EAA penalties Ireland: SI 636/2023 criminal liability

When the Irish government transposed the European Accessibility Act into national law, it took a different path from every other EU member state. S.I. No. 636 of 2023, the European Union (Accessibility Requirements for Products and Services) Regulations 2023, includes criminal penalties. Not administrative fines with a referral to a regulator. Criminal liability: fines and imprisonment, applicable to company directors and officers personally. That legislative choice was deliberate and its practical implications for Irish businesses are worth understanding clearly.

No other EU member state went this far. France, Germany, Belgium and the Netherlands all implemented the EAA with administrative fines only. Ireland chose prosecution.

This matters practically for Irish SMBs selling online. Understanding the penalty structure is the first step to deciding how seriously to treat compliance.

---

Check your site's accessibility now

Our scanner runs an automated WCAG 2.1 AA audit and flags the most common barriers. Takes 60 seconds.

Scan my website for free →

---

The penalty structure under S.I. 636/2023

Summary conviction (District Court)

For less serious cases, or where the accused opts for summary disposal, the District Court can impose:

• A fine of up to €5,000
• Imprisonment of up to 6 months
• Or both

Summary conviction is the typical route for a first offence with no aggravating factors.

Conviction on indictment (Circuit Court or higher)

For more serious or repeated non-compliance, prosecution on indictment carries:

• A fine of up to €60,000
• Imprisonment of up to 18 months (Regulation 32(6)(b) of S.I. 636/2023)
• Or both

Who faces criminal liability

The criminal penalty provisions extend beyond the company itself. Under the regulations, where an offence is committed by a body corporate and is proved to have been committed with the consent, connivance or wilful neglect of a director, manager, secretary or other officer, that individual is guilty of the offence and liable to the same penalties.

This is the element that makes Irish EAA law unusual. A managing director of an Irish SMB could personally face prosecution if the company's online shop is non-compliant and the non-compliance is shown to be deliberate or negligent at a senior level.

Comparison with other EU member states

Ireland sits at the lower end for maximum fines compared to Belgium, but is the only jurisdiction with personal criminal exposure.

---

Who enforces: CCPC and the sectoral split

The CCPC (Competition and Consumer Protection Commission) is the primary EAA supervisor for consumer-facing services and e-commerce. If you run an online shop, a booking service or a subscription platform, the CCPC is the relevant authority.

Enforcement is split by sector:

• ComReg: electronic communications services (broadband, mobile, VoIP)
• Central Bank of Ireland: consumer financial services (online banking, insurance)
• Coimisiún na Meán: audiovisual media services
• National Transport Authority (NTA): passenger transport information

The NDA (National Disability Authority) and its Centre for Excellence in Universal Design publish technical guidance and conduct research, but are not an enforcement body.

How CCPC investigations work

The CCPC's approach differs from continental DPAs in one important way: it is procedurally cautious. Before pursuing criminal prosecution, the CCPC typically follows a graduated process:

1. Compliance engagement: informal contact, request for information
2. Compliance notice: formal written notice with a deadline
3. Prohibition notice: direction to stop the non-compliant activity
4. Criminal referral to the Director of Public Prosecutions (DPP): for persistent or wilful non-compliance

The DPP decides whether to prosecute. This means criminal proceedings require a second decision-maker, which adds procedural time and a prosecutorial-interest filter. Realistic outcome for an Irish SMB: the CCPC issues a compliance notice with a correction deadline well before any criminal referral.

That said, the criminal pathway is genuinely available. If a business ignores a compliance notice or the non-compliance causes harm to disabled users, the CCPC has every legal basis to refer.

---

What triggers enforcement

The CCPC can open an EAA case in two ways. It can act on a complaint from a consumer or an organisation representing disabled people, or it can open an own-volition investigation based on its own compliance monitoring work.

