Cloudflare faces €14.2 million fine from Italian regulator over piracy enforcement

Italy’s telecommunications regulator AGCOM yesterday announced a €14,247,698.56 effective in opposition to Cloudflare Inc. for failing to adjust to content material blocking orders issued underneath the nation’s anti-piracy laws. The penalty represents 1% of Cloudflare’s world income and marks one of many largest enforcement actions taken underneath Italy’s 2023 anti-piracy legislation.

The effective stems from Cloudflare’s refusal to implement DNS-level blocking of domains and IP addresses flagged by means of Italy’s Piracy Defend platform, which launched in February 2024 to fight unauthorized streaming of dwell sports activities occasions. AGCOM issued the preliminary blocking order on February 18, 2025, giving service suppliers half-hour to disable entry to over 15,000 domains and IP addresses recognized by rights holders as internet hosting pirated content material.

Background of the dispute

AGCOM first contacted Cloudflare on March 14, 2024, requesting the corporate designate a authorized consultant in Italy as required underneath the EU’s Digital Providers Act. The regulator famous that over the earlier decade, a considerable share of internet sites topic to copyright enforcement actions had utilized Cloudflare’s providers to distribute protected content material with out authorization.

On Might 8, 2024, AGCOM despatched a second communication after observing that Cloudflare inspired its clients to file complaints in opposition to Piracy Defend blocks. The regulator invited Cloudflare to register with the platform to obtain blocking notifications instantly.

When Cloudflare didn’t reply to both communication or take part in technical working group conferences held underneath the anti-piracy legislation, AGCOM issued deliberation 401/24/CONS on October 23, 2024. This resolution formally referred to as on VPN suppliers, public DNS operators, search engines like google and yahoo, and data society service suppliers concerned in accessing unlawful content material to register with Piracy Defend.

The blocking order got here on February 18, 2025, directing Cloudflare to disable DNS decision and visitors routing to particular domains and IP addresses. Italian legislation requires compliance inside half-hour of notification. Cloudflare didn’t implement the blocks or inform AGCOM of its response inside the required seven-day reporting interval, violating Article 9 of the Digital Providers Regulation.

Cloudflare’s protection

Cloudflare filed an administrative attraction with Italy’s Lazio Regional Administrative Court docket on March 7, 2025, difficult the blocking order. The corporate argued it couldn’t comply as a result of it had not been enrolled in Piracy Defend and due to this fact lacked entry to the precise domains and IP addresses requiring motion.

On April 7, 2025, Cloudflare requested entry to paperwork referenced within the blocking order. A follow-up letter on Might 2, 2025, sought clarification about which rights had been allegedly violated, who held these rights, what complaints had been filed, what investigations AGCOM carried out, and which Cloudflare providers had been supposedly used for infringement.

In July 2025 defenses submitted to AGCOM, Cloudflare maintained its providers “don’t give rise to the transmission of content material current on the websites of service customers” and that the corporate “has no technical risk to know, management, modify or intervene in any method with the content material revealed on web sites that use its providers.” The corporate argued that suspending its providers wouldn’t have an effect on web site accessibility since content material stays obtainable on third-party net servers no matter Cloudflare’s involvement.

Cloudflare contended that implementing DNS filtering can be “unreasonable, disproportionate and incapable of concrete implementation” as a result of making use of such filters to roughly 200 billion every day DNS queries would negatively influence latency and deprive the system of effectivity. The corporate additionally urged that filtering its 1.1.1.1 DNS resolver would adversely have an effect on decision for all different non-blocked websites.

The corporate submitted an knowledgeable opinion from Professor Juan Carlos De Martin, a pc engineering professor at Politecnico di Torino, supporting its technical arguments.

Regulatory findings

AGCOM rejected Cloudflare’s arguments, figuring out the corporate qualifies as a service supplier underneath Italy’s anti-piracy legislation whatever the particular nature of providers provided. The regulator famous that Article 2 of Legislation 93/2023 designates “service suppliers, together with community entry suppliers, VPN service suppliers, publicly obtainable DNS suppliers wherever resident and wherever positioned, search engine operators and data society service suppliers concerned in any capability within the accessibility of unlawful web sites or providers” as topic to blocking orders.

