Knowledge Article 

How to Meet Digital Accessibility and Security Standards with Pega Constellation

Accessibility and security in digital applications are no longer an optional extra; they are now a necessity. Here’s how Pega’s Constellation can help make sure you’re compliant.

Written by Peter Townshend

Accessibility and security standards are huge concerns in modern digital systems. They dictate who you can sell to, what you can deploy, and how fast you can move.

If you’re still on a legacy Pega UI like UI-Kit or Theme Cosmos with lots of custom code, keeping up with ever-evolving compliance gets harder every day.

Constellation changes that by offering built-in accessibility compliance and a more secure, simplified design that makes auditing and updating much more manageable.

Below is a clear, fact-led guide to digital accessibility and cloud security standards and how a Pega upgrade can help.


Digital Accessibility Standards

While it could be argued that digital accessibility used to be a bonus, today it has become a baseline expectation.

The Web Content Accessibility Guidelines (WCAG) 2.2 became an official W3C Recommendation on October 5, 2023. It built on the previous version 2.1 by adding nine new success criteria to further help people use digital services.

The guidelines are designed to ensure a better digital experience all round, specifically making content more accessible to people with learning disabilities and physical disabilities relating to hearing, sight, speech, and movement.

There are three tiers to WCAG 2.2: A, AA, and AAA. A is the minimum level of accessibility, which is easy to achieve, but does not provide the best experience. Conversely, AAA is the highest level of accessibility, but hard to implement. As such, AA is the level most enterprises aim for as it finds the right balance between experience and achievability.

While WCAG 2.2 is, in itself, not enforceable, these guidelines do underpin enforceable accessibility compliance that is either in place or in development in many countries around the world. As such, adhering to WCAG 2.2 is the best way to ensure global compliance now and into the future.

EU, UK, and US Accessibility Rules

In the EU, the European Accessibility Act (EAA) came into effect on 28 June 2025, expanding accessibility requirements across products and services and making enforcement a member-state responsibility. For many organizations, the related standard EN 301 549, which integrates WCAG 2.2, provides a practical reference for building and buying accessible ICT.

In the UK, the Public Sector Bodies Accessibility Regulations (PSBAR) 2018 require public bodies to meet accessibility requirements and publish an accessibility statement, grounded in the WCAG principles. UK government information explicitly references WCAG 2.2 AA as the target standard.

There are similar standards in place in the US, such as Section 508 of the Rehabilitation Act, which requires federal agencies and suppliers to meet WCAG 2.2 guidelines. Additionally, the Americans with Disabilities Act (ADA) has been applied in courts to digital services, with WCAG 2.1/2.2 AA often cited in settlements and consent decrees.

In an era where accessibility expectations are clearer and tougher, meeting them with bespoke, screen-by-screen fixes is time-consuming and risky. Standardizing on a modern design system reduces that burden.

How Constellation Helps Meet WCAG 2.2 Accessibility Guidelines

WCAG 2.2 adds criteria that improve keyboard focus visibility, reduce reliance on drag-and-drop, and make authentication more accessible, among others.

Constellation’s templated design system and standard components are built to align with WCAG 2.2 requirements by default. Pega provides Voluntary Product Accessibility Template (VPAT) documentation for Constellation-based products, detailing conformance with WCAG.

That means you can rest assured that you are compliant out of the box. What’s more, any updates to the guidelines will be incorporated into future Pega updates, ensuring you meet requirements long term.

If you rely on custom UI code in a legacy front end, every change risks introducing new accessibility gaps. These gaps can be difficult to keep on top of and time-consuming to rectify.

Cloud Security Standards

Security frameworks evolve too. Key drivers are the explosion of digital data in both volume and value, combined with the prevalence of cloud-native systems in the modern digital landscape.

The threats are ever-increasing, and with the democratization of AI, they are advancing at a phenomenal rate. Consistency and simple auditing processes are key to ensuring compliance.

EU, UK, and US Cloud Security Rules

In the US, FedRAMP defines security standards for cloud services and is constantly evolving and updating in line with developments in technology.

In the UK, the NCSC Cloud Security Principles set expectations for data in transit, asset protection, separation of customers, secure authentication, and more. They are widely referenced in public-sector procurement.

In Europe, the EU Cloud Services (EUCS) scheme is being developed to standardize cloud security assurance across member states. While it is still evolving and indeed currently facing a political deadlock, it points towards consistent, certifiable standards in the future.

