EAA Impact on Indian IT Services Exports

Q: We are an offshore IT services company in India. Does the EAA directly regulate us?

The directive directly regulates your European enterprise customer. You are the supplier whose deliverables form part of the regulated service, so your customer cascades the requirement to you through the MSA or DPA.

Q: We have 40+ European clients. How do we scale the documentation?

Pack pricing for portfolios of 10+ reports. Email hello@solidwaretools.com with the number of reports needed and we come back within one business day.

Why the directive reaches an Indian IT services exporter

Directive (EU) 2019/882 applies to services provided to consumers in the EU, regardless of where the service provider is headquartered. That includes services delivered by Indian IT firms on behalf of their European enterprise customers: banking portals, insurance claim platforms, telecom self-service, public-sector citizen services, e-commerce checkouts, e-learning platforms, hospital scheduling interfaces. If your Indian team writes the code that a European consumer uses, the directive attaches to the service the European customer provides, and your customer flows the requirement down to you through the MSA.

The enforcement structure is familiar to anyone who lived through GDPR. Each EU member state has its own competent authority and its own fine range under the national transposition. Spain, Germany, France, Italy, the Netherlands each with their own regulator. For Indian compliance teams, this is the same multi-jurisdictional mapping exercise that cost your legal team six weeks of work in 2018. EAA-Report includes the country-specific enforcement data for the five largest EU markets inside each 9-page PDF, so the mapping exercise happens once, not forty times.

The GDPR playbook still works, with three adjustments

The structural similarity with GDPR is real and your muscle memory is an asset. A cascade in 2018 looked like this: inventory the customer portfolio, identify who is regulated, draft the vendor response template, roll out across the portfolio, maintain and refresh. The EAA cascade looks identical. The three adjustments are:

Adjustment 1

Different legal basis

Directive (EU) 2019/882 instead of GDPR (Regulation (EU) 2016/679). Same shape, different citation. The cascade mechanism is identical.

Adjustment 2

Different document format

The European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882, defines the accessibility statement format. It is not a DPA, not SCCs, not a VPAT — it has its own structure.

Adjustment 3

Different technical standard

EN 301 549 V3.2.1 incorporating WCAG 2.1 Level AA, instead of GDPR technical organisational measures. Your WCAG knowledge from ADA work is portable.

Your team already knows how to run a cascade. EAA-Report is the document layer that plugs into the playbook you already built.

What’s in the 9-page PDF every service line needs

Cover page

Global compliance score, country-specific enforcement data, unique verification reference (EAA-XXXXXXXX).

Service owner identification, scope and evaluation method

Under the European harmonised model — Commission Implementing Decision (EU) 2018/1523.

3–4

Compliance status + criterion-by-criterion evaluation

All 17 WCAG 2.1 AA criteria with Yes / Partial / No / N/A across Perceivable, Operable, Understandable, Robust.

5–6

Official W3C remediation guidance

Per failed or partial criterion, extracted from “Understanding WCAG 2.1” — real fixes, not generic advice.

Non-accessible content declaration

Under Annex V, Directive 2019/882.

Feedback mechanism and enforcement procedure

Competent national authority for your service country, applicable national transposition law, exact fine range.

Legal basis

Directive (EU) 2019/882, the European harmonised model of Decision (EU) 2018/1523 (adapted to the scope of Directive 2019/882) and EN 301 549 V3.2.1.

Enforcement reality — why your European customers are asking this quarter

🇪🇸

Vueling — Spain, sentence Feb 2024

€90,000

Fine upheld by the Audiencia Nacional Contentious-Administrative Chamber Section 8 in February 2024 (sanction originally imposed October 2020), plus a six-month ban on concurring in proceedings for the granting of official aid.

🇪🇸

Endesa — Spain, 2018

€30,001

Fine after a CERMI complaint. CENTAC and OADI technical reports confirmed failure to meet WCAG Level AA.

