FinTech and financial services organisations often assume that existing regulatory compliance (PSD2, GDPR, DORA) provides a foundation for EAA readiness. In practice, accessibility is a distinct obligation with its own requirements, its own enforcement authorities, and its own evidence standards. The Barómetro de Accesibilidad Web 2025 found financial services among the worst-performing sectors for accessibility, with the highest full non-compliance rate of any sector surveyed.

The enforcement authority differs by market

One of the most important things for FinTech organisations to understand is that, in some markets, the EAA enforcement authority for financial services is not the same as the one for general e-commerce. Getting this wrong means engaging the wrong regulator, or worse, assuming you have no current exposure when you do.

Netherlands

For financial services organisations operating in the Netherlands, the enforcement authority is the AFM (Authority for Financial Markets), not the ACM which covers e-commerce and telecoms. The AFM has the same fine ceiling: up to 10% of annual turnover, with a maximum of €900,000. The Netherlands also requires proactive mandatory reporting of your compliance position, with documentation and a compliance declaration ready for the AFM on request.

Ireland

ComReg is the enforcement authority for digital financial communications services. Ireland has criminal sanctions: where a company commits an EAA offence, directors, managers and other officers can be held personally liable. For serious cases prosecuted in the higher courts, the penalty is a fine up to €60,000 and/or imprisonment up to 18 months. This applies to FinTech executives directly.

Sweden

PTS oversees digital financial services under the EAA in Sweden. Sweden has launched 28 supervisory investigations across multiple sectors. Digital banking apps, payment platforms, and investment portals are all in scope. The maximum fine is SEK 10,000,000 (approximately €900,000).

Germany

The BFSG covers digital financial services offered to German consumers. The private enforcement mechanism (Abmahnungen) applies: competitors and law firms can send legal demands without any regulator being involved. The Bundesnetzagentur can separately impose fines up to €100,000 for serious violations.

What financial services products are in scope

The EAA covers digital services and products offered to consumers. For FinTech and financial services, this includes:

  • Mobile banking applications and web banking portals
  • Payment services and digital wallets
  • Investment platforms and trading apps
  • Insurance product portals and quote engines
  • Lending and credit application platforms
  • Customer onboarding and identity verification flows
  • Account management and billing systems

B2B-only financial products used exclusively by other businesses rather than consumers may fall outside scope. However, many FinTech platforms have both business and consumer users, and the consumer-facing elements bring the whole product into scope for accessibility assessment purposes.

The intersection with other financial regulation

PSD2, DORA, and MiCA all create overlapping obligations for digital financial services. The EAA adds accessibility as a distinct layer. Unlike those regulations, EAA compliance is not primarily about data, security, or operational resilience: it is about whether the product actually works for users with disabilities. The two types of compliance are complementary but separate, and an organisation that is fully compliant with PSD2 may still have significant EAA exposure.

The accessibility statement is the starting point for enforcement. In Ireland, it is the first document ComReg requests. In the Netherlands, it forms part of the mandatory reporting declaration to the AFM. An organisation without a published accessibility statement starts any enforcement interaction at a disadvantage, regardless of how much technical work has been done on the product itself.

What EAA compliance requires

For a FinTech or financial services organisation, full EAA compliance requires four things: technical conformance against EN 301 549 (WCAG 2.1 Level AA), a published accessibility statement, active governance with a named owner and a regular testing rhythm, and documentary evidence of ongoing management. Most organisations we speak with have addressed at most one of the four.

Find out where your organisation stands

Our free initial assessment covers your sector-specific exposure, which of the four EAA requirements you have addressed, and what a proportionate next step looks like.