How Constellation Helps Meet and Maintain Security Standards

There are a number of ways Constellation helps to ensure your application conforms to security standards.

One of the biggest is that Constellation’s client-side engine reduces server-side rendering, lowering risk exposure and making performance more predictable under load.

Additionally, Constellation offers standardized authentication patterns, such as single sign-on (SSO) and multi-factor authentication (MFA). This consistency reduces audit risk and improves the overall user journey.

This is complemented by DX API v2, which provides a clean separation between UI and logic and so ensures consistent controls across channels. DX API v2 only ever delivers exactly what’s needed, with no ad-hoc adaptations.

With less glue code overall, upgrades are cleaner and risk is reduced, minimizing the amount of testing required for each release.

These principles align with what auditors and assessors look for: clarity, consistency, and demonstrable control coverage.


What This Means for Heritage Pega UIs

Older front ends like UI-Kit and Theme Cosmos were designed for a different era. They rely on server-rendered pages and often include custom JavaScript or JSP fragments to handle edge cases.

Back when browsers were less capable and loads were lighter, that approach worked fine, but in modern times, it presents problems on three fronts:

  • Accessibility: Remediation happens screen by screen, so each update risks creating gaps
  • Security: Bespoke code paths are harder to trace, test, and evidence against control frameworks
  • Performance and cost: Server-heavy rendering increases load and spend, especially at peak times

Of course, you can achieve compliance on legacy stacks, but it usually costs more and takes longer than building on Constellation’s modern, standardized UI layer.

Our strong recommendation is to adopt Pega Constellation sooner rather than later to minimize risk and ensure up-to-date compliance is seamlessly maintained.

Pega Upgrades Made Easy 

There’s no doubt Pega Constellation offers a more reliable and efficient solution for meeting and maintaining digital accessibility and cloud security standards.

It helps you meet WCAG 2.2 AA, conforming to EAA, PSBAR, ADA, and Section 508 of the Rehabilitation Act. It also helps you align with recognized security principles, such as FedRAMP and NCSC Cloud Security Principles, while preparing you for future EUCS implementation.

While the benefits are obvious, modernizing your Pega platform can feel like a daunting prospect – and for good reason. It is a highly complicated process that should not be taken lightly. However, with the right guidance, it can still be straightforward, and that’s where labb’s Modernization service comes in.

Our experts know the Pega platform better than anyone and can plot a Pega Modernization roadmap that’s tailored to your specific requirements.

Download our white paper, The Pega Modernization Roadmap, for a full checklist, migration phases, and ROI model. It shows how to plan a low-risk, high-value upgrade to Constellation, and how we can help you implement it.


Pega Upgrade FAQs 

What is WCAG 2.2 AA and why does it matter?

WCAG 2.2 is the latest global benchmark for digital accessibility. It added nine testable improvements over version 2.1 and became a W3C Recommendation in October 2023. Level AA is the enterprise-standard target.

Does the European Accessibility Act (EAA) apply to me?

Yes, if you provide covered digital services in the EU after 28 June 2025, the EAA applies. Enforcement varies by member state. EN 301 549 provides a harmonized standard aligned with WCAG.

What are the accessibility rules in the US?

Two frameworks matter most: Section 508 of the Rehabilitation Act, which applies to federal agencies and suppliers, and the Americans with Disabilities Act (ADA), which courts have applied to digital services. Both use WCAG as the technical yardstick. Suppliers are expected to provide VPATs documenting conformance.

How does the UK regulate accessibility?

The Public Sector Bodies Accessibility Regulations (2018) require UK government sites/apps to meet WCAG 2.2 AA and maintain a published accessibility statement.

Is FedRAMP relevant outside the US?

FedRAMP sets standards for US federal cloud security. Outside the US, equivalent standards include the UK’s NCSC Cloud Security Principles and the upcoming EU Cloud Services (EUCS) certification. All emphasize secure architecture, encryption, identity rules, and auditability.

How does Pega Constellation support SSO and MFA?

Constellation supports modern authentication standards like SAML and OpenID Connect, meaning single logins and two-factor logins work without custom UI code. Because its interface is modular and consistent, authentication flows behave predictably across apps. Upgrades to security policies are also easier to apply.

How does Constellation's DX API v2 enhance compliance?

Constellation’s DX API v2 clearly separates the user interface (UI) from business logic and case data. That means you can update or audit business rules without touching the UI, making governance cleaner and reducing compliance risk.
