Legal & Compliance Pathway
What in-house counsel and external advisors need to know about the EAA: the obligations, the documentation, the liability allocation, and the things that will land on your desk when something goes wrong.
Last reviewed: 2026-04-07
Operator obligations and the duty matrix
The EAA hands different obligations to different operators in the supply chain. Knowing which one your client is determines exactly what they have to prove.
What the law says
The EAA distinguishes between manufacturers (Article 7), importers (Article 9), distributors (Article 10), and service providers (Article 13). Each carries a different duty list. Manufacturers carry the heaviest load: design and produce in conformity with Annex I, draw up the technical documentation, run the conformity assessment, draw up the EU Declaration of Conformity, and affix the CE marking. Importers and distributors have verification duties — they have to check that the manufacturer has done its job before the product hits the EU market. Service providers have to design services to Annex I, prepare an Annex V accessibility statement, and respond when something is non-conformant. A single legal entity can be more than one operator at once. A company that imports a product, modifies it, and sells it under its own brand becomes the manufacturer for EAA purposes, no matter where the original manufacture happened.
What it means in practice
Start with a duty mapping for your client. For each product line and each service, work out which operator role applies. A SaaS company building its own product is a service provider, end of story. A retailer selling third-party hardware is a distributor. A company that builds its own hardware is a manufacturer. A reseller that white-labels someone else's software and ships it under their own brand becomes the manufacturer of that software for EAA purposes.
The duty mapping changes the documentation load dramatically. Manufacturers need a complete technical file under Annex IV, including design documentation, the conformity assessment, and a record of any harmonised standards used (typically EN 301 549). Distributors need to keep verification records for ten years and respond to authority requests. Service providers need the Annex V statement plus the evidence behind the conformity assessment.
For multi-role clients — the typical mid-size enterprise — produce one document that lists every product, every service, the operator role for each, and what documentation exists or still needs to exist. That document is your master compliance register. When the regulator asks for the technical file for product X, the register tells you whether one exists and where to find it.
Don't forget the contract chain. If your client integrates a non-conformant third-party component, the regulator will hold your client responsible for what they sell, regardless of what the upstream contract says. Indemnification clauses are useful, but they don't replace the obligation to assess and document the thing in the first place.
Common pitfalls
- Assuming the 'manufacturer' label only applies to physical goods. Software shipped under your client's brand makes them the manufacturer of that software too.
- Treating the supplier's CE marking as enough due diligence when your client is the importer or distributor. The duty to verify sits with the importer, not the supplier.
- Writing one set of policies for the whole organisation when different product lines have different operator roles. Each line needs its own conformity assessment and its own statement.
How to verify it
Walk through the master compliance register with the product team. For each line, confirm: operator role correct, technical documentation either complete or scheduled, conformity assessment current, accessibility statement published and accurate. Anything red on the register is an outstanding obligation. The Conformity Generator on this site produces an EU Declaration of Conformity in the Annex IV format and works well as a starting template for the technical file. The Statement Wizard handles the Annex V output. Both are starting points — the underlying technical evidence still needs to come from your engineering and QA teams.
AccessibilityRef tools that help
- Conformity Generator — EU Declaration of Conformity in Annex IV format
- Statement Wizard — Annex V accessibility statement, 7 languages
- Compliance Programme Template — organisational governance template
- Supply Chain Checklist — manufacturer/importer/distributor obligations
Disproportionate burden assessments under Article 14 / Annex VI
Article 14 is the only real escape hatch the EAA gives operators. It's narrow, it's technical, and it has to be reviewed at least every five years.
What the law says
Article 14 lets operators claim that a specific accessibility requirement would impose a disproportionate burden, and exempt themselves from that requirement. The exemption is granted on a per-requirement, per-product basis — never as a blanket 'we can't afford it'. The criteria sit in Annex VI: the ratio of compliance cost to the operator's net turnover and overall costs, the operator's estimated costs and benefits relative to the estimated benefit for people with disabilities, and the frequency and duration of use of the product or service. The assessment has to be documented and reviewed at least every five years, on receipt of a complaint, or any time the service is modified. The documentation has to be made available to the market surveillance authority on request. There's no formal pre-approval — the operator makes the assessment and has to live with it.