Verification checks carried out by AGCOM in Might 2025 earlier than issuing the violation discover and once more in October 2025 confirmed that domains and IP addresses topic to the blocking order remained accessible by means of Cloudflare’s public DNS providers. This demonstrated persevering with violation of the contested order.

The regulator emphasised that each one domains and IP addresses listed within the February order’s Annex A had been “solely destined for violation of copyright and associated rights.” These sources consisted solely of streaming or IPTV websites instantly distributing protected content material with out authorization. None had been topic to appeals by means of Piracy Defend’s grievance mechanism.

AGCOM famous that implementing the unlocking process launched by the August 2024 Omnibus decree happens both when platform capability limits are reached or upon rights holder request, even earlier than the six-month blocking interval expires if sources are now not used for criminal activity. Since Piracy Defend grew to become operational on February 1, 2024, the regulator had already reactivated sources blocked for over six months or these now not used for unlawful functions. The checklist transmitted to Cloudflare due to this fact contained solely not too long ago reported sources nonetheless used for criminal activity.

Two Italian courts have dominated in opposition to Cloudflare in separate copyright circumstances unbiased of the AGCOM continuing. Rome’s specialised enterprise court docket discovered that Cloudflare’s exercise “seems to be configurable as participation within the realization of illicit acts dedicated by third events” underneath Article 2055 of the Civil Code as a result of “offering reverse proxy exercise for the area identify, the defendant masks the associated internet hosting supplier, in order that the participation within the illicit seems to happen within the type of a contribution facilitating the transmission of protected applications.”

The court docket discovered Cloudflare “acts as an middleman that helps optimize the supply of those contents to customers, hides the originating area and protects it within the case of blocking by ferrying customers to the not but blocked area identify and however worries about how this knowledge arrives to guests in a quick and safe method, making transmission extra environment friendly and dashing up knowledge downloading.”

Penalty calculation

AGCOM calculated the effective at 1% of Cloudflare’s world income for 2024, the final fiscal 12 months closed earlier than the June 10, 2025, violation discover. Cloudflare reported $1,669.6 million in worldwide income for 2024, a 29% year-over-year improve.

The regulator thought-about a number of aggravating components when figuring out the penalty quantity. The violation was deemed extremely severe as a result of Cloudflare “assumes a figuring out position for the dissemination of content material in violation of copyright, producing vital financial injury in financial and social phrases.”

Analysis by FAPAV/Ipsos on audiovisual piracy in Italy for 2024 estimated 12 million misplaced viewings and €350 million in financial injury for dwell sports activities content material, will increase from 2023. Complete estimated misplaced income throughout all sectors of the Italian financial system from movie, sequence, and dwell sports activities piracy reached €2.2 billion. The potential injury estimated to the Italian financial system in GDP phrases was €904 million. Cloudflare seems as a service supplier in roughly 70% of measures taken by AGCOM relating to on-line copyright safety.

Whereas this represents the primary utility of anti-piracy legislation sanctions in opposition to Cloudflare, the regulator famous this as a mitigating issue justifying imposition of a penalty under the two% most.

AGCOM emphasised that Cloudflare “presents its providers in quite a few European and non-European international locations and, due to this fact, they transcend nationwide borders alone.” The corporate operates a world community protecting over 330 cities in additional than 100 international locations, reaching 95% of the internet-connected inhabitants. This world construction proves instrumental to offering providers that allow customers to entry content material worldwide.

The regulator decided the penalty ought to be primarily based on worldwide income fairly than Italian operations alone as a result of “the violation is dedicated by Cloudflare Inc. and bearing in mind above all that its world construction is instrumental to the supply of providers that enable customers to take pleasure in content material.”

This strategy aligns with different regulatory frameworks such because the Digital Providers Act and GDPR, which base penalties on world income no matter violators’ company buildings, even when violations relate to particular geographic areas.

When Italian income knowledge later grew to become obtainable, Cloudflare disclosed €[redacted] for 2023 and €[redacted] for 2024, exhibiting comparable progress developments domestically.

AGCOM discovered Cloudflare demonstrated no effort to eradicate or mitigate violation penalties after receiving the blocking order. The corporate’s Might 2, 2025, clarification request was deemed pretextual since each the deliberation and referenced determinations contained all requested data, and Cloudflare had been a direct recipient of these acts.

