Editorial Board
—
29 June 2026
One Year of the European Accessibility Act: What the Enforcement Looks Like
The picture is not one of sweeping crackdowns or overnight transformations. It is something more instructive: a set of real cases that show exactly how the law operates and what it takes to navigate it well.

Introduction
This Privacy Notice aims to clearly and transparently explain which personal data we collect when you visit our website, why we collect it, how we use it, and what Your rights are.
We process your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws. We are committed to ensuring that all processing activities are carried out in accordance with the principles of lawfulness, fairness, transparency, data minimization, integrity, and confidentiality.
Specifically, in this notice you will find information about:
-
which data we collect about you and for what purposes;
-
the legal bases on which we process such data;
-
who we may share your data with;
-
how long we retain your data;
-
your rights and how to exercise them.
While we sometimes need Your data for example, to respond to your requests or improve our website), we do so with respect, care and only when truly necessary.
Our Privacy Promises
-
We deeply value your privacy, and for this reason, we guarantee that:
-
We treat your data as if it were our own.
-
We use your data only for the purposes outlined in this notice.
-
We retain your data only for as long as strictly necessary.
-
We do not share your data with third parties without a valid legal basis or your explicit consent.
1. Who Processes Your Personal Data
The Data Controller — that is, the entity that determines the purposes and means of the processing of Your personal data — is AccessiWay S.a.S., with registered office at 7 Rue du Général Henrion Bertier, 92200 Neuilly-sur-Sein registered with the Nanterre Trade and Companies Register under number 914 022 595.
AccessiWay is part of the team.blue group and, in certain cases, acts as joint controller together with team.blue NV, with registered office at Skaldenstraat 121, 9042 Ghent, Belgium. In this context, Your personal data may be shared within the group for statistical, administrative, operational, and service improvement purposes.
AccessiWay and team.blue have defined their respective roles and responsibilities under a joint controllership agreement pursuant to Article 26 of the GDPR, ensuring full compliance with data protection regulations.
For more information regarding joint controllership or to exercise Your rights, you may contact AccessiWay via email at the following email addresses:
📧 legal.fr@accessiway.com or info@accessiway.com.
2. Who This Privacy Notice Applies To
This notice applies to:
-
users who browse the website www.accessiway.com,
-
individuals who contact us through the form available on the website or via email;
-
users who interact with tools we have implemented (e.g. widgets, cookies);
-
individuals who, through the website or other channels, access external platforms or third-party entities through which they may submit a job application (e.g. recruiting portals or employment agencies).
-
In such cases, the privacy notices of the third parties involved — independent from AccessiWay — also apply.
3. What Data We Process
To manage your interaction with our website, we may process the following categories of personal data:
-
Identification and contact details such as name, surname, company, job title, email address, and phone number.
-
These data may be partially processed through our customer relationship management (CRM) system.
-
Data relating to your interaction with our services such as information collected via the website or through Hubspot, such as communication history, preferences, requests, and commercial or technical notes.
-
Technical data such as IP address, device type, operating system, browser, access times, and other data automatically recorded by our systems or servers.
-
Browsing data and preferences such as collected via cookies or similar technologies, in accordance with the choices expressed through the cookie consent banner.
-
Application data such as personal information included in your CV or other documents submitted through third-party platforms (e.g. professional experience, education, contact details).
-
These data are processed by AccessiWay only after being transmitted by the third party, which remains autonomous in the initial processing.
4. Purposes and Legal Basis of Processing
We process Your personal data in compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection laws. Your data may be processed for the following purposes:
-
Technical operation of the website
We process technical data, using technical cookies and similar tools, to allow You to access the site, view it correctly, and ensure it functions properly (e.g. browsing, content loading, storing preferences).
📌Legal basis: this processing is necessary to provide a service requested by the user, pursuant to Article 6(1)(b) of the GDPR. Your consent is not required for these cookies.
-
Handling contact or support requests
When you send us a request — via the contact form or by email — we process your data to respond and provide the information requested.
📌 Legal basis: this processing is necessary to take steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
-
Compliance with legal obligations
In certain cases, we may need to process your data to comply with legal obligations, such as tax, accounting, or IT security requirements.
