How does an official compliance inspection of your website according to the EAA work?

Author: Dmitry Dugarev
So, you have made your website compliant with the European Accessibility Act (EAA), but a residual uncertainty remains: What actually happens when an authority reviews the whole thing? Does a letter arrive? Do they test secretly? And what happens if they find an error?
The EAA regulates this in considerable detail. For you as the operator of a website (which counts as a "service" in the sense of the law), Section 28 (Market Surveillance of Services) and Annex 1 (Surveillance of Services) are particularly crucial [1].
Here, I show you step-by-step how such an audit proceeds and what the consequences can be.
How is an EAA Compliance Inspection triggered?
There are two main ways the market monitoring body becomes aware of you:
- Proactive Sample (The Normal Case): The authority does not have to wait until someone complains. It is obliged to audit websites "even without concrete reason based on appropriate samples" (according to Section 28, Para. 2 EAA [1]). Your website can thus simply be selected randomly.
- Consumer Request (The Complaint Case): A consumer or an association (e.g., an organization for people with disabilities) submits a request to the authority to initiate proceedings against you (according to Section 32, Paras. 1 and 2 EAA [1]). This happens when a user cannot operate your website and initiates an official review.
The Inspection Process: What exactly does the authority look at?
When your website is reviewed, it doesn't happen "just somehow." Annex 1 of the EAA [1] prescribes a precise "surveillance method" and "sample" definition for the authority.
The authority reviews your website in a technology-neutral manner against the four principles of accessibility: perceivability, operability, comprehensibility, and robustness.
What is reviewed? (The Sample according to Annex 1 No. 2)
The authority selects a sample of pages that includes at least the following areas:
- The "Classics":
  - Homepage
  - Login page
  - Sitemap
  - Contact page
  - Help pages
  - Legal information (Imprint, Privacy Policy)
- Your Core Service:
  - At least one relevant page for each type of service. In e-commerce, this would be, for example, a category page, a product detail page, and the entire check-out process.
- The Mandatory Page:
  - The page containing your information on accessibility. (This information is mandatory according to Section 14, Para. 1 No. 2 EAA [1]. For details, see our Template for the Accessibility Statement according to EAA.)
- Randomness & Diversity:
  - Pages with significantly different layout or content.
  - At least 10% more, randomly selected pages.
The Procedure: What happens if deficiencies are found?
Here is the escalation process prescribed by the law in Section 29 (Substantive Defects) and Section 30 (Formal Defects) [1].
The two types of deficiencies
- Formal Non-Compliance (Section 30 EAA): This is essentially a "paperwork" error. For example, you lack the legally required information on how accessible your website is (which you need according to Section 14 in conjunction with Annex 3 EAA).
- Substantive Non-Compliance (Section 29 EAA): This is the "real" accessibility error. Your contact form is not operable via keyboard, font contrasts are too low, images lack alternative texts, etc.
The Escalation Stages
As you can see in the diagram, the process for both types of deficiencies is almost identical and is intended to give you a chance to improve:
- Stage 1 (Request): The authority finds a deficiency and sends you a notice. It states what is non-compliant, and you are given an "appropriate deadline" to remedy the deficiency (Section 29, Para. 1 / Section 30, Para. 1 EAA).
- Stage 2 (Threat): You let the deadline pass. The authority sends a second request, again with a deadline, but this time with the "threat of prohibition" (Section 29, Para. 2 / Section 30, Para. 3 EAA). This is the "last warning shot."
- Stage 3 (Measure): You also ignore the second deadline. Now it gets serious. The authority can take "the necessary measures" to remedy the non-compliance. Explicitly mentioned is the authorization to "discontinue the offering or the provision of the service" (Section 29, Para. 3 EAA). In plain terms: The authority can prohibit you from operating your website.
Here is the diagram of the procedure:
Flowchart: Process of Official Review and Escalation
This flowchart describes the step-by-step process followed by the market surveillance authority when reviewing a service under the EAA.
- The process begins at "Start: Official review (Random under § 28 or request under § 32)" (A).
- First decision: "Deficiencies found?" (B)
  - No: Leads to "Perfect! Procedure completed." (C, green).
  - Yes: Leads to "Deficiency identified (Whether formal § 30 or material § 29)" (D).
- Stage 1 (Request): "Request for correction (with reasonable deadline)" (F).
- Second decision: "Deadline expired?" (G)
  - No (deficiency corrected): Leads to "Perfect! Procedure completed." (C, green).
  - Yes (not corrected): Proceeds to Stage 2.
- Stage 2 (Warning): "Second request (with threat of prohibition)" (H).
- Third decision: "Deadline expired?" (I)
  - No (deficiency corrected): Leads to "Perfect! Procedure completed." (C, green).
  - Yes (not corrected): Proceeds to Stage 3.
- Stage 3 (Enforcement): "Enforcement action (e.g., prohibition of the website)" (J, red).
