The European Act on Accessibility 2025
From 28 June 2025, a new European law on accessibility will come into force. It extends accessibility obligations for websites and applications, and will apply to all companies with more than 10 employees and a turnover in excess of €2 million, as well as public service websites. E-commerce sites will have to comply with current standards, with full RGAA compliance for France, compliance with European standard 3015 49, and as a minimum level AA of the WCAG standard for the rest of the world (particularly the US).
Services existing before 28 June 2025 will have until 28 June 2030 to comply, while new sites launched after June 2025 will have to apply the standard as soon as they are launched. Penalties for non-compliance will be increased and could reach up to €300,000, depending on the type of service. After a period of 6 months without correction, the penalties may be applied again.
It is important to start complying now, at the very least:
- Carrying out an audit and drawing up an accessibility declaration
- Drawing up a 3-year plan and multi-year action plan
- Ensuring that all new content is accessible
Adobe Commerce 2.4.8 and end of support
Currently in beta testing, the next patch version of Adobe Commerce is scheduled for public release on 8 April 2025 under the number 2.4.8. In line with its new release policy, this version will not include any new functions, but plans to improve performance and security and update the libraries it uses (e.g. composer 3, phpunit 10).
In terms of PHP compatibility, this version no longer supports PHP 8.1, so you’ll need to be on PHP 8.2 or 8.3 (we have no official announcement for 8.4 compatibility at present). As for the database, you’ll need to switch to MySQL 8.4 or MariaDB 11.4. Note that compatibility with ElasticSearch will no longer be supported, as Adobe prefers to concentrate on supporting OpenSearch 2.x.
A number of improvements to the GraphQL APIs will be included, and in terms of configuration the indexers will now be in “Update by Schedule” mode by default in order to follow Adobe’s best practices.
This version 2.4.8 should be supported until the 2nd quarter of 2028.
Finally, 2025 will mark the end of support for 2 versions:
- version 2.4.4 on 24 April
- version 2.4.5 on 8 August
Think about anticipating version upgrades if your platforms are still using them
Edge Delivery Services
The Adobe Commerce 2025 roadmap is not detailed, but the publisher should continue to gradually improve its Cloud, Live Search, Product Recommendation, Payment Service and Catalog Service services, as well as the new arrival: Edge Delivery Services. Edge Delivery Services is a new technology that should be democratised in 2025. It is a new front-end technology already used in Adobe Experience Manager.
It promises very good performance, the ability to publish content from Microsoft Word or Google Docs documents, and native integration of A/B testing and image generation or page variation using artificial intelligence. This technology is complemented by a library of reusable e-commerce components for integrators (shopping basket, product page, customer dashboard, etc.), which will be added to as and when required.
This technology is set to mature in 2025, and should be of particular interest for composable architectures.
PCI DSS 4.0
On 31 March 2025, version 4.0 of the PCI DSS security standard will come into force, and must be complied with in order to claim compliance. This version of the standard includes 2 requirements that particularly affect Magento 2 / Adobe Commerce sites and their payment pages:
- Requirement 6.4.3: The execution of scripts on payment pages must be authorised and justified.
- Requirement 11.6.1: Scripts on payment pages must not have undergone any unauthorised changes.
These requirements make it possible to secure the entry of payment information by site users and considerably minimise Magecart-type attacks. These attacks, which target poorly secured sites, consist of modifying the payment page in the victim’s browser by replacing it with a malicious form that retrieves their bank card details.
These requirements are the responsibility of both the payment service provider and the e-merchant. To meet these requirements, 2 technical features have been introduced into Adobe Commerce:
- CSP (Content Security Policy) in strict mode, which makes it possible to explicitly define which domains and which scripts are authorised to interact with the page.
- Subresource Integrity, which checks the integrity of scripts on the page.
These features have been introduced and activated by default since Adobe Commerce 2.4.7. Your integrator may need to make adjustments to the platform so as not to block legitimate scripts, such as tracking or payment services.
Above all, this security policy requires you to adapt the procedures for adding scripts (by the marketing department, for example) and to monitor the errors reported by the site. Although these functionalities can be deactivated to facilitate integration of the platform, it is recommended that they are kept active to ensure an optimum level of security and compliance with the PCI standard.
Tools such as Sansec Watch or CSP whitelist generators can simplify the procedure.
Hyvä commerce
The year 2025 will see the release of the new Hyvä Commerce product, a module package for Magento 2 Open Source that improves the front and back office experience by adding new features, as well as Hyvä Theme and Hyvä Checkout. The feature roadmap is not yet known, but they are planning to focus on features dedicated to marketing.
Knowing the publisher, there’s no doubt that this product will be of the highest quality, with simple installation and integration and a competitive licence price.
Blocking third-party cookies and server-side tracking
Third-party cookies have long been a basic solution for tracking users on different websites. Their blocking, already in place on Firefox and Safari and now being followed by Google Chrome (which holds a large share of the browser market), puts an end to this widely used approach. This is prompting companies to look for alternatives to collect reliable data without relying on third-party cookies.
Chrome’s blocking is expected to come into effect in 2025, speeding up the introduction of server-side tracking. Here are the advantages of this method:
Adapting advertising tracking (SEA)
With the disappearance of third-party cookies, advertising platforms (Google Ads, Meta, etc.) are encouraging their customers to adapt tracking scripts so that they can continue to feed their algorithms with relevant (first-party) data. The implementation of these adaptations is greatly simplified by server-side tracking. Companies need to adapt quickly to remain competitive.
Better data accuracy
Ad blockers and browser restrictions make the data collected via client-side (browser-side) tracking less reliable. With server-side tracking, data is collected directly from the server, reducing the risk of loss or manipulation. What’s more, the accuracy and completeness of the data increases, as this method bypasses the limits imposed by browsers (ITP, ETP).
Optimising technical performance
Blocking third-party cookies is also an opportunity to improve website performance, by reducing the number of requests sent on the client side and centralising data processing on dedicated servers, which reduces the load on users’ browsers.
Finally, it is important to understand that server-side tracking complies with confidentiality standards (RGPD, CCPA), since user consent via cookie banners is still required.
