Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

← Back to Blog
Cluster post · ADA Title II + WCAG · Federal mandate vs enhancement layer

Why federal compliance targets WCAG 2.1 — not 2.2 — and what 2.2 adds on top.

acipta · Agent-based defensibility platform — workflow-grounded.

The ADA Title II Final Rule (published April 2024, codified at 28 CFR § 35.200-203) adopts WCAG 2.1 Level AA as the federal technical standard — not WCAG 2.2. That choice is not a mistake or a lag — it's a layered design. Here's why DOJ picked 2.1, what 2.2 adds as an enhancement layer, and the audit posture that defends both regulatory floors with a single signed-evidence pack.

If you read the ADA Title II Final Rule and the Section 508 VPAT 2.5 in the same sitting, you will find two different WCAG version numbers. The Final Rule (federal mandate, effective for large public entities April 24, 2026 and small entities April 24, 2027) targets WCAG 2.1 Level AA. VPAT 2.5 (modern procurement) references WCAG 2.2. A reasonable reading is that DOJ is behind. A more accurate reading is that the federal architecture has always been: set the legal floor on a stable, broadly-adopted standard; let the enhancement layer move faster. The choice of 2.1 isn't a lag — it's the floor.

This post is the cluster companion to our WCAG 2.1 AA compliance pillar (federal-floor breakdown) and WCAG 2.2 AA pillar (enhancement-layer breakdown). The pillars cover full implementation; this post covers the legal-floor logic, the precise version delta, and the layered audit posture that satisfies both.

Why DOJ chose WCAG 2.1, not 2.2

Two reasons, both architectural:

(1) Regulatory timing. The Final Rule text was finalized inside DOJ in 2023, before WCAG 2.2 was published as a W3C Recommendation (October 2023). DOJ does not update a standard reference mid-rulemaking; doing so would force restart of the public-comment cycle. The 2.1 choice was locked when the rule text was locked.

(2) Backward-compatibility logic. WCAG 2.1 AA conformance is a strict subset of WCAG 2.2 AA conformance — all 50 Level A + AA success criteria from 2.1 remain in 2.2 (the lone exception, 4.1.1 Parsing, was retired as obsolete). Picking 2.1 as the federal floor means anyone targeting 2.2 is already over-compliant with the federal mandate. The federal architecture is layered by design: 2.1 = legal defensibility, 2.2 = procurement and enhancement.

The practical implication: if your accessibility evidence is per-success-criterion (not per-page), conforming to WCAG 2.2 AA gives you a single signed-evidence pack that defends ADA Title II Final Rule (federal floor) + Section 508 VPAT 2.5 (federal procurement) + EU Accessibility Act (EN 301 549 referencing WCAG 2.1) + ISO/IEC 40500 (the ISO version of 2.0/2.1). The cost of layering 2.2 on top of 2.1 is 9 net criteria. The benefit is multi-regime defensibility from a single audit pack.

The federal floor: what 2.1 requires

WCAG 2.1 Level AA = 50 success criteria organized under four POUR principles (Perceivable, Operable, Understandable, Robust). The Final Rule codifies this at 28 CFR § 35.200-203. Each criterion is a measurable conformance test. Conformance is per-criterion, per-page — not "the site is accessible" as a posture, but "this page conforms to criterion 1.4.3 Contrast on this date." Full per-criterion breakdown lives on our WCAG 2.1 AA pillar page.

The other thing 2.1 brings — that 2.0 didn't — is mobile-first thinking. 2.1's additions over 2.0 were primarily mobile (Orientation 1.3.4, Reflow 1.4.10, Pointer Gestures 2.5.1). DOJ's choice of 2.1 over 2.0 was the move that made the rule meaningful for mobile public-services apps.

The enhancement layer: what 2.2 adds on top

WCAG 2.2 added 9 new success criteria, retired 1 obsolete one, and shifted emphasis toward cognitive accessibility, touch targets, and authentication friction. None of the 9 new criteria are federally mandated under Title II. All 9 are procurement-relevant under Section 508 VPAT 2.5, and increasingly expected in EU procurement contexts as EN 301 549 updates. Here's the precise gap, by criterion.

