Guide · 30 Jun 2026

EAA compliance checklist — four requirements, what each one means in practice

Most organisations have addressed one of the four EAA compliance requirements. The other three are where the gap lives. This checklist covers what each requirement means and what evidence you need to demonstrate it.

EAA compliance is not a single task. It has four distinct requirements, each of which must be met independently. Meeting one does not contribute to meeting the others. An organisation that has run an accessibility audit but has no governance process, no accessibility statement, and no documentary evidence of ongoing management has met approximately one quarter of what the EAA requires.

This checklist is structured around the four requirements. Use it to identify which you have addressed, which you have partially addressed, and which have not been started. The free assessment covers all four in detail.

Before using this checklist: EAA compliance applies to organisations that provide products or services to EU consumers. If you are not certain whether the EAA applies to your organisation, the free assessment is the right starting point. Applying the checklist to an organisation that is out of scope wastes resource. Assuming an organisation is out of scope without checking is a more common and more significant error.

Requirement 1 — Technical conformance with EN 301 549

EN 301 549 is the harmonised European accessibility standard. In practice it requires conformance with WCAG 2.1 at Level AA across your digital products and services. This is the requirement most organisations have at least begun to address.

Checklist — Technical conformance

What you need to be able to demonstrate

Your primary digital product has been assessed against WCAG 2.1 Level AA. The assessment was conducted by a qualified assessor, not an automated tool alone. Automated tools identify approximately 30–40% of accessibility barriers. A genuine conformance assessment includes manual review and assistive technology testing.

The assessment covered your most commercially critical user journeys: checkout, account creation, booking, payment, onboarding — whichever applies to your product. A homepage that passes technical testing is not a compliant product if the checkout is broken.

Known barriers have been documented. Either they have been remediated, or they are recorded as known barriers with a timeline for remediation. Ignoring findings is not an option. Documenting them with a remediation plan is.

The assessment has a date. Compliance is not a permanent state — it needs to be maintained. An assessment from two years ago is not evidence of current compliance.

  • Check

    Has your primary digital product been assessed against WCAG 2.1 Level AA by a qualified assessor?

  • Check

    Did the assessment include manual review and assistive technology testing, not only an automated scan?

  • Check

    Were your most critical user journeys tested — not only the homepage or marketing pages?

  • Common gap

    Most organisations have run an automated scan and consider this an EAA compliance audit. Automated tools find approximately 30–40% of accessibility barriers. The remaining 60–70% require human testing. An automated scan result is not a compliance position.

  • Common gap

    AI-assisted development tools produce non-compliant code by default. If your development team uses AI coding tools without an accessibility review step in the workflow, non-compliant features accumulate with every release. See the AIMAC benchmark findings.

Requirement 2 — A published accessibility statement

A published accessibility statement is a mandatory EAA requirement. It is not optional and it is not satisfied by a generic privacy-style statement. The EAA specifies what it must contain.

Checklist — Accessibility statement

What your statement must contain

A clear statement of conformance — whether your product is fully conformant, partially conformant, or non-conformant with EN 301 549. Most organisations are partially conformant. Claiming full conformance without evidence is a greater risk than accurately stating partial conformance with known exceptions documented.

A list of known exceptions — specific barriers that have not yet been remediated, with the reason and a timeline. "We are working on it" is not sufficient. Named barriers with named timelines are what the standard requires.

A feedback mechanism — a way for users to report accessibility barriers and request accessible alternatives. This must be a real mechanism that receives and responds to reports, not a form that disappears into a void.

Contact details for the responsible body — who is responsible for accessibility within the organisation, and how to reach them.

The date the statement was last reviewed. Statements that have not been reviewed since they were first published are a compliance risk — they claim a conformance position that may no longer be accurate.

  • Check

    Does your organisation have a published accessibility statement?

  • Check

    Does it reference EN 301 549 (not only WCAG or the old EU Web Accessibility Directive)?

  • Check

    Does it include a dated list of known exceptions with remediation timelines?

  • Check

    Does it include a working feedback mechanism?

  • Check

    Has it been reviewed within the last twelve months?

  • Common gap

    ComReg in Ireland requests the accessibility statement first in any complaint investigation. An absent or inadequate statement is the first signal that an organisation is not managing compliance actively. Most accessibility statements on Irish and European consumer websites were written for WCAG or the old Web Accessibility Directive — not the EAA.

