Most pharma accessibility audits happen too late. The website is live, the components are shipped, the brand has rolled out across four markets, and only then does someone run a WCAG check and surface 200 issues, half of them repeated across every page because they are baked into the design system itself.
That is not a content problem. It is a source problem. And since 28 June 2025, when the European Accessibility Act (Directive (EU) 2019/882) became enforceable across all 27 EU Member States, it is also a legal exposure problem.
The penalty ceiling, up to €100,000 or 4% of annual turnover, is the headline number. The operational cost of last-minute remediation across multi-market portals is the number that quietly does more damage.
A live-site audit tells you what is broken on the surface. A design system audit tells you why it keeps breaking. The distinction matters because component libraries are force multipliers in both directions: one well-built button with strong contrast scales accessibility across every product surface, and one poorly built button does the opposite.
The workflow we recommend has four steps:
A recent Promedia design system audit illustrates why source-level work pays off. A full accessibility lint across 1,098 nodes returned 132 critical findings and 57 warnings, with an overall score of 78/100. The Accessibility dimension scored lowest at 33/100, while Naming & Semantics scored 99/100. The decisive finding: nearly all issues traced back to master components and shared tokens, not individual instances. Two token updates alone resolved roughly 150 of the 163 findings automatically.
That is the structural leverage you do not get from auditing the live site.
Manual WCAG audits across a mature design system take weeks. The plugin approach takes minutes. It runs directly inside Figma, scans every element in the component library against WCAG 2.2, and returns a prioritized list of fixes before anything ships. No IT review, no procurement cycle, no waiting for a third-party agency to schedule the work.
For pharma specifically, this matters because patient-facing surfaces (disease awareness platforms, patient information portals, HCP resource hubs, mobile apps) are typically built on shared brand systems that propagate across markets. A contrast failure on a CTA button in the master library becomes a contrast failure on every market site that consumes that library. Auditing the source means auditing once, not 27 times.
The quarterly cadence we suggest is straightforward: run the accessibility agent every quarter, build a backlog, fix issues first at the design system level, then verify on the live website. The live audit still matters because real-world implementation introduces factors the design file cannot model: dynamic content, third-party widgets, CMS quirks, screen reader behavior across browsers.
The economics of shift-left accessibility are not subtle. A single button component used 80 times across a patient portal is one fix at the source or 80 fixes in production. Multiply that across a component library with 200+ elements and several brand variants, and the cost gap becomes the kind of number that ends up on a board slide.
Three practical levers compound the savings:
The other cost worth naming is reputational. There are roughly 87 million people in Europe living with a disability, about one in four adults. A patient information portal that fails them is not just a compliance liability, it is a brand liability in a category where trust is the product.
EAA compliance is achieved by meeting EN 301 549, which incorporates WCAG 2.1 Level AA as the baseline for digital content accessibility. WCAG 2.2 is the current published version and the safer target for new work, since regulators and national enforcement bodies are unlikely to penalize teams for exceeding the floor.
For pharma teams still mapping their EAA readiness, a workable sequence looks like this:
New products and services introduced to the EU market from 28 June 2025 must meet the requirements now. Existing services have until 28 June 2030. That sounds like runway. In practice, for any brand running quarterly campaign launches or annual portal refreshes, the next design system update is already inside the enforcement window.
A live site audit checks the implemented product: the rendered HTML, the actual content, the real user journeys. A design system audit checks the source: the component library, the tokens, the master elements that get consumed across products. Live audits find surface issues. Source audits find root causes. You need both, but auditing the source first reduces how much the live audit finds.
EAA compliance is achieved by meeting EN 301 549, the European harmonized standard, which incorporates WCAG 2.1 Level AA as the baseline. WCAG 2.2 is the current version of the guidelines and a safer target for new design and development work, since it includes additional success criteria and aligns with where enforcement is heading.
Because components in a design system are reused. One button component might appear 80 times across a patient portal. Fixing the source component once corrects all 80 instances automatically. Fixing it in production means 80 separate code changes, 80 regression tests, and 80 opportunities for the issue to reappear in the next release.
If your team is preparing for EAA and your design system has not been audited yet, the first move is not a procurement cycle. It is a scan of the component library to find out what you are actually dealing with. Most teams discover that a small number of token and component fixes resolve the majority of findings, which reframes accessibility from a compliance burden into a structural design decision.
Accessibility is cheaper when it is structural, not corrective. The teams that internalize this before the next portal refresh will spend the rest of the EAA timeline designing, not patching. If you want to see what a source-level audit surfaces inside your own Figma library, the Promedia team can walk you through it.
One short email when we publish. No spam, no sales pitch. Unsubscribe whenever.
