How flow-down actually works under the EAA
When an EU bank, insurer, hospital group, university or government agency buys your SaaS, they remain accountable for the accessibility of the service they deliver to their consumers. If your product is embedded in their consumer-facing workflow — customer portal, patient scheduling, student registration, retail checkout — any accessibility failure in your interface becomes their regulatory problem. Their legal teams know this, and they close the gap through the contract.
The mechanism is identical to how SOC 2, GDPR, ISO 27001 and HIPAA BAAs cascade through the supply chain. The prime contractor (your customer) pushes a compliance requirement onto the sub-provider (you) via contract language, and collects evidence of conformance through a questionnaire or a document request. The EAA is the newest layer on that stack.
What the flow-down clause usually says
Three common patterns in contract amendments and DPAs from EU enterprise buyers:
Standalone accessibility clause
References Directive (EU) 2019/882 and requires the vendor to deliver an accessibility statement structured under the European harmonised model.
Vendor security questionnaire row
"Does your service conform with EN 301 549 V3.2.1 and can you provide a current accessibility statement?" The expected answer is a 9-page PDF attachment, not a yes/no.
MSA schedule with periodic re-attestation
Lists "applicable accessibility standards" including WCAG 2.1 Level AA as a binding conformance target, with periodic re-attestation aligned to SOC 2 cycles.
What the customer wants back is not a marketing paragraph. It's a structured self-assessment following the European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882, with the 17 applicable WCAG 2.1 AA criteria evaluated and the legal basis cited. EAA-Report produces that document in 15 minutes.
What's in the 9-page PDF your customer can file in their own compliance folder
Cover page
Global compliance score, country-specific enforcement data, unique verification reference (EAA-XXXXXXXX).
Service owner identification, scope and evaluation method
Under the European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882.
Compliance status by WCAG principle + criterion-by-criterion evaluation
All 17 WCAG 2.1 AA criteria with Yes / Partial / No / N/A across Perceivable, Operable, Understandable, Robust.
Official W3C remediation guidance
Per failed or partial criterion, extracted from "Understanding WCAG 2.1" — real fixes, not generic advice.
Non-accessible content declaration
Under Annex V, Directive 2019/882.
Feedback mechanism and enforcement procedure
Competent national authority for your service country, applicable national transposition law, exact fine range.
Legal basis
Directive (EU) 2019/882, the European harmonised model of Decision (EU) 2018/1523 (adapted to the scope of Directive 2019/882) and EN 301 549 V3.2.1.
It's not ADA, but your team already has the skills
If you've worked through ADA Title III exposure, Section 508 VPATs or a WCAG-tied customer audit, you already have most of what EAA-Report needs. The 17 applicable criteria are the same WCAG 2.1 AA criteria your engineers already test against. The difference is the wrapper: European legal basis, European harmonised format, European enforcement references. Your team doesn't need to re-learn accessibility — they need to re-package what they already know into a document the customer will accept.
Enforcement reality — why your customer is suddenly urgent about this
Fine upheld by the Audiencia Nacional Contentious-Administrative Chamber Section 8 in February 2024 (sanction originally imposed October 2020), plus a six-month ban on concurring in proceedings for the granting of official aid.
Fine after a CERMI complaint. CENTAC and OADI technical reports confirmed failure to meet WCAG Level AA.
Four supermarket giants summoned before the Tribunal Judiciaire de Paris on 12 November 2025 by ApiDV and Droit Pluriel over inaccessible online grocery services.
Civil penalty for deceptive overlay claims, final consent order 22 April 2025 (Docket C-4817). UsableNet documented 119 defendants with accessibility widgets sued in May 2025 alone. Overlays are not a legal defence in the US or the EU.
"Free templates exist. Why pay €149?"
Free generators produce one generic paragraph. Procurement teams processing flow-down clauses are specifically filtering for the harmonised format. They know what a generic template looks like, and they mark the questionnaire as insufficient. The 9-page PDF is the minimum viable deliverable.
| Alternative | Cost | What you actually get |
|---|---|---|
| Manual accessibility audit (Deque, Level Access) | €4,000 – €8,000 | Thorough, 3-week lead time |
| Annual SaaS compliance subscription | €500 – €2,000 / year | Recurring cost, US-focused format |
| Accessibility overlay (legally discredited) | €490 – €1,990 / year | Not a defence in US or EU. FTC penalised accessiBe $1M. |
| EAA-Report | €149, one-time | 9-page PDF, 15 min, European harmonised model adapted to Directive 2019/882, yours forever |
Need multiple reports? One PDF per product, per customer, per country.
SaaS compliance teams often need reports per product line, per EU market or per enterprise customer. We offer volume pricing on packs of 10 or more. Tell us how many you need and we'll send a quote within one business day.
Request Volume PricingFrequently asked questions
Does the European Accessibility Act directly regulate my B2B SaaS company?
My customer sent me a DPA amendment referencing Directive (EU) 2019/882. What do I actually have to return?
We already published a VPAT on our trust center. Why isn't that enough?
Do we need a different PDF for each EU country?
Will a one-paragraph accessibility statement copied from a free template satisfy a flow-down clause?
Is EAA-Report a certified third-party audit for my customer's records?
⚠️ Important notice: EAA-Report is a structured self-assessment tool, not legal advice and not an overlay. All enforcement cases cited are sourced from identified public documentation.