The regulator famous the violation’s significantly prolonged and presumably steady period, given the February 18, 2025, blocking order was notified to Cloudflare on March 7, 2025, and the anti-piracy legislation requires compliance inside half-hour of notification.

Trade and technical context

Cloudflare’s providers allow web customers to achieve web sites even when these websites are topic to blocking orders, significantly by means of VPN and publicly obtainable DNS providers. A VPN creates an encrypted digital tunnel between a tool and the net, masking the origin IP handle and permitting customers to bypass geographic blocks by assigning a brand new IP handle from a overseas server.

Public DNS providers translate domains into IP addresses. When provided by entities that don’t adjust to blocking orders, such providers enable customers to avoid blocks and attain obscured domains, lowering the effectiveness of regulator-imposed measures.

Since Piracy Defend’s February 2024 launch by means of January 2026, the platform has disabled over 65,000 totally certified domains and roughly 14,000 IP addresses designated for accessing unlawful content material. The system operates with a 30-minute response time requirement for all designated service suppliers.

Italy’s anti-piracy legislation, Legislation 93/2023, was enacted on July 14, 2023, with subsequent amendments by means of Decree-Legislation 123/2023 (transformed with modifications by Legislation 159/2023 on November 15, 2023) and Decree-Legislation 113/2024 (the August 2024 Omnibus decree, transformed with modifications by Legislation 143/2024 on October 7, 2024).

The laws grants AGCOM authority to order service suppliers to disable entry to content material disseminated unlawfully by blocking DNS decision of domains and blocking visitors routing to IP addresses predominantly used for unlawful actions. Orders additionally apply to “every other future area identify, subdomain, or IP handle, attributable to anybody, together with variations of the identify or easy declension or extension (so-called prime stage area), which permits entry to the identical content material disseminated unlawfully and to content material of the identical nature.”

Article 2, paragraph 5 of the anti-piracy legislation requires community entry service suppliers, search engine operators, and data society service suppliers “within the case the place they’re concerned in any capability within the accessibility of the web site or unlawful providers” to execute AGCOM orders “with none delay and, in any case, inside the most interval of thirty minutes from notification, disabling the DNS decision of domains and the routing of community visitors to IP addresses indicated within the checklist or in any case adopting the technological and organizational measures essential to make the content material disseminated unlawfully unusable by finish customers.”

Piracy Defend’s technical and operational necessities had been established by means of AGCOM deliberation 321/23/CONS on December 5, 2023, and up to date by deliberation 48/25/CONS on February 18, 2025. The platform was developed in collaboration with Italy’s Nationwide Cybersecurity Company by means of a technical working group established underneath Article 6, paragraph 2 of the anti-piracy legislation.

Cloudflare CEO’s response

On January 8, 2026, Cloudflare CEO Matthew Prince posted on X (formerly Twitter) about the fine, calling Italy’s piracy enforcement scheme “DISGUSTING.” Prince acknowledged that the regulator fined Cloudflare “$17 million for failing to associate with their scheme to censor the Web.”

Prince characterised the system as requiring Cloudflare “inside a mere half-hour of notification to completely censor from the Web any websites a shadowy cabal of European media elites deemed in opposition to their pursuits. No judicial oversight. No due course of. No attraction. No transparency.”

He acknowledged the scheme required Cloudflare “to not simply take away clients, but additionally censor our 1.1.1.1 DNS resolver that means it risked blacking out any website on the Web. And it required us not simply to censor the content material in Italy however globally. In different phrases, Italy insists a shadowy, European media cabal ought to be capable to dictate what’s and isn’t allowed on-line.”

Prince introduced Cloudflare is contemplating 4 response actions: discontinuing hundreds of thousands of {dollars} in professional bono cybersecurity providers for the upcoming Milano-Cortina Olympics; discontinuing free cybersecurity providers for any Italy-based customers; eradicating all servers from Italian cities; and terminating plans to construct an Italian workplace or make any investments within the nation.

He referenced U.S. Vice President JD Vance “taking a management position in recognizing the sort of regulation is a elementary unfair commerce problem that additionally threatens democratic values,” and agreed with Elon Musk that “free speech is important and underneath assault from an out-of-touch cabal of very disturbed European coverage makers.”

Prince acknowledged he would meet with U.S. administration officers in Washington and with the Worldwide Olympic Committee in Lausanne to stipulate dangers to the