The 9 new criteria, by what they actually require

2.4.11AA

Focus Not Obscured (Minimum)

What it requires: When a UI element receives keyboard focus, it must not be entirely hidden by author-created content. Partially covered is allowed at AA.

What fails this today: Sticky headers that cover the focused element, cookie banners that overlay form fields, sticky footer CTAs on mobile, modal close-buttons covered by virtual keyboards. The most common failure mode in 2026.

2.4.12AAA

Focus Not Obscured (Enhanced)

What it requires: Focused element must not be obscured at all (no partial coverage allowed).

Target this on: Payment flows, healthcare patient portals, authentication. Universal AAA on this criterion is impractical because of standard sticky-header design patterns.

2.4.13AAA

Focus Appearance

What it requires: Focus indicators must meet specific size (minimum 2 CSS pixels thick perimeter) and contrast (3:1 against adjacent colors) requirements. Browser default focus rings often fail.

Where this bites: Custom-styled buttons and inputs where the design team removed the default focus ring without a compliant replacement. Almost every brand-customized site fails this somewhere.

2.5.7AA

Dragging Movements

What it requires: Any functionality that uses a single-pointer drag interaction must have a single-pointer (click/tap) alternative — unless dragging is essential.

What fails this today: Slider inputs without keyboard alternatives, drag-to-reorder list UIs without explicit move buttons, signature-pad inputs without a typed-name fallback, map zoom-by-drag without zoom buttons. Affects roughly 60% of modern SPAs.

2.5.8AA

Target Size (Minimum)

What it requires: Interactive targets (buttons, links, form inputs) must be at least 24×24 CSS pixels — or have an adjacent spacing of 24 CSS pixels in a circle around the target. Exceptions exist for inline text links and user-agent-controlled targets.

What fails this today: Dense mobile navigation, icon buttons in toolbars, social-share button rows, footer link clusters. We have not scanned a mid-market site since the October 2023 publication that doesn't fail this somewhere on the page.

3.2.6A

Consistent Help

What it requires: If help mechanisms (contact info, help link, FAQ link, chat) appear on multiple pages, they must appear in the same relative order to other content. This is a Level A criterion — the easiest to satisfy.

Subtle failure mode: Sites that include the help link in the header on most pages but move it to the footer on checkout or account pages. Architecturally simple to fix; commonly missed in audits.

3.3.7A

Redundant Entry

What it requires: Within a single user flow, information the user already provided must be either auto-populated or available for selection — not required to be re-entered. Exceptions: when re-entry is essential (e.g., security confirmations), or when previously entered info is no longer valid.

What fails this today: Multi-step checkout that asks for shipping address, then again for billing address. Multi-step forms that lose progress and re-prompt. Account-creation flows that ask for email twice. Easy to fix; often invisible to non-disabled users.

3.3.8AA

Accessible Authentication (Minimum)

What it requires: A cognitive function test (transcribing text from an image, performing visual identification, solving puzzles) cannot be required to authenticate, unless an alternative is provided OR the test relies on object/personal-content recognition (e.g., "name your first pet") OR the user is providing biometrics.

What fails this today: Hand-typed CAPTCHAs, "find all the traffic lights" image-grid challenges (without an audio alternative), math-problem CAPTCHAs. reCAPTCHA v3 (the invisible scoring version) passes; v2 (the checkbox + image challenge) typically fails. This criterion is forcing a real migration in 2026.

3.3.9AAA

Accessible Authentication (Enhanced)

What it requires: Same as 3.3.8 but tighter — even object/personal-content recognition exceptions don't apply at AAA. Pure passwordless or biometric authentication.

Target this on: High-risk surfaces with disabled-user populations (healthcare portals, government services, financial account recovery).

The retired criterion: 4.1.1 Parsing

4.1.1 Parsing (Level A) was retired in WCAG 2.2 because modern HTML parsers (browsers since around 2015) recover gracefully from most HTML syntax errors. The criterion was originally written when XHTML strictness was an open question; it became obsolete. If your audit report from 2022 flagged 4.1.1 violations, those are no longer WCAG findings — though they are still worth fixing for general code quality.

