TL;DR: The European Accessibility Act requires covered products and services to meet accessibility requirements by June 28, 2025, and OneTrust says its consent and DSAR interfaces are being updated to align with WCAG 2.2 guidance, according to OneTrust. Accessibility is now a governance, design, and evidence problem, not a late-stage legal review.
NHIMG editorial — based on content published by OneTrust: Understanding the European Accessibility Act and WCAG 2.2
By the numbers:
- Businesses offering those products and services need to align with the EAA's requirements by June 28, 2025.
Questions worth separating out
Q: How should organisations prepare digital journeys for EAA compliance?
A: Start with the workflows users must complete to exercise rights or access regulated services, such as consent, preference management, login, and DSAR portals.
Q: Why do accessibility requirements matter to privacy and identity teams?
A: Because privacy and identity controls are often delivered through user interfaces.
Q: What do organisations get wrong when they treat WCAG as a web design checklist?
A: They often check static pages while ignoring live workflows.
Practitioner guidance
- Map regulated customer journeys Identify every consent, preference, login, and DSAR flow that falls under the EAA and assign an accountable owner for each journey.
- Test accessibility at the interaction layer Validate keyboard navigation, touch target size, focus order, and assistive-technology compatibility in end-to-end workflows, not just on template pages.
- Preserve compliance evidence Retain VPATs, accessibility test results, exception assessments, and remediation records in a single audit trail so you can show how each covered service meets the EAA and WCAG expectations over time.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Updated VPAT approach and how OneTrust is documenting accessibility alignment for covered products.
- Product-specific notes on consent, preference, and DSAR interfaces that the article says are being updated.
- The article's discussion of EAA scope, exceptions, and enforcement assumptions for service providers.
- The WCAG 2.2 capability changes OneTrust highlights for customers planning remediation work.
👉 Read OneTrust's explanation of EAA and WCAG 2.2 compliance →
European accessibility act compliance: what identity teams should watch?
Explore further
Accessibility governance is now part of identity governance. The EAA touches the same customer journeys that privacy, IAM, and compliance teams already own, including consent, self-service, and DSAR flows. That means accessibility defects can create governance failures even when policy logic is correct. The practitioner conclusion is that accessibility must be reviewed alongside authentication, authorisation, and records handling, not after deployment.
A question worth separating out:
Q: Who is accountable when an inaccessible consent or DSAR flow fails?
A: Accountability usually sits with the service owner, privacy lead, and the team responsible for the affected digital journey. In regulated environments, legal responsibility may also extend to manufacturers, importers, distributors, or service providers depending on the role defined by the EAA. Organisations should document ownership before a failure occurs.
👉 Read our full editorial: European accessibility act compliance is now a digital governance issue