibility obligations.

The central standard for digital accessibility is EN 301 549. At present, EN 301 549 largely builds on the Web Content Accessibility Guidelines WCAG 2.1, which has become the de facto baseline for web and mobile accessibility in many sectors.

EN 301 549 is currently undergoing revision to fully integrate the EAA’s requirements. A first draft of version 4.1.0 was published in November 2025, and an approved version is expected to be published in the Official Journal of the EU in Q3 2026. The forthcoming version 4.1.1 is expected to reference WCAG 2.2, meaning businesses should already plan for an evolution beyond WCAG 2.1 when designing or upgrading their digital offerings.

6. EU policy outlook: accessibility as a horizontal goal to 2030

Accessibility is not only an EAA-specific topic but is increasingly treated as a horizontal policy objective in EU lawmaking. According to the EU’s 2030 disability and accessibility agenda, the Commission aims to mainstream accessibility into all relevant policy areas, including audiovisual media, electronic communications, consumer protection and transport, and to actively support implementation and standardization linked to the EAA.  For businesses, this means that decisions taken now on accessibility architectures and governance are likely to have long-term implications far beyond the immediate EAA horizon.

7. Practical implications: what businesses should do now

Given the maturing enforcement landscape and emerging supervisory practice, businesses within scope of the EAA and BFSG should move beyond initial compliance projects towards embedded accessibility governance. In particular, we recommend:

1. Recalculate your risk profile based on the MLBF’s strategies: services and products with high user reach, relevance for autonomous living or businesses with monopoly positions are likely to be prioritized.
2. Conduct a targeted accessibility gap analysis against WCAG 2.1 and the evolving EN 301 549 requirements across all in-scope products and services.
3. Review and, if necessary, update accessibility statements to ensure they accurately reflect actual implementation and comply with country‑specific requirements.
4. Set up internal processes to handle complaints and authority inquiries, with clear ownership, timelines and escalation paths. Also prepare a robust documentation set for any non‑compliance notifications and for any reliance on exemptions for fundamental alteration or disproportionate burden.
5. Align development and procurement processes with EN 301 549 and the WCAG 2.1 (and the soon expected 2.2), making accessibility a standard acceptance criterion rather than an afterthought.