📌 Legal basis: this processing is based on compliance with a legal obligation, pursuant to Article 6(1)(c) of the GDPR.
-
Statistical analysis and website improvement
We use analytical tools (e.g. analytical cookies) to collect aggregated data in order to understand how the website is used and to improve its content and functionality.
📌 Legal basis: we process this data only with your freely given and specific consent, pursuant to Article 6(1)(a) of the GDPR.
-
Marketing and Profiling
If you authorize us to do so, we may use your data to send you promotional communications or provide personalized content (e.g. through profiling cookies).
📌 Legal basis: this processing is carried out only with your explicit consent, pursuant to Article 6(1)(a) of the GDPR. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
-
Management of job applications through third parties
We may receive job applications via third-party platforms (e.g. job portals) or through recruitment agencies. In such cases, we process the submitted data to assess your suitability for the proposed role.
📌 Legal basis: this processing is necessary to take steps at your request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
Note: the privacy policies of the third-party platforms or agencies involved also apply, independently of AccessiWay.
5. Cookies and Tracking Tools
This website uses a cookie management system provided by iubenda, which allows you to:
-
view a full and transparent list of the cookies in use;
-
modify or withdraw your consent at any time;
-
access the complete Cookie Policy, integrated in the cookie widget.
You can manage your preferences by clicking on the cookie widget icon located at the bottom left corner of every page on the site.
Technical cookies are necessary and therefore enabled by default. Other non-essential cookies (analytical, profiling) are only enabled with your consent.
For more information, please refer to the full Cookie Policy accessible from the cookie widget.
6. Use of accessWidget
This website integrates accessWidget, an automated accessibility tool developed by accessiBe Ltd. and distributed by AccessiWay. The widget allows users to personalize their browsing experience based on their needs.
When the user activates the widget, their IP address is technically transmitted, but:
-
it is not stored, tracked, or associated with identifiable individuals;
-
it is anonymized via a proxy located in the European Union;
-
it is not used for profiling or marketing purposes.
📌 Legal basis: provision of a service requested by the user (Article 6(1)(b) of the GDPR).
7. Data Security
We adopt appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of the personal data we process. These measures are designed to prevent unauthorized access, loss, disclosure, or alteration of your data. In particular, we implement:
-
secure connections via HTTPS (SSL/TLS);
-
authentication systems and access control;
-
access limitation and internal access tracking mechanisms;
-
regular audits and verification procedures;
-
continuous updates to systems and security measures according to the level of risk.
8. Data Retention
Your personal data is stored only for the time strictly necessary to achieve the purposes for which it was collected. Specifically:
-
Contact data: up to 10 years if relevant for contractual or legal purposes;
-
Technical and browsing data: according to what is outlined in the Cookie Policy;
-
Marketing data: until consent is withdrawn.
9. Your Rights (Data Subject Rights)
As a data subject, you may exercise the rights provided under Articles 15–22 of the GDPR at any time. In particular, you have the right to:
-
Obtain confirmation as to whether or not your personal data is being processed and access such data (right of access);
-
Request the rectification of inaccurate personal data or the completion of incomplete data (right to rectification);
-
Request the erasure of your data, if the conditions set out in the GDPR are met (right to erasure);
-
Obtain restriction of processing where applicable (right to restriction);
-
Object to the processing of your data, in whole or in part, under certain circumstances (right to object);
-
Receive your data in a structured, commonly used, and machine-readable format, and, where technically feasible, have it transmitted directly to another controller (right to data portability);
-
Withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
📧 You can exercise Your rights at any time by contacting us at: legal.fr@accessiway.com.
🔗 If you are located in France and believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) via the website: www.cnil.fr.
*If you have difficulty accessing our form, please feel free to contact us. Send an e-mail to info@accessiway.com
The European Accessibility Act came into force on June 28, 2025. It was the most significant piece of digital accessibility legislation in European history, extending binding obligations to private sector products and services across every EU member state, for the first time.
Twelve months on, we have a factual record of what enforcement looks like in practice.
Here is what has happened in Europe, country by country.
