The €900,000 Accessibility Fine: Why the Netherlands Is Europe's Toughest EAA Enforcer
Giriprasad Patil·· 8 min read·Scary Stats
A compliance report request from the ACM — the Netherlands Authority for Consumers and Markets — is not a lawsuit. There is no plaintiff, no settlement negotiation, no attorney looking for a quick resolution. There is a government regulator with statutory authority to issue a **€900,000 fine**, a mandatory compliance form you should have filed months ago, and a deadline for your response.
The Netherlands has the highest EAA compliance penalty in Europe. Any business selling digital products or services to Dutch customers needs to understand exactly why — and what the ACM is actively doing in 2026.
## Why the Netherlands Has Europe's Highest EAA Fine
When the EU enacted Directive 2019/882 — the European Accessibility Act — it harmonised accessibility requirements across all 27 member states but left penalty structures to individual national legislatures. Most EU countries landed in the €50,000–€250,000 range. The Netherlands set its maximum at **€900,000 per serious violation, or 1–10% of annual turnover**, whichever figure is larger.
For a business generating €12 million in annual European revenue, the turnover-based calculation could reach €1.2 million — exceeding the nominal cap. For a €50 million-a-year platform, it could mean €5 million.
The EAA became enforceable on **June 28, 2025**, simultaneously across all 27 EU member states. All new digital products and services serving EU consumers were required to comply immediately. Existing products have a transition period until **June 28, 2030** — but that window comes with obligations that began the day enforcement started.
What separates the Netherlands from most other EU enforcement frameworks isn't only the fine ceiling. It's the **mandatory proactive reporting requirement** that took effect in October 2025. Companies offering in-scope digital services to Dutch consumers were required to file an accessibility compliance report with the ACM — unprompted, before receiving any complaint or inquiry. Businesses that missed this deadline have been flagged for priority enforcement review through mid-2026, according to ACM guidance published in late 2025.
In most EU jurisdictions, enforcement begins when a user complains. In the Netherlands, enforcement can begin when your name is absent from the compliance registry.
## What the EAA Actually Requires
The European Accessibility Act mandates conformance with **EN 301 549** — the European technical standard that incorporates WCAG 2.1 Level AA. For e-commerce businesses, SaaS platforms, and any company with a digital product or app, this translates directly to WCAG 2.1 AA requirements — the same standard referenced by US ADA guidance and UK Equality Act case law.
The EAA's scope follows your customers, not your servers. In-scope businesses include:
- Any company selling products or services to EU consumers, regardless of company headquarters
- E-commerce websites and mobile apps
- Online banking and financial services
- SaaS platforms with EU subscribers
- Booking and ticketing systems
- Digital media and streaming services
A US-based Shopify merchant shipping to Rotterdam must comply. A UK SaaS company with Amsterdam subscribers must comply. A Canadian fintech with German customers must comply. Post-Brexit status provides no exemption for UK companies with EU-facing services. The directive is territorial — it follows where your customers are, not where your company is incorporated.
## EAA Fines Across Europe: How Countries Compare
The Netherlands' position at the top of the fine schedule becomes clearer when viewed against the full European picture:
| Country | Max Fine | Enforcement Agency | Key Feature |
|---------|----------|------------------|-------------|
| **Netherlands** | **€900,000** or 1–10% turnover | ACM | Mandatory reporting since Oct 2025; priority audits in 2026 |
| Spain | €1,000,000 (very serious tier) | AEPD + sector regulators | Three-tier system: minor €30K–€90K, serious €90K–€300K, very serious up to €1M. Immediate penalties — no warning period. |
| Sweden | €1,000,000+ serious | PTS | Strong enforcement culture; high-fine jurisdiction |
| France | €250,000 (repeat violations) | ARCOM, ARCEP, DGCCRF | Formal notices issued to Carrefour, Auchan, and Leclerc in late 2025 |
| Germany | €100,000 per violation | Bundesnetzagentur + BFIT | Private Abmahnungen (competitor warning letters) started August 2025 |
| Italy | Up to 5% annual revenue | AgID | 90-day cure period before fine — most generous in EU |
| Belgium | €50,000–€200,000 | Various sector regulators | |
As of May 2026, no formal EAA fines have been publicly issued in any EU member state. But that absence reflects the early stage of enforcement mechanisms — not an absence of risk. France's ARCOM issued formal notices to three of the country's largest retailers in late 2025. Germany saw the first private Abmahnungen — competitor-initiated warning letters — in August 2025, just two months after enforcement began. The ACM has communicated directly that businesses which missed the October 2025 reporting deadline are in the enforcement priority queue.