- After the enforcement action, an "Administrative fine procedure (§ 37) may run in parallel" (Z, red) can be initiated.
Risks: What looms during an inspection?
The prohibition of your website (Stage 3) is the "worst-case" scenario. Much more likely—and possible in parallel—is a fine.
An Applied Example: Inspection of barrierenlos.com
Let's look at the whole thing using a practical example, our website barrierenlos.com.
B2B or B2C? The "Consumer" Trap
Your first thought might be: "You are B2B, the EAA does not apply to you." Caution! The law applies to services "for consumers" (Section 1, Para. 3 EAA).
- Our Accessibility-Hub is read by everyone, including consumers.
- The EAA checklist can be downloaded by a consumer for their private project.
- A consumer could buy our Semanticality™ Plugin for their private website.
What would the authority review? (The Sample)
Based on Annex 1, a review of our website would likely look like this:
- The "Classics":
- The Mandatory Page:
  - Our accessibility statement (formal review according to § 30)
- Our Core Services (The Processes!):
  - Landing Page "EAA Checklist"
  - Landing Page "Accessibility Audit"
  - Landing Page "Semanticality Plugin"
- Randomness & Diversity:
  - One or two random blog articles (review of headings, contrasts, alt texts, etc.)
The Critical "Processes" (The Stumbling Blocks)
This is where it gets most exciting for us, because here the "Process Trap" (Annex 1 No. 2c EAA) takes effect. The authority reviews the entire path.
- Process 1: Checklist Download
  - The authority reviews not only the landing page, but the entire process:
    - Is the email form operable via keyboard?
    - Are the fields (label) correctly labeled?
    - Are error messages (e.g., "Invalid email") accessible?
    - Is the confirmation page / "Thank you" message accessible?
- Process 2: Audit Purchase (Stripe Link)
  - Here, "only" a link to Stripe is set. The authority checks whether this link is accessible (e.g., "Book Audit Now" instead of "click here").
  - The Stripe checkout page itself is tricky. It could be considered "third-party content" (Section 1, Para. 4 No. 4 EAA) that we do not control. However, it is more likely that Stripe, as a payment service provider, must itself be EAA compliant. Our responsibility largely ends behind the link here. Find out more in our article "Understanding Exceptions for Website Content".
- Process 3: Plugin Purchase (Freemius Pop-up)
  - This is our biggest risk. The Freemius checkout pop-up opens on our website. It is an integral part of our sales process.
  - The authority reviews this process completely:
    - Can the pop-up be opened and closed via keyboard?
    - Does the focus remain within the pop-up (focus management)?
    - Can all form fields, buttons, and price options in the pop-up be read and operated by a screen reader?
  - If this pop-up is not accessible, our "service" (sale of the plugin) is non-compliant. In this case, it is difficult for us to argue that it is "third-party content," since the pop-up appears on our page and is part of our sales process. The safest approach would be if Freemius itself offered an accessible version of the pop-up, or if we used a payment link, as with Stripe.
Conclusion
An official review is not rocket science, but a clearly regulated process. The authority must give you deadlines for remediation.
- Two Triggers: The review happens either randomly (sample) or because someone has complained.
- Clear Review Rules: The authority reviews according to the scheme in Annex 1 and tests all your core processes (e.g., the entire check-out).
- Deadline System: You get (at least) two chances for remediation before the operation of your website can be prohibited.
- High Fines: Regardless of the deadlines, an established non-compliance can be penalized as a regulatory offense with a fine.
The best protection is to not let it get that far in the first place. Ensure that your core processes and the "mandatory pages" (contact, imprint, etc.) are implemented cleanly and accessibly.
Frequently Asked Questions (FAQ)
Does the authority also review my app?
Yes. The EAA applies to "services in electronic commerce" that are offered via "webpages and applications on mobile devices" (Section 1, Para. 3 No. 5 EAA). The review process described here according to Section 28 and Annex 1 applies equally to your website and your native app.
Do I have to assist the authority in any way?
Yes. As a service provider, you have a duty to cooperate. Upon "justified request," you must provide the authority with all information it needs to verify compliance and cooperate with measures to establish compliance (Section 14, Para. 5 EAA).
What if I have invoked Section 17 (Disproportionate Burden)?
That is an important point. If the authority carries out a review, it will also examine your invocation of an exception. It then checks (according to Section 28, Para. 3 EAA):
- Whether you conducted the assessment at all.
- Whether your assessment (e.g., the cost-benefit analysis) is correct.
- Whether you comply with all other requirements (those not covered by the exception).
If your invocation of the exception is deemed unjustified, your website is considered "non-compliant," and the process from Section 29 (see diagram above) is triggered.
Disclaimer
This article is for informational purposes only and does not constitute legal advice. The representation of the review procedure is simplified. I assume no liability for the accuracy or completeness of the information presented here. Please consult a specialized lawyer for your specific situation.