Norway: A fine with no ceiling
Norway is not an EU member, but it is fully bound by the EAA through the EEA Agreement. And its enforcement story is among the most significant signals for the region as a whole.
After the EAA deadline, the Authority for Universal Design of ICT (Tilsynet for universell utforming av IKT) inspected HelsaMi, a patient portal used by approximately 425,000 residents in central Norway to access medical records, view test results, manage appointments, and communicate with healthcare providers.
The inspection found 119 accessibility errors across 12 of 14 legal requirements. A formal remediation order was issued with a deadline. When it passed, 64 issues remained unresolved.
The authority's decision: fix the outstanding problems by December 19th, 2025, or pay NOK 50,000 per day (approximately €4,500 per day) until every issue is corrected. There is no cap on the total. The fine accumulates every single day until full remediation is confirmed. Depending on the pace of remediation, total exposure could reach hundreds of thousands of euros.
Several EU member states are now examining this escalating daily penalty model as a template for their own enforcement frameworks.
Source: Tilsynet for universell utforming av IKT
Sweden and the Netherlands: Regulators who come to you
These two cases matter most for businesses operating at scale, because they signal a structural shift in enforcement logic.
In Sweden, the Post and Telecom Authority (PTS) launched its first regulatory cases in October 2025, targeting large e-commerce operators. Not because a complaint had been filed, but because the PTS had designed a structured programme to select businesses and audit them proactively. In the Netherlands, the Authority for Consumers and Markets (ACM) set an October 15th, 2025 deadline for non-conformance reports from companies in covered sectors. Those who submitted incomplete reports were flagged for priority audits in early 2026.
The message from both countries is the same: you do not need to be reported on to be found. Regulators are building systematic surveillance programmes. Being below the radar is not a compliance strategy.
Sources: Swedish PTS · Dutch ACM
Austria: What the gap between "fixed" and verified looks like
Austria's case is one of the most instructive for any organization currently working through remediation.
A company in the gambling sector* had previously worked with Accessiway on an accessibility audit. When the EAA deadline arrived, they had held off on re-auditing: their platform was under continuous development, making it difficult to pin down a stable baseline to work from.
Shortly after the June 2025 deadline, they received a formal letter from the Austrian Ministry of Social Affairs, asking what they had done on accessibility, what barriers remained, and what their roadmap looked like. Their response was not considered sufficient. The Ministry issued a defined list of requirements with a deadline of the end of Q1 2026.
The company came back to Accessiway to update their Accessibility Conformance Report. They believed they had addressed everything on the Ministry's list. When we ran the audit, there were still many open points.
This is one of the most consistent patterns we see: the gap between what a team believes has been fixed and what independent verification confirms. It is not a failure of intent. It is a structural feature of how accessibility remediation works and it is precisely what structured, expert-led auditing exists to close.
The company was not fined, but the time and resources spent managing the Ministry's process would have been avoided entirely with a timely independent re-audit in place.
*The company’s name is not disclosed, being Accessiway client with an accessibility project currently going on.
France: The first court cases in the EU
Just days after the June 2025 deadline, two disability rights organizations, ApiDV and Droit Pluriel, joined forces with the legal collective Intérêt à Agir to test four major grocery retailers: Auchan, Carrefour, E.Leclerc, and Picard. They recruited blind and low-vision users to attempt one task: to do their weekly shopping online.
The results were unambiguous. On every platform tested, core functions were broken for screen reader users: product listings, checkout, delivery slot selection, cart management, and price information. Formal legal notices went out on July 7th, 2025. The retailers were given until September 1st to comply. When no meaningful action followed, injunctions were filed before multiple regional courts.
On June 4th, 2026, the Tribunal judiciaire de Caen ruled against Carrefour. Six months to reach full RGAA compliance, a €500 daily penalty for non-compliance, and €10,000 in damages. Carrefour's defence, a claimed 71% compliance rate, was rejected outright. The court was clear: an e-commerce platform "cannot be only somewhat accessible, it must be fully accessible."
Accessibility is an obligation of result, not of effort.
This is the first court decision against a private company under the EAA framework in the European Union. France has demonstrated it is fully prepared to litigate.