What it means in practice
Treat Annex VI assessments like patent claims. Every word matters. This is the document the regulator reads first the moment they push back on a non-conformance. If it's vague, generic, or boilerplate, the exemption fails and your client has been operating in non-compliance the whole time.
Write each assessment for one specific requirement against one specific product. Something like: 'WCAG 1.4.5 (Images of Text) is a disproportionate burden for the legacy product catalogue because the existing 47,000 product images would each require manual recreation at an estimated cost of €X, against an operator turnover of €Y, and the affected images are viewed an average of Z times per month.' That's the level of specificity Annex VI is asking for.
Keep the cost numbers honest. The regulator will compare them against industry benchmarks. Claim €100 per image to remediate when the going rate is €5 and the assessment falls apart. The Burden Calculator on this site walks through the Annex VI factors and gives you a structured estimate. Treat it as a starting point, not a final number.
Review each assessment when the facts change. If the operator's turnover doubles, the same compliance cost is no longer disproportionate. If new technology makes the remediation cheaper, the assessment needs revisiting. The five-year review is the absolute floor. The practical review is whenever the underlying numbers move.
Common pitfalls
- Treating the exemption as company-wide. It applies to specific requirements on specific products. Never to the operator as a whole.
- Citing 'small business' as the reason. There's no small-business exemption under Article 14 — that's a different mechanism (the microenterprise exemption under Article 4, services only).
- Writing the assessment once and never reviewing it. The regulator can request a current document at any time.
How to verify it
Pull a sample of assessments from the compliance register. For each one: is it about a specific requirement, does it cite the Annex VI factors, are the numbers current, is the next review date within five years? Any 'no' means the assessment is invalid and the operator is in non-compliance. When an assessment looks weak, the right response is usually to fix the underlying issue rather than patch the assessment. Article 14 isn't a permanent escape hatch — it's a transitional tolerance for cases that are genuinely impractical.
AccessibilityRef tools that help
- Disproportionate Burden Calculator — Annex VI factor-by-factor assessment
- Accessibility Debt Calculator — underlying cost estimates for the assessment
Vendor and supply-chain contract clauses
Every vendor contract is a potential compliance liability. The right clauses turn that liability into a managed risk.
What the law says
The EAA doesn't regulate contracts directly, but it does make the operator responsible for non-conformity in the products and services they place on the market. When the cause of non-conformance is a third-party component or service, the operator's recourse is contractual, not regulatory. If the contract doesn't address accessibility, the operator is carrying the risk on its own. The related Web Accessibility Directive (Directive 2016/2102) has been pushing accessibility clauses into public-sector procurement since 2018. A lot of those clause patterns are now standard in EU enterprise procurement and translate cleanly into private-sector EAA work.
What it means in practice
Add a standing accessibility clause to every supplier contract that touches a customer-facing product. The clause should require conformance with EN 301 549 (specify the version), provision of a current VPAT or ACR on request, notification of any known accessibility defects, remediation within an agreed SLA, and indemnification against regulatory enforcement arising from non-conformance of the supplied component.
For SaaS and services contracts, layer on a right to audit accessibility test results, a requirement that the supplier maintains an accessibility statement covering the supplied service, and a termination right if the supplier loses conformance and fails to remediate.
For procurement RFPs, accessibility belongs in the mandatory criteria, not the desirable ones. Vendors who can't meet WCAG 2.1 AA shouldn't get past the technical evaluation. The RFP Generator on this site produces a 12-point requirement set you can drop into any tender.
The Legal Pack on this site contains template contract clauses aligned with WCAG 2.2 and EN 301 549. Use them as starting points and tailor them to the deal — but don't ship a contract without an accessibility clause now that the EAA is in force.
Common pitfalls
- Accepting a vendor's VPAT at face value without checking the date or the WCAG version it claims against. A VPAT against WCAG 2.0 is not a WCAG 2.2 conformance claim.
- Burying the accessibility clause in 'general provisions' where the procurement team will never enforce it. Make it a numbered clause in the main body of the contract.
- Allowing 'commercially reasonable efforts' language. It gives the supplier an opt-out and your client no recourse.
How to verify it
Audit your existing contract templates for accessibility clauses. Any template missing one goes into the amendment queue. For active contracts that pre-date the EAA, the realistic move is to add an accessibility addendum at the next renewal. On the inbound side, check the supplier conformance documentation. Every active SaaS supplier should have a current VPAT or accessibility statement. If they don't, raise a compliance ticket against that supplier and ask for remediation.
AccessibilityRef tools that help
- Procurement Legal Pack — template contract clauses for WCAG 2.2 and EAA
- RFP Generator — 12-point accessibility requirement set for tenders
- VPAT/ACR Editor — for vendors that ask you to provide one
Enforcement, penalties, and complaint handling
Enforcement happens at national level and the variation is huge. Knowing the local procedure is the difference between a quiet remediation and a public investigation.
What the law says
EAA Article 30 says each member state has to designate one or more authorities responsible for market surveillance of products and conformity of services. Article 29 says member states have to set rules on penalties for non-compliance, and that those penalties have to be 'effective, proportionate and dissuasive'. The actual numbers and procedures are set by national law, not by the directive itself. Which means: a non-compliance in Germany gets handled by a different authority, with different penalty levels, and a different complaint procedure than the same non-compliance in Spain. Operators selling across the EU need to know all 27 procedures, or at least the ones covering their largest markets.
What it means in practice
Build a register of the national authorities for the markets your client operates in. The Authorities Directory on this site lists all 27 with contact details and links to the underlying national legislation. For each one, capture the authority name, the complaint procedure, typical response timescales, and the maximum penalty. That register becomes your operational reference the moment an enquiry lands.
When a complaint or enquiry comes in, treat it as a deadline-driven workflow. Acknowledge promptly. Investigate. Document the findings. Communicate the outcome. If remediation is needed, give a realistic timeline and then meet it. The thing that escalates an enquiry into a full investigation is almost never the original issue — it's the operator failing to respond properly.
For user-facing complaint handling, the accessibility statement needs to describe the procedure clearly. Users should know how to submit a complaint, what response time to expect, and how to escalate to the national authority if nothing happens.
The Fine Calculator on this site shows the maximum penalty per country — useful for risk modelling and for board reporting.
Keep an internal incident log. Every complaint, every regulator enquiry, every remediation deadline goes in with dates, status, and an owner. When the regulator comes back six months later to check progress, the log is your evidence.
Common pitfalls
- Treating an early-stage enquiry as harmless and ignoring it. Authorities often open with a soft enquiry that escalates the moment it gets ignored.
- Sending boilerplate responses that don't address the specific issue raised. The complainant feels ignored and escalates anyway.
- Missing the difference between fines (paid to the state) and remediation orders (forced fixes). Both are enforcement outcomes. Only one shows up on the balance sheet.
How to verify it
For each market the operator sells into, can you name the authority, the complaint procedure, and the maximum penalty? If not, the register is incomplete. For each enquiry in the last 12 months, can you show the acknowledgement, the investigation, and the outcome? If not, the workflow has gaps.
AccessibilityRef tools that help
- EU Authorities Directory — all 27 member-state authorities with contact details
- EAA Fine Calculator — maximum penalty by country
- EAA Fine Calculator Pro — all 27 countries with risk modelling
- Compliance Programme Template — incident log and complaint workflow templates
Important Legal Disclaimer
This tool is a self-assessment aid only and does not constitute legal advice or a formally certified compliance assessment. Outputs — including reports, scores, checklists, and accessibility statements — are for internal use and should be reviewed by a qualified legal representative or independent accessibility auditor before being relied upon for regulatory, procurement, or public-disclosure purposes. All assessment risk lies with the internal assessor. AccessibilityRef, its developers, and staff accept zero liability for losses arising from use of or reliance on these outputs. Always verify against official sources: the W3C WCAG 2.2 Recommendation, the European Accessibility Act (Directive 2019/882), and your national enforcement authority.