The machinery is operational. It is simply warming up before it runs at full speed.
## What ACM's Enforcement Focus Looks Like in Practice
The Dutch ACM has published guidance making its enforcement priorities clear. It is targeting:
**1. Businesses that failed to submit the mandatory compliance report** by the October 2025 deadline. These companies are identifiable by their absence from the ACM's registry and represent the first enforcement wave.
**2. Companies with systematic, repeated violations** across core digital touchpoints — checkout flows, login portals, navigation, and account management areas where accessibility failures cause measurable harm to users with disabilities.
**3. High-traffic e-commerce platforms** serving Dutch consumers at scale, because consumer harm is proportionally larger and enforcement creates the most visible deterrence signal.
The ACM is not operating on a tip-by-tip complaint model. It is building a market-level view of EAA compliance and will use it to target companies with demonstrable, systemic failures. The €900,000 ceiling isn't meant as a penalty for a single missing alt attribute — it's the upper bound for companies that have ignored accessibility requirements across their entire digital surface.
That said, ACM guidance confirms that fines can apply to serious individual violations: inaccessible checkout flows, keyboard navigation that completely blocks users, or login processes that screen reader users cannot complete represent the category of violations that trigger serious-tier penalties even in isolation.
## Why Standard Scanning Tools Won't Satisfy ACM Auditors
Here's the challenge even well-intentioned businesses face: the most common accessibility scanners were designed for developer feedback loops, not regulatory compliance documentation.
Static HTML scanners — tools that parse your page's source code — can detect structural violations: missing alt attributes, skipped heading levels, unlabelled form fields in the original HTML. These are real issues. But an expanding proportion of web violations exist only in the **rendered page**, after JavaScript has executed, third-party widgets have loaded, and your CMS has assembled the final DOM that users actually interact with.
The violations ACM auditors observe — because they're loading your live, rendered site — include:
- Keyboard traps inside dynamically generated modal dialogs
- Unlabelled input fields in JavaScript-rendered checkout components
- ARIA misuse in React or Vue components that appear correct in source HTML but break in the live DOM
- Colour contrast failures that only appear in hover or focus states
- Marketing overlays and pop-ups that block screen reader navigation entirely
ADAGuard evaluates your site using a **full JavaScript-rendered browser session** — the same environment an auditor, a screen reader user, or an ACM investigator encounters. Covering approximately **78% of WCAG 2.2 AA violations** automatically across 23 check modules — 22 custom accessibility checkers plus axe-core — it identifies live-DOM violations that tools scanning only source HTML systematically miss. WAVE catches approximately 40% of WCAG violations; axe-core alone approximately 57%. The gap between those figures and 78% represents your actual regulatory exposure on the rendered site.
Authenticated scanning matters specifically for EAA compliance. Your checkout, login portal, and account management area are behind authentication barriers — and those are precisely the flows ACM auditors examine, because they're the highest-stakes user journeys for people with disabilities. A scanner that cannot authenticate will never see violations in those flows.
## What to Do When Your Scan Returns Violations
EAA violations divide into two remediation tracks. First: violations your platform or CMS may be able to address through configuration or template settings — no custom code required. Second: violations in custom JavaScript components, third-party widgets, or bespoke theme code that require a developer or vendor to fix.
For developer and vendor escalations, provide the **WCAG criterion number** from your scan report. Don't describe the symptom — name the criterion. "Your cart drawer fails WCAG 2.1.2 — No Keyboard Trap" is a precise, actionable ticket. Vendors with accessibility competency can act on criterion numbers directly and respond with specific remediation timelines, which is the kind of documented evidence the ACM will accept as part of a compliance posture.
Scan first. The report maps your actual violations — not the theoretical set of issues any website might have. What applies to your specific checkout configuration or account portal is distinct from what applies to your homepage.
## The 30-Second Fix
The ACM's October 2025 reporting deadline has passed. If your business operates in the Netherlands or serves Dutch consumers, your EAA compliance posture needs to be documentable now — not when an enforcement notice arrives.
Paste your URL at **[adaguard.io](https://www.adaguard.io)** — no signup required. You'll receive a full WCAG 2.2 AA compliance report across 23 check categories, covering the live-DOM violations that static tools don't reach. If your checkout flow, login portal, or account management area needs authenticated scanning, ADAGuard handles that too — testing the protected flows ACM auditors actually care about.
Know your exposure before the ACM's priority list does.