Requirement 3 — Active governance

Technical conformance without governance regresses. Every product release, every new feature, every AI-assisted development cycle can introduce new accessibility barriers. The EAA requires active management of the compliance position — not a one-off audit.

Checklist — Governance

What active governance requires

A named owner for accessibility within the organisation. Someone whose role includes responsibility for maintaining the compliance position, reviewing the accessibility statement, and ensuring accessibility is considered in the product development process. This does not need to be a full-time role — but it needs to be a named responsibility, not a collective assumption.

A testing cadence. Accessibility is assessed on a schedule, not only when a complaint arrives or a new product launches. How frequently depends on how often the product changes. A product that releases weekly needs weekly accessibility review. A product that releases quarterly needs quarterly review.

A remediation workflow. When barriers are identified — whether through an audit, a user complaint, or a development review — there is a process for triaging, prioritising, and addressing them. Findings do not sit in a spreadsheet indefinitely.

Accessibility in the product development process. New features are reviewed for accessibility before release, not after. This is the only way to prevent the compliance position from degrading with every release cycle.

  • Check

    Is there a named owner for accessibility within your organisation?

  • Check

    Is there a defined testing cadence — scheduled accessibility review, not only reactive assessment?

  • Check

    Is there a remediation workflow — a process for triaging and addressing identified barriers?

  • Check

    Is accessibility reviewed before new features go to production?

  • Common gap

    Most EAA non-compliance is a governance failure, not a technical one. Organisations that have done accessibility work but have no named owner and no testing cadence are not in a compliant position. The technical work regresses without governance to maintain it. See the EAA governance guide.

Requirement 4 — Documentary evidence

The fourth requirement is the one most organisations have not considered at all. EAA compliance is not only about what you have done — it is about what you can demonstrate. If enforcement contact arrives, the question is not "are you compliant?" It is "what can you show?"

Checklist — Documentary evidence

What you need to be able to produce

Dated records of accessibility assessments. Who conducted them, when, what methodology was used, what was found. Internal assessments and external audits both count, but an external audit from a qualified assessor is stronger evidence of due diligence.

Remediation records. What barriers were identified, what actions were taken, when they were resolved. This does not need to be elaborate — a structured log in a shared document is sufficient. What it cannot be is absent.

Evidence of governance activity. Meeting notes where accessibility was discussed. Review records. Sign-off records showing accessibility was considered before a release. Named ownership. These documents demonstrate that compliance is being actively managed, not assumed.

In Ireland specifically, the due diligence defence under S.I. No. 636/2023 requires demonstrating that the organisation exercised due diligence to prevent the offence. This defence is only available to organisations that can produce evidence of active management. The evidence cannot be created retrospectively.

  • Check

    Do you have dated records of your most recent accessibility assessment?

  • Check

    Do you have records of what was found and what actions were taken?

  • Check

    Do you have evidence of governance activity — named ownership, review records, sign-off processes?

  • Common gap

    In Ireland, the due diligence defence against criminal prosecution requires evidence that cannot be created after the fact. An organisation that has done genuine accessibility work but has kept no records of it has no defence available to it. The records are as important as the work.

  • Common gap

    A documented compliance position is what the Complete Compliance Framework delivers. For organisations with significant compliance risk — particularly those in Ireland — having a dated, documented record of active management is the thing enforcement bodies actually look for.

What most organisations find when they use this checklist

Most organisations that go through this checklist find they have partially addressed Requirement 1 (technical conformance), have not adequately addressed Requirement 2 (accessibility statement), have not addressed Requirement 3 (governance) at all, and have not considered Requirement 4 (documentary evidence).

That is not a reason for alarm. It is a reason for a clear next step. The free assessment covers all four requirements in twenty minutes and identifies which of these gaps is most urgent for your specific organisation, market, and product.

A note on disproportionate burden. The EAA provides an exemption where compliance would impose a disproportionate burden on the organisation. This exemption is a safeguard with conditions, not an opt-out. Assuming it applies without conducting the required assessment is a compliance failure in itself. See the disproportionate burden guide for what qualifying actually requires.

Find out where your organisation stands

Our free initial assessment covers your current accessibility position, which of the four EAA compliance requirements you have addressed, and what a proportionate next step looks like.

Book your free assessment

Related guides

← Back to Insights