Cascading EAA Compliance for IT Services

Q: How many documents does a cascade across 30-50 European clients produce?

Usually one per customer-service-line combination. A 40-client portfolio typically produces 50-80 documents the first time, then reduces to annual refresh cycles.

Q: Can one document cover multiple clients?

Technically yes if scope is broad enough, but most cascades ask for per-customer documents so each customer has their own scope statement, reference and date.

What cascading means operationally

A cascade is what happens when a regulatory obligation on a principal flows contractually down through the supply chain to every supplier whose work contributes to the regulated service. Under the European Accessibility Act, the regulated principal is typically the EU service provider delivering the end-user experience — a consumer bank, an insurer, a retailer, a public-sector body. Their accessibility obligation attaches to the whole service, including the components built by third parties.

Vendor management teams close the supply-chain gap by amending contracts. A typical cascade clause reads: “Supplier shall deliver a current accessibility statement conforming with Directive (EU) 2019/882, structured following the European harmonised model of Commission Implementing Decision (EU) 2018/1523 adapted to the scope of Directive (EU) 2019/882, for each service line in scope, refreshed at least annually.” That clause goes out to everyone. Tier-1 implementation partners, tier-2 offshore dev shops, tier-3 niche SaaS vendors. One clause, fifty vendors, one deliverable per vendor — that is the cascade.

Why it works the same as GDPR did

The cascade mechanism is identical to how GDPR Article 28 obligations flowed through the supply chain from 2018 onward. Every SaaS vendor, every managed service provider, every offshore development partner ended up with a data processor agreement in their contract inbox during that year. The EAA cascade uses the same legal mechanism — the contract amendment — and the same operational response: accept the clause, produce the document, maintain it, refresh it annually.

The compliance teams that ran the GDPR cascade in 2018 already know the shape. EAA-Report is the document that plugs into the shape.

What each document in the cascade must contain

EAA-Report generates a 9-page PDF per service line following the European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882, containing:

Cover page

Global compliance score, country-specific enforcement data, unique verification reference (EAA-XXXXXXXX).

Service owner identification, scope and evaluation method

Under the European harmonised model — Commission Implementing Decision (EU) 2018/1523.

3–4

Compliance status + criterion-by-criterion evaluation

All 17 WCAG 2.1 AA criteria with Yes / Partial / No / N/A across Perceivable, Operable, Understandable, Robust.

5–6

Official W3C remediation guidance

Per failed or partial criterion, extracted from “Understanding WCAG 2.1” — real fixes, not generic advice.

Non-accessible content declaration

Under Annex V, Directive 2019/882.

Feedback mechanism and enforcement procedure

Competent national authority for your service country, applicable national transposition law, exact fine range.

Legal basis

Directive (EU) 2019/882, the European harmonised model of Decision (EU) 2018/1523 (adapted to the scope of Directive 2019/882) and EN 301 549 V3.2.1.

Why cascades are moving fast this quarter

🇪🇸

Vueling — Spain, sentence Feb 2024

€90,000

Fine upheld by the Audiencia Nacional Contentious-Administrative Chamber Section 8 in February 2024 (sanction originally imposed October 2020), plus a six-month ban on concurring in proceedings for the granting of official aid.

🇪🇸

Endesa — Spain, 2018

€30,001

Fine after a CERMI complaint. CENTAC and OADI technical reports confirmed failure to meet WCAG Level AA.

🇫🇷

Auchan, Carrefour, E. Leclerc, Picard Surgelés — France, November 2025

Pending

Four supermarket giants summoned before the Tribunal Judiciaire de Paris on 12 November 2025 by ApiDV and Droit Pluriel.

🇺🇸

FTC vs accessiBe — April 2025

$1,000,000

Civil penalty for deceptive overlay claims, final consent order 22 April 2025 (Docket C-4817). Overlays are not a legal defence in the US or the EU.

“Free templates exist. Why pay €149?”

Alternative	Cost	What you actually get
Manual accessibility audit (BarrierBreak, Deque, Level Access)	€4,000 – €8,000	Thorough, 3-week lead time — right for third-party audit demands, overkill for cascade documentation
Annual SaaS compliance subscription	€500 – €2,000 / year	Recurring cost, US-focused format
Accessibility overlay (legally discredited)	€490 – €1,990 / year	Not a defence in US or EU. FTC penalised accessiBe $1M.
EAA-Report	€149, one-time	9-page PDF, 15 min, European harmonised model adapted to Directive 2019/882 — pack pricing for portfolios

Portfolio pricing for 10+ reports

For large European customer portfolios requiring 10, 20, 50 or more accessibility statements, we offer pack pricing with volume discounts. Tell us the size of your cascade and we'll reply within one business day.

Request Portfolio Pricing

One-business-day response · Direct quote by email · No sales call

Frequently asked questions

How many documents does a typical cascade across 30–50 European clients actually produce?

Usually one per customer-service-line combination. A customer running two distinct service lines in scope asks for two statements. A customer running one service line asks for one. A 40-client portfolio typically produces 50–80 documents the first time it is mapped, then reduces to annual refresh cycles for the same set.

Can one document cover multiple clients?

Technically yes, if the scope definition is broad enough to cover the shared service. Practically, most cascades ask for per-customer documents because each customer wants their own scope statement, their own reference, their own date, and their own file in their vendor folder.

How do we manage the annual refresh without re-running the full process every year?

Same as GDPR DPA refreshes — annually, aligned with your SOC 2 Type II cycle or ISO 27001 recertification. EAA-Report regeneration is 15 minutes per service line. For portfolios, we support pack refresh pricing — email hello@solidwaretools.com with the refresh volume.

Who signs off on each document internally — compliance, legal, engineering?

Usually compliance owns the document, engineering provides the WCAG criterion-level input, legal reviews the scope clause. EAA-Report structures the questionnaire so that the engineering input takes about 10 minutes per service line, not the multi-day back-and-forth a manual audit requires.

What if our cascade hits a service line we have not WCAG-tested yet?

The harmonised format allows for partial-conformance and non-conformance statements with a declared remediation roadmap. Honest declaration is the expected baseline, not full conformance from day one. Procurement teams accept partial-conformance statements with a credible plan; they reject statements that claim 100% conformance without evidence.

Is this document a certified third-party audit?

No. It is a structured self-assessment following the European harmonised model, generated from the data you provide under your own responsibility. It is the document your European customer’s cascade clause expects — not a third-party audit.

⚠️ Important notice: EAA-Report is a structured self-assessment tool, not legal advice and not an overlay. All enforcement cases cited are sourced from identified public documentation.

Cascading EAA Compliance Across an IT Services Portfolio: The Document Layer Your Cascade Needs

40 European clients in your portfolio? One report at a time is not a plan.