QualiBooth

compliance

What GDPR Taught Us About the EAA

The European Accessibility Act is following the same enforcement path GDPR did. If your organization learned GDPR the hard way, here's how not to repeat it.

5 min read QualiBooth
An EU flag in front of a European government building, representing EU digital regulation.

We’ve been here before

In 2018, GDPR came into force and the response from most organizations followed a predictable arc. A period of near-silence. Then, as the deadline approached, a scramble. Then, as enforcement actually arrived, genuine urgency and a rush to become compliant on a timeline that was far shorter than it should have been.

The European Accessibility Act is on the same trajectory. The deadline — June 28, 2025 — has passed. Enforcement is underway. And the organizations that treated accessibility as a “we’ll deal with it eventually” matter are now discovering that eventually has arrived.

If you went through GDPR, much of what follows will feel familiar.

What they have in common

A compliance deadline that most organizations missed

When GDPR came into force in May 2018, surveys showed that a majority of EU businesses were not compliant — in some reports, the figure was over 60%. The story with EAA looks similar. Research published shortly before the June 2025 deadline consistently showed that only a small fraction of the businesses covered by the act had achieved meaningful compliance.

Both laws share the same basic pattern: a long lead-in period during which most organizations take limited action, followed by a rush of activity as the deadline approaches, followed by ongoing enforcement for those who didn’t move fast enough.

A territorial scope that many businesses underestimated

GDPR applies to any organization that processes data on EU residents, regardless of where the organization is based. The EAA operates similarly: if your digital product or service is sold to customers in the EU, and your organization meets the size thresholds (more than 10 employees and more than €2 million in turnover), you need to comply — regardless of whether you’re headquartered in Munich or San Francisco.

Many non-EU businesses were surprised by GDPR’s reach. The same is happening with EAA.

A penalty framework with real teeth

GDPR’s fines — up to 4% of global annual turnover or €20 million, whichever is higher — made headlines. Organizations found themselves on the receiving end of multi-million euro penalties for failures that, in many cases, were preventable.

EAA penalties are set at the national level, so they vary across member states. But they’re not trivial. Italy and France both provide for fines in the range of tens of thousands of euros per violation. Germany’s Barrierefreiheitsstärkungsgesetz (BFSG) implementation includes substantial penalties. And unlike GDPR, where many violations were discovered through data breaches or complaints, accessibility failures are visible to anyone who visits your website with a screen reader — which includes the disability advocacy organizations that file accessibility complaints.

Where EAA differs from GDPR

Accessibility violations are visible from the outside

GDPR violations often required an insider complaint or a breach notification to come to light. Accessibility failures are publicly discoverable. Anyone can open your website, run an automated scan, or test it with a screen reader and document what they find. Disability advocacy groups do exactly this, systematically.

This means the pool of potential complainants is much larger, and the barrier to filing a complaint is much lower. You don’t need access to internal systems or leaked documents. You just need a browser.

The technical standard is already specified

GDPR required organizations to implement “appropriate technical and organizational measures” to protect data — a standard that was deliberately vague to allow for technological change. The EAA specifies a concrete technical standard: EN 301 549, which references the Web Content Accessibility Guidelines (WCAG 2.1/2.2) at Level AA.

This clarity is a double-edged sword. On one hand, organizations know exactly what they need to achieve. On the other hand, it makes it easy to demonstrate non-compliance — automated tools can generate a detailed violation report in seconds.

Early enforcement is already happening

GDPR had a relatively quiet first year of enforcement before the major fines arrived. EAA enforcement is moving more quickly. French authorities began issuing notices to major retailers shortly after the deadline. A Paris court ruled on a school platform accessibility case that included potential fines of €25,000 per year. Advocacy organizations across EU member states are actively filing complaints.

The GDPR lessons that apply to EAA

”We’ll become compliant before enforcement reaches us” is not a strategy

Many organizations made this calculation with GDPR and found that enforcement was faster and more targeted than they expected. Accessibility complaints are being filed now. The organizations that get ahead of this are the ones who start auditing and remediating before they receive a formal notice.

Documentation matters as much as the technical fix

GDPR required organizations to maintain records of processing activities, data protection impact assessments, and evidence of consent. EAA requires accessible platforms and, in many national implementations, accessibility statements that document current conformance levels, known exceptions, and contact mechanisms for users to report barriers.

Having an accessibility statement that accurately reflects your current state — and being able to demonstrate ongoing improvement — is meaningful evidence of good-faith compliance.

Compliance is a process, not a project

The GDPR mindset trap was treating compliance as a box to tick: engage a legal team, update the privacy policy, add cookie banners, done. Many organizations then stopped — only to find they needed to revisit their compliance as they launched new products or updated existing ones.

Accessibility works the same way. Every new feature, every third-party component, every design refresh can introduce new barriers. Sustainable compliance requires integrating accessibility into your development and content workflows, not treating it as a one-time remediation. Our guide on accessibility in the software development lifecycle covers what this looks like in practice.

Start with a baseline

Before you can plan remediation, you need to understand where you currently stand. That means running an audit — both automated and manual — to document the failures, prioritize them by impact and frequency, and create a realistic remediation plan.

If you haven’t done this yet, the fastest starting point is a free automated scan, which gives you an immediate picture of the automatable violations. For the full picture — including the roughly 60–70% of barriers that automated tools cannot detect — manual testing by people who use assistive technology is necessary.

The organizations that dealt with GDPR well didn’t wait for enforcement. They assessed their position, made a plan, and executed it with the same urgency they would apply to any other material business risk. The EAA deserves the same treatment.

Find out if your site meets EAA requirements