The layered audit posture — what to actually do

Four actions, in order:

  1. Confirm WCAG 2.1 AA conformance first. This is the federal floor under ADA Title II Final Rule. Per-success-criterion evidence is what defends. See our WCAG 2.1 AA pillar for the per-criterion breakdown.
  2. Layer WCAG 2.2 AA on top. Test the 9 new criteria on top of your existing 2.1 conformance. Don't redo the full audit; just add the 9 new tests. Most existing 2.1 conformance carries forward.
  3. Update your VPAT to 2.5 (which references WCAG 2.2). Section 508 procurement buyers now request 2.5 specifically. Title II conformance evidence does not require a VPAT but procurement contracts increasingly do.
  4. Remediate 2.2 deltas in failure-rate order: 2.5.8 Target Size (highest failure rate, easiest to fix), 2.4.11 Focus Not Obscured (high impact on real users), 3.3.8 Accessible Authentication (regulatory pressure increasing), then the AAA criteria selectively on high-risk surfaces.

What "audit-defensible" looks like across both standards

A single signed-evidence pack should answer all of these questions for any URL on any date:

If the answer to the fourth question is "we have a screenshot of a dashboard," that's scan output. It's not audit evidence. The distinction matters when the demand letter arrives — and 2026 is the year demand letters arrived in volume.

How acipta handles both layers simultaneously

Because acipta's A11Y suite is built on a per-success-criterion architecture, the 2.1 floor and the 2.2 enhancement layer are both tested per URL, per deploy, every time. Every signed-evidence pack in the Evidence Locker is tagged with both WCAG version verdicts; a single page's history shows "passed WCAG 2.1 AA on 2026-05-15" and "passed WCAG 2.2 AA on 2026-05-15" as separate signed events, with full replay capability against the source artifact at each date. The federal floor and the enhancement layer are not two audits — they're two cross-sections of the same per-criterion ledger. That's what makes the layered posture practical at production scale, not just at audit time.

For the full operator's guide to ADA Title II Final Rule (who's covered, deadlines, demand-letter response playbook, audit-defensibility checklist for legal counsel), read our complete ADA Title II compliance guide.

Frequently asked questions

Why does ADA Title II Final Rule target WCAG 2.1 AA instead of WCAG 2.2?
Two reasons. (1) Regulatory timing: DOJ's Final Rule text was locked in 2023, before WCAG 2.2 published in October 2023. DOJ does not update standard references mid-rulemaking. (2) Backward-compatibility logic: WCAG 2.1 AA is a strict subset of WCAG 2.2 AA. Picking 2.1 as the federal floor means anyone targeting 2.2 is already over-compliant with the mandate. The federal architecture is layered by design: 2.1 = legal defensibility, 2.2 = procurement and enhancement.
Do I have to redo my audit to move from 2.1 to 2.2?
No. WCAG 2.2 is backward compatible — all 50 WCAG 2.1 Level A+AA criteria remain in 2.2 (except 4.1.1 Parsing, retired as obsolete). Test the 9 new 2.2 criteria specifically and update your VPAT to reference 2.5. Most existing 2.1 conformance carries forward.
What's the safest audit posture in 2026 — target 2.1 or 2.2?
Layered. Target WCAG 2.1 AA for ADA Title II Final Rule defensibility (federal floor). Layer WCAG 2.2 AA on top for Section 508 VPAT 2.5, EU Accessibility Act alignment, and modern procurement contracts. A single signed-evidence pack then defends across regimes — the cost of layering 2.2 is 9 net criteria; the benefit is multi-regime defensibility.
Which WCAG 2.2 criteria do most sites fail today?
Three: 2.5.8 Target Size (mobile nav fails the 24×24 CSS pixel requirement), 2.4.11 Focus Not Obscured (sticky headers cover focused elements), and 3.3.8 Accessible Authentication (typing-CAPTCHAs are non-conformant). Plan remediation in that order. None are federally mandated under Title II; all are procurement-relevant under VPAT 2.5.

Defend the federal floor. Layer the enhancement on top.

One signed-evidence pack covers both WCAG 2.1 AA (ADA Title II Final Rule) and WCAG 2.2 AA (Section 508 VPAT 2.5). Free first scan: per-success-criterion verdict for all 86 criteria, draft VPAT 2.5 in 48 hours.

Request a free scan → Read the 2.1 federal-floor pillar