🇫🇷

Auchan, Carrefour, E. Leclerc, Picard Surgelés — France, November 2025

Pending

Four supermarket giants summoned before the Tribunal Judiciaire de Paris on 12 November 2025 by ApiDV and Droit Pluriel.

🇺🇸

FTC vs accessiBe — April 2025

$1,000,000

Civil penalty for deceptive overlay claims, final consent order 22 April 2025 (Docket C-4817). Overlays are not a legal defence in the US or the EU.

“Free templates exist. Why pay €149?”

Alternative	Cost	What you actually get
Manual accessibility audit (BarrierBreak, Deque, Level Access)	€4,000 – €8,000	Thorough, 3-week lead time — right for third-party audit demands, overkill for cascade documentation
Annual SaaS compliance subscription	€500 – €2,000 / year	Recurring cost, US-focused format
Accessibility overlay (legally discredited)	€490 – €1,990 / year	Not a defence in US or EU. FTC penalised accessiBe $1M.
EAA-Report	€149, one-time	9-page PDF, 15 min, European harmonised model adapted to Directive 2019/882 — pack pricing for portfolios

Portfolio pricing for 10+ reports

For large European customer portfolios requiring 10, 20, 50 or more accessibility statements, we offer pack pricing with volume discounts. Tell us the size of your cascade and we'll reply within one business day.

Request Portfolio Pricing

One-business-day response · Direct quote by email · No sales call

Frequently asked questions

We’re an offshore IT services company in India. Does the EAA directly regulate us, or only our European client?

The directive directly regulates the service provider to the European consumer, which in most cases is your European enterprise customer — the bank, insurer, retailer or hospital group. You are not the primary obliged party. You are, however, the supplier whose deliverables form part of the regulated service, so your customer will cascade the requirement to you through the MSA or DPA. The practical deliverable is the same in either case.

How is this different from GDPR in operational terms?

Structurally very similar — multi-jurisdictional enforcement, cascading flow-down through contracts, national competent authorities. Technically different — the standard is EN 301 549 V3.2.1 (WCAG 2.1 AA) and the document format is the harmonised accessibility statement, not a DPA with SCCs. Your GDPR playbook applies; the document output is new.

We have 40+ European clients across multiple service lines. How do we scale the documentation?

For portfolios of 10+ reports we offer pack pricing — email hello@solidwaretools.com with the number of reports needed and a brief description of the service lines, and we come back within one business day with a quote. Many Indian IT services teams generate one report per regulated customer-service-line combination.

Does the EAA affect Indian IT companies that only serve internal enterprise clients, not consumers?

The directive’s direct services obligations target services provided to consumers, so pure B2B services not offered to the general public are outside the direct scope. But if your customer’s end product is consumer-facing and you build part of it, the flow-down reaches you regardless.

Is the 9-page PDF a certified third-party audit we can submit to a European regulator on our customer’s behalf?

No. It is a structured self-assessment following the European harmonised model of Commission Implementing Decision (EU) 2018/1523, adapted to the scope of Directive (EU) 2019/882, generated from the data you provide under your own responsibility. It is the documented self-assessment that the EAA framework expects every obliged service provider to have on file, and the document European procurement teams ask for during vendor onboarding.

Can we rely on BarrierBreak, Deque or another consultancy for this instead?

For enterprise-grade manual audits, yes — and if your European customer specifically demands an independent third-party audit, that is the right path. For the documented self-assessment that most flow-down clauses require, a specialist engagement is overkill for the portfolio-scale volume Indian IT services teams typically face. EAA-Report produces the same document layer at €149 per report with pack pricing for volume.

⚠️ Important notice: EAA-Report is a structured self-assessment tool, not legal advice and not an overlay. All enforcement cases cited are sourced from identified public documentation.

The European Accessibility Act and Indian IT Services Exports: The Playbook for the Next GDPR-Shaped Cascade

40 European clients in your portfolio? One report at a time is not a plan.