Germany: A new authority, and a private enforcement mechanism that changes the stakes
Germany's enforcement infrastructure took longer to establish, but it is now fully operational.
All 16 federal states agreed to create a single joint authority by state treaty: the MLBF (Marktüberwachungsstelle der Länder für die Barrierefreiheit von Produkten und Dienstleistungen), based in Magdeburg. It formally began operations on September 26th, 2025 and published its Market Surveillance Strategy in January 2026, a documented framework defining its inspection priorities, risk-based approach, and how it selects organizations to investigate. Penalties for non-compliance reach €100,000 per violation.
The MLBF works both reactively, responding to complaints from consumers or businesses, and proactively, running sector-based audits on its own initiative. Being unreported is not the same as being safe.
But the enforcement dynamic that makes Germany genuinely distinct has nothing to do with the MLBF. Under the German Unfair Competition Act (UWG), accessibility obligations under the BFSG are classified as market conduct rules. A competitor whose website is accessible can argue that yours is not and that your non-compliance gives you an unfair cost advantage, because you saved money they invested in getting compliant.
They can then send you an Abmahnung: a formal cease-and-desist letter demanding remediation, a signed commitment, and often covering their legal costs, with no regulator involved at any stage.
This mechanism is well-established in German copyright and trademark law. It is now being applied to accessibility for the first time. It is fast; an Abmahnung can arrive very shortly after a violation is identified. Consumer protection associations can use it, not only direct competitors.
Source: mlbf-barrierefrei.de, UWG
Italy: The enforcement chain is complete
Italy's transposition, D.lgs. 82/2022, entered into force on June 28th, 2025. What came next was a deliberate, phased construction of the full enforcement infrastructure.
March 4th, 2026: AgID published its official Guidelines, giving the legal basis for penalties concrete operational meaning.
March 11th, 2026: AgID launched a public complaints platform, opening enforcement to anyone, not just regulators. A screen reader user who cannot complete a checkout. A blind customer who cannot read their bank statement. Anyone can now initiate a formal process.
May 15th, 2026: A new market surveillance regulation defined AgID's sanctioning powers: fines of up to €40,000 for violations.
Guidelines, complaints mechanism, sanctioning powers. The chain is complete.
Source: https://www.agid.gov.it/it
Twelve months in: what the pattern shows
Across all six markets, three things stand out consistently.
Enforcement reaches you even without a complaint. Sweden and the Netherlands are running proactive inspection programmes. Germany's MLBF has a published surveillance strategy. Italy's complaints platform opens the process to any member of the public. Waiting to be reported is not a risk mitigation strategy.
The gap between remediation and verification is real. Teams that have worked hard on accessibility fixes routinely discover, when an independent audit is run, that genuine gaps remain. It is the structural reason independent verification exists.
Documentation is part of what regulators assess. What the Austrian case shows clearly is that regulators want to see evidence of a structured approach. An Accessibility Conformance Report is not only a compliance deliverable. It is a record of good faith that becomes material the moment a regulator or court gets involved.
How Accessiway supports organizations navigating this landscape
The Accessiway Platform was built for exactly this environment.
It runs structured, expert-led audits and provides Accessibility Conformance Reports that give you the documented, independent baseline regulators look for. It supports continuous monitoring, so your compliance status reflects the platform you have today. And it gives your teams a structured way to manage and track remediation, so the gap between "we believe we've fixed it" and "we can demonstrate we've fixed it" stays closed.
The cases above are not stories of organizations that ignored accessibility entirely. Several had done genuine work. What they lacked was verified, documented, and continuously maintained compliance, and that is exactly where exposure lives when enforcement arrives.
Want to understand where your digital estate stands today?

Paolo Berro
How Italy, France, Austria and Germany have adopted the European Accessibility Act and what's changed with its entry into force
Legislation
.jpg)
Cecilia Pirchio
Italy's AGID has published a new regulation formalizing how digital accessibility violations are investigated and sanctioned under Law 4/2004 and D.Lgs. 82/2022. Here's what organizations need to know.
Legislation

Editorial Board
Analysis of FTSE 100 consumer-facing websites finds widespread barriers affecting everyday digital journeys, from shopping and banking to travel and insurance
News