BFSG Germany — what the Abmahnung wave means for your business

The Barrierefreiheitsstärkungsgesetz (BFSG) — Germany's implementation of the European Accessibility Act — came into force on 28 June 2025. Within weeks, the first private warning letters (Abmahnungen) began arriving at businesses with consumer-facing digital products and services.

Which businesses the BFSG covers

The BFSG applies to any business providing consumer-facing digital products or services in Germany. This includes e-commerce, SaaS platforms, banking and financial services apps, booking and travel portals, digital customer portals, and telecommunications services. The law is not limited to e-commerce — any B2C digital touchpoint is in scope.

Microenterprises (fewer than 10 employees and annual turnover or balance sheet total not exceeding €2 million) are exempt. All other businesses with German consumer exposure are covered.

What an Abmahnung is

An Abmahnung is not a notification. It is a demand. Under German competition law (UWG), any competitor or law firm can send an Abmahnung when they identify a legal violation — no regulator needs to be involved.

An Abmahnung demands:

• Immediate cessation of the alleged violation
• A signed declaration of future compliance — with a contractual penalty clause if breached again
• Reimbursement of the sender's legal costs — typically €1,000–3,000 per letter

Ignore it and the case goes to court. It is a self-funding private enforcement mechanism, and the exposure is live regardless of whether you have heard from the Bundesnetzagentur or any other regulatory authority.

The enforcement timeline

The first Abmahnungen arrived within six weeks of the BFSG taking effect. By the end of 2025, letters were arriving across Germany in steady numbers, and the volume intensified through Q1 2026. A second wave of letters — from different law firms, with attached accessibility audit reports — is now emerging and is more legally substantive than the early letters.

The market surveillance authority (MLBF) entered its active enforcement phase in January 2026. Formal enforcement decisions are expected in Q2 2026. The European Commission has had an open infringement procedure against Germany over BFSG implementation gaps since 2022; the mid-May 2026 deadline for Germany to respond has now passed, with ECJ referral the next step if unresolved.

The pressure is increasing, not easing.

What the Bundesnetzagentur can impose

Separately from any Abmahnung, the Bundesnetzagentur (Federal Network Agency) can impose fines of up to €100,000 for serious or repeated BFSG violations. This is entirely independent of the private enforcement track. A business can face both simultaneously.

What is coming in Q3 and Q4 2026

The Abmahnung risk is increasing, not stabilising. Industry analysts and specialist law firms are predicting the systematic deployment of automated scanning tools from Q3 2026 onwards, enabling law firms and competitors to identify accessibility violations at scale across thousands of websites simultaneously. Organisations that have not addressed accessibility before that point face a significantly higher probability of receiving a warning letter.

The pattern mirrors what happened with cookie consent enforcement: early letters were legally thin and easily challenged, but the volume and legal quality increased steadily as law firms refined their approach. BFSG is following the same trajectory. The window for addressing compliance proactively, before automated scanning begins in earnest, is narrowing.

The cookie consent parallel

The pattern is familiar to anyone who watched cookie consent enforcement unfold. Law firms moved first there too — sending Abmahnungen for missing cookie banners before regulators had issued a single fine. By the time regulatory cases arrived, the market had already been reshaped: businesses had paid legal costs, signed compliance declarations, and updated their sites. The mechanism is identical here, and the same law firms are already using it.

A nuance worth knowing

Specialist firms including Heuking assessed the early BFSG letters as legally weak — blanket allegations without specific evidence of which functions were inaccessible. But legally weak does not mean cost-free. Recipients still have to engage a lawyer to respond, and the compliance declaration carries its own contractual penalty clause if later breached. And the second wave of letters, with attached audit reports, is more substantive.

What compliance requires

BFSG compliance requires the same four things as EAA compliance generally: technical conformance against EN 301 549 (WCAG 2.1 AA in practice), a published accessibility statement, active governance, and documentary evidence of ongoing management. The accessibility statement is frequently the first document requested in any formal enforcement action.