Official Sync: 2026-04-07

Compliance Officer Pathway

The day-to-day owner of the conformity assessment, the audit register, and the regulator-facing paper trail. Different from Legal: less interpretation, more operational discipline.

Last reviewed: 2026-04-07

Running the conformity assessment cycle

The conformity assessment is the central artefact. Everything else either feeds into it or comes out of it.

What the law says

EAA Article 13 requires service providers to assess and document compliance with the accessibility requirements in Annex I. Article 7 requires the same for manufacturers, with extra technical file requirements under Annex IV. The assessment has to be reviewed when the service or product changes, when a complaint comes in, and at least every five years. The conformity assessment is not a one-time launch deliverable. It's a living document with a defined review cycle and a defined evidence base sitting behind it.

What it means in practice

Set up an annual conformity assessment cycle for each in-scope product or service.

  • Quarter one: re-scope. Has anything changed in what we sell, where we sell, or who we sell to?
  • Quarter two: re-test. Run the EN 301 549 test plan against the changed surfaces.
  • Quarter three: re-document. Update the conformity assessment, the technical file if you have one, the accessibility statement.
  • Quarter four: review and sign-off — the responsible director signs the updated assessment.

That cadence works for stable products. For products under heavy development, the cycle compresses — the assessment needs touching at every major release, not just annually. Build the touchpoints into the release process as a checklist item for the release manager.

Maintain an evidence library next to the assessment. For each clause claimed as 'pass', the library should hold the actual evidence: a test result, a screenshot, a recording, a code reference. When the regulator asks how you verified clause 9.2.4.7, you pull the evidence from the library, not from memory.

Keep the assessment in version control. Each year's version archived with its evidence intact. If a regulator asks about the state of compliance two years ago, you can pull that version. Without versioning, you can only describe the current state, which is almost never what the regulator is actually asking about.

The Self-Assessment Pipeline on this site is built around exactly this cycle. Use it as the operational tool. The Compliance Report Builder produces the formal final output.

Common pitfalls

  • Treating the conformity assessment as a launch deliverable. It needs annual review and re-signing, not a one-off tick in a box.
  • No evidence library behind the assessment. When asked to substantiate a 'pass' claim, you can't, and the assessment becomes an unsubstantiated assertion.
  • Assessments stored on shared drives with no version control. The current version is often unclear and the historical versions are gone.

How to verify it

For your largest in-scope product, when was the conformity assessment last signed and by whom? If the answer is 'I don't know' or 'over a year ago', the cycle isn't running. The right answer is a date within the last 12 months and a name from the executive layer.

Maintaining the audit register and document retention

Compliance lives or dies in the spreadsheet. Without a register, you don't have a programme — you have a story.

What the law says

EAA Article 7 requires manufacturers to retain technical documentation for five years after the last unit is placed on the market. Article 13 requires service providers to maintain accessibility statements and conformity records for the lifetime of the service. Article 23 gives consumers and authorities the right to bring matters before competent authorities, which means the documentation has to be retrievable on demand.

What it means in practice

The audit register is a single spreadsheet (or a table in your governance tool) with one row per in-scope product or service. Columns: product name, operator role, EAA scope status, last assessment date, next review date, current conformance status, accessibility statement URL, owner, evidence library link, open complaints, open audit findings.

One row per product is the discipline. Products that share an assessment because they share a codebase still get one row each, with a note. Acquisitions get added on day one. Products being sunset stay on the register until they're actually withdrawn from sale, then move to an archived sheet.

Review the register monthly. Any row with a stale date, an overdue review, or an unresolved finding gets flagged. The flagged rows are the standing agenda for the monthly accessibility working group.

For document retention, the rule is five years after the last unit is sold (manufacturers) or for the lifetime of the service plus a reasonable buffer (service providers — most legal teams advise seven years). Retention applies to the conformity assessment, the technical file, test results, complaint records, remediation records, and the full accessibility statement history.

Storage matters. The retention requirement is meaningless if the documents are scattered across personal drives, ex-employees' laptops, and old Slack messages. Pick one document management system and put everything in it.

Common pitfalls

  • Multiple registers in different teams that don't agree with each other. Compliance can only point to one of them, and the others become discoverable evidence of confusion.
  • A retention policy that exists on paper but not in practice. The next time you need a document from 2024 you can't find it.
  • Storing evidence in personal Google Drives or Dropbox accounts. When the employee leaves, the evidence walks out the door with them.

How to verify it

Pull the register. For the top five largest in-scope products: is the assessment date current, is the statement live, is the owner correct, is the evidence accessible? Any 'no' is something to fix before the next monthly review. Now try to retrieve a document from 18 months ago. If you can't find it within ten minutes, your retention system has failed and needs a rebuild.

Liaising with regulators and external auditors

Your first regulator interaction is usually a soft enquiry. How you handle it determines whether the second one is also soft.

What the law says

EAA Article 19 sets up the market surveillance framework, drawing on Regulation 2019/1020. Authorities have the power to request documentation, conduct inspections, order corrective actions, and impose penalties. Operators are required to cooperate and to make documentation available within reasonable timescales.

What it means in practice

When a regulator enquiry arrives — usually by email, sometimes by formal letter — treat it as a P1 incident. Acknowledge within 48 hours. Establish a single point of contact (you, or General Counsel, depending on the structure). Identify the specific question being asked, the deadline for response, and the documents that need to be provided.

Don't volunteer more than you're asked. A regulator asking about clause 9.2.4.7 wants the test results for clause 9.2.4.7, not your full audit. Over-disclosure can expand the scope of the enquiry.

Do respond fully to what is asked. Partial or evasive responses drag out the enquiry timeline and damage trust. If the answer is 'we don't have that document', say so plainly and offer what you do have. If the answer is 'we have a known gap and here's the remediation timeline', say that. Honesty under regulator scrutiny is almost always the right play.

Keep a regulator interaction log: date received, authority, subject, deadline, documents provided, response date, follow-up status. The log becomes evidence in itself — when the next enquiry lands, you can show a track record of cooperation.

For formal external audits (commissioned by the operator, not by a regulator), treat the auditor as a partner rather than an adversary. Give them access to the evidence, provide the working space, debrief findings the same day. The auditor's report becomes part of your evidence library and demonstrates due diligence to any future regulator enquiry.

Common pitfalls

  • Slow or non-existent response to an early enquiry. The regulator escalates to a formal investigation, which is much harder to scope back down later.
  • Defensive or evasive answers. Regulators are experienced at spotting them and they damage your credibility for the rest of the interaction.
  • Treating the external auditor as an opponent. You waste the engagement and end up with a report that documents tension instead of findings.

How to verify it

Look at the regulator interaction log for the last 12 months. For each entry: was the response on time, was it complete, was the outcome resolved? If you don't have a log at all, that's the first thing to fix. If you have one and the responses are slow, you've got a process problem to escalate.
