WCAGpilot
Check a site
Sign in

Enforcement: what's actually happening

Statutory penalties exist on paper across the EU and EEA. Active enforcement runs in only a handful of countries. Sweden's DIGG issued 175 formal notices in 2025. Norway fined Helseplattformen NOK 50,000 a day in December 2025. The same week, the EFTA Court found Iceland in treaty infringement. Continental EU regulators do run cases, but since 2023 GDPR practice keeps respondent names off the public registers. EAA enforcement is still in its first market-surveillance cycle.

The honest picture

Three things hold simultaneously:

  • WAD applies across the EU-27 and the three EEA-EFTA states (Iceland, Liechtenstein and Norway); the EFTA Court has now confirmed this explicitly for Iceland. Switzerland and the UK are not bound by WAD but keep equivalent public-sector rules. Active enforcement clusters in four or five places: Sweden, Norway, Slovakia, France since 2024, and the EFTA Court for EEA states. The rest run ombudsman or advisory regimes with no public fines.
  • EAA has applied since 28 June 2025. Statutory penalty maxima are in place across all 27 Member States. The first market-surveillance cycle is still under way, so no public named EAA cases exist yet.
  • Continental EU registers anonymise respondent names from 2023 onwards as a GDPR practice. Cases from Italy, Slovakia, Malta and Slovenia after 2023 are happening, but the names stay off the public record.
For service providers: the statutory maxima (Germany's BFSG €100k, Slovakia's 3% of turnover, and the rest) are live from 28 June 2025. The shortage of named cases reflects the early stage of EAA enforcement and the continental anonymisation practice, not a soft regime.

WAD enforcement track record

Named or aggregated WAD enforcement actions on the public record from national regulators and courts.

EAA: the first cycle is in progress

Penalty maxima are set in all 27 Member States. The first market-surveillance cycle began on 28 June 2025. No named EAA enforcement actions are on the public record yet.

Why no named EAA cases exist yet

  1. Recency. The directive only applied from 28 June 2025. Compliance investigations and decisions typically lag 12 to 24 months, so the first wave of meaningful actions won't surface before mid-2026.
  2. Member State setup. Sector supervisors are still consolidating procedures and triage frameworks, especially in France, Italy, Ireland and the Netherlands, the four most fragmented regimes. Several countries transposed extremely late: Cyprus in May 2024, Bulgaria in April 2025, Croatia three weeks before application, and the Commission opened an infringement procedure against Greece in March 2025.
  3. Continental anonymisation. The pattern that already governs WAD enforcement in Italy, Slovakia, Malta and Slovenia carries over to EAA. Decisions are issued; respondent names stay off the public register as a data-protection practice.
What this means in practice: the statutory maxima (Germany €100k, Czechia around €200k, Slovakia 3% of turnover, and the rest) are not theoretical. They are enforceable from 28 June 2025. Waiting for the first big public case to gauge the regime is misreading it. EAA plus the market-surveillance framework under Regulation (EU) 2019/1020 creates pressure independently of named-and-shamed cases.

Per-country enforcement profile

Where enforcement is active, where regimes exist but cases stay anonymised, and where the framework is dormant.

Country WAD activity EAA penalty maximum Public visibility
Austria Pending
Belgium Pending
Bulgaria Pending
Croatia Pending
Cyprus Pending
Czech Republic Pending
Denmark Pending
Estonia Pending
Finland Pending
France Pending
Germany Pending
Greece Pending
Hungary Pending
Iceland Pending
Ireland Pending
Italy Pending
Latvia Pending
Liechtenstein Pending
Lithuania Pending
Luxembourg Pending
Malta Pending
Netherlands Pending
Norway Pending
Poland Pending
Portugal Pending
Romania Pending
Slovakia Pending
Slovenia Pending
Spain Pending
Sweden Pending

The GDPR-anonymisation pattern

Italy, Slovakia, Malta and Slovenia all run active enforcement frameworks and used to publish named cases. Since 2022 the practice across all four has flipped: respondent names stay off the public register.

Italy is the clearest illustration. Before 2022, the Difensore Civico per il Digitale (Digital Ombudsman) at AgID published named invitations to comply. Comune di Palermo (2018) and Comune di Pedara (2020) are the documented examples. From 2023, the same register publishes only anonymous decision numbers and outcome categories such as "Archiviazione per adempimento spontaneo" (archived for spontaneous compliance). The decisions exist; the names do not.

This is a deliberate data-protection position, not a gap in enforcement. The continental reading of GDPR holds that public-body respondent names, when individual officials are identifiable, can constitute personal data warranting redaction in administrative-decision publication. Anglo-Nordic regulators (uutilsynet in Norway, DIGG in Sweden) publish; continental regulators generally don't.

The practical consequence: the publicly available picture rests on aggregate figures (Sweden's 175 notices) and historical pre-2022 named cases (Palermo, Pedara). Post-2022 named continental cases are exceptions, not the norm.

Check your site against these requirements

Free WCAG audit aligned with EN 301 549 and your country's accessibility law. Takes under 30 seconds.

Run audit