Under S.I. 636/2023, the CCPC has powers to:

• Require the production of documents and information
• Enter and inspect premises (including digital audit of a service)
• Apply to the High Court for orders where a business refuses to cooperate

For an online shop, a practical enforcement trigger is a complaint from a screen reader user who cannot complete a purchase because form fields have no labels, or from a user with low vision who finds that colour contrast makes product prices illegible. These are exactly the kinds of barriers that automated accessibility tools detect. Disability advocacy organisations across the EU have begun filing complaints with national supervisory authorities. In France, Inter-Êtres Agir referred Auchan, Carrefour, E.Leclerc and Picard Surgelés to the Tribunal judiciaire in November 2025. Similar patterns are likely in Ireland once the CCPC's compliance-monitoring phase produces visible cases.

---

The technical standard: WCAG 2.1 AA

The EAA requires that covered services meet the technical requirements set out in the harmonised standard EN 301 549 V3.2.1, which incorporates WCAG 2.1 Level AA for web content. There is no separate Irish national standard analogous to the French RGAA.

WCAG 2.1 AA is structured around four principles. Each carries concrete requirements for web services:

Perceivable: text alternatives for images, sufficient colour contrast (minimum 4.5:1 ratio for normal text), captions for video content, content that doesn't rely on colour alone to convey information.

Operable: all functionality is available by keyboard, users can pause or stop moving content, sufficient time to complete forms, no content that flashes more than three times per second.

Understandable: page language is declared in the HTML, error messages on forms explain what went wrong, navigation is consistent across pages.

Robust (the WCAG 2.1 principle name): HTML is clean enough for assistive technologies to interpret correctly, ARIA attributes are used correctly, interactive elements have accessible names.

Automated scanning tools such as axe-core catch roughly 30-57% of WCAG issues depending on the type of content (Deque, WebAIM Million). The remainder requires manual testing. For EAA compliance purposes, an audit that includes both automated and manual components carries more weight than an automated report alone.

---

What the CCPC expects to see

If the CCPC opens a compliance check on your business, the documents it will likely request include:

• An accessibility statement published on the site, accessible from every page
• Results of a WCAG 2.1 AA audit with a date, method and summary of findings
• A documented plan to address the failures identified
• Evidence that the plan is being implemented

An accessibility statement that simply says "we are committed to accessibility" without specifics does not meet the requirement. The statement should name the standard (WCAG 2.1 AA / EN 301 549), state the current conformance level (fully conformant, partially conformant or non-conformant), identify the known gaps and provide a contact mechanism for reporting barriers. Updating the statement after each remediation cycle demonstrates active, documented progress and is treated favourably by the CCPC.

The disproportionate burden exception

Article 14 of the EAA directive allows a business to claim that full compliance would impose a disproportionate burden relative to its resources. This exception must be documented, must be proportionate to the actual barrier (you cannot claim disproportionate burden for adding an alt text to an image) and must be re-assessed periodically as your financial capacity changes. Claiming disproportionate burden without documentation is not a defence.

---

Practical risk assessment for Irish SMBs

The realistic enforcement timeline looks like this for a typical Irish SMB:

A complaint is filed with the CCPC by a disabled user or an advocacy organisation. The CCPC writes to the business requesting information. The business has weeks to months to respond and demonstrate compliance activity. If the business cooperates and shows documented remediation efforts, the matter typically closes at the compliance engagement stage.

Criminal prosecution is reserved for cases where a business ignores notices, actively misrepresents its compliance status or causes demonstrable harm through repeated and wilful failure to act.

The risk is not zero. Ireland chose criminal penalties precisely because it wanted the deterrent effect. A business that takes reasonable documented steps is in a very different position from one that ignores the law entirely.

For the compliance steps themselves, see our EAA small business guide for Ireland.

---

EAA penalties in other EU jurisdictions

• EAA penalties across the EU (English overview)
• EAA penalties in the Netherlands (ACM, up to €900k)
• EAA penalties in Belgium (SPF Économie / FOD Economie, up to €200k)
• Sanctions EAA en France (DGCCRF, ARCOM)
• Sanciones EAA en España (OADIS, hasta €1M)
• EAA Strafzahlungen in Deutschland (BFSG, bis €100k)

---

Sources

• S.I. No. 636 of 2023 (irishstatutebook.ie)
• Directive (EU) 2019/882, European Accessibility Act (EUR-Lex)
• CCPC: European Accessibility Act
• NDA: Centre for Excellence in Universal Design

---

This is technical analysis, not legal advice. Consult a solicitor for advice specific to your situation.