EAA SaaS Compliance: Which Web Apps Are in Scope and How to Conform

The EAA covers products and services placed on the EU market, and it deliberately follows the customer rather than your company's location. A US-based SaaS billing EU subscribers is just as in scope as a Berlin startup. The act lists specific service categories, and a large share of SaaS touches at least one of them:

• E-commerce and any product with a checkout — subscription sign-up, plan upgrades, and in-app purchases all count as e-commerce functionality.
• Banking, payments, and consumer finance — consumer-facing financial services carry stricter expectations.
• Telecoms and electronic communication features — chat, video, and messaging inside your app.
• E-books, ticketing, and access to audiovisual media services where your SaaS delivers them.

There is one genuine carve-out worth knowing precisely. Microenterprises that provide services, meaning fewer than 10 staff and under €2,000,000 annual turnover, are largely exempt for services. The conjunction matters: cross either threshold and the exemption is gone. Even while exempt, you will still face accessibility clauses in enterprise contracts and public-sector tenders, so treating conformance as optional is a short-lived strategy.

The EAA states outcomes, not line-by-line technical rules. The bridge to concrete requirements is the European harmonised standard EN 301 549, which for web content points to WCAG 2.2 Level A and AA. Conform to every applicable A and AA success criterion and you earn a presumption of conformity.

WCAG is organised around four principles, often abbreviated POUR: content must be Perceivable, Operable, Understandable, and Robust. For SaaS interfaces, a handful of criteria do the heaviest lifting. Colour contrast requires 4.5:1 for normal text and 3:1 for large text — 18pt or 14pt bold and above (WCAG 1.4.3) — and 3:1 for UI components and meaningful graphics (WCAG 1.4.11). That last clause catches a lot of modern SaaS design: a 2:1 grey icon button or a faint focus ring on a clean white dashboard fails even when your body text passes. Run your live product through the free AccessScan scanner to flag contrast and structural issues before a manual review.

Every SaaS user passes through auth, which makes it the worst place to have a barrier. WCAG 2.2 added Accessible Authentication (3.3.8, AA), which prohibits cognitive function tests, such as transcribing a distorted CAPTCHA or solving a puzzle, unless an accessible alternative exists. Allowing the browser or a password manager to paste into the password field satisfies the requirement, so do not block paste.

• Label every field with a real <label> or aria-label; placeholder text alone disappears on focus and fails for screen readers.
• Expose validation errors with aria-describedby tied to the input, not just a red border, which relies on colour alone.
• Make multi-factor flows keyboard-operable end to end, and never auto-advance focus between OTP digit boxes in a way that traps or skips for assistive tech.
• Keep a visible focus indicator on every interactive element (WCAG 2.4.7), including custom social-login buttons.

Our accessible forms guide and keyboard accessibility guide walk through the exact markup.

SaaS apps are full of asynchronous feedback: "Saved," "Payment failed," "3 records imported," toasts that fade after a few seconds. A sighted user sees these instantly. A screen-reader user hears nothing unless you mark them up correctly. This is WCAG 4.1.3 Status Messages (AA), one of the most commonly missed criteria in single-page apps.

The fix is an ARIA live region. Use role="status" (which maps to aria-live="polite") for confirmations and non-urgent updates, and role="alert" (aria-live="assertive") for errors that need immediate attention. The container must already exist in the DOM when the page loads; injecting a brand-new live-region node at the same moment you insert the text often means nothing is announced. Update the text content of the existing region instead. Avoid wrapping a whole results table in aria-live — announcing every cell on each filter change is far worse than silence.

Dashboards are where SaaS accessibility is won or lost, because they concentrate every hard pattern: data tables, charts, filters, drag-and-drop, and modals. Practical, high-impact moves:

• Use real semantic <table> markup with <th scope> headers, not a grid of <div>s, so screen readers can navigate rows and columns.
• Never encode meaning in colour alone (WCAG 1.4.1). A red-versus-green status pill needs a text label or icon too — colour-blind users and grayscale displays lose the distinction otherwise.
• Give charts a text alternative: a visually-hidden summary or an accessible data table behind a toggle. Decorative chart flourishes can take empty alt text.
• Ensure every control reachable by mouse is reachable by keyboard, including row-action menus, sortable column headers, and custom dropdowns.
• Respect prefers-reduced-motion for auto-refreshing widgets and animated transitions.

Test by unplugging your mouse and navigating a core workflow with Tab, Enter, and arrow keys, then repeat with VoiceOver or NVDA running. The gaps surface fast.

You do not need to fix everything at once. Sequence the work by user impact: auth first, then primary workflows, then settings and admin. Pair an automated scan, which reliably catches contrast, missing labels, and structural errors, with manual keyboard and screen-reader testing for the things tooling cannot judge.

Then document what you have done. The EAA expects an accessibility statement, and enterprise buyers will request one during procurement. Work through the accessibility checklist, generate a public statement with the accessibility statement generator, and if you are weighing overlapping regimes, our ADA vs WCAG vs EAA comparison clarifies how they relate. Penalties vary by member state and can reach tens of thousands of euros, but the stronger motivation is commercial: accessible SaaS clears procurement faster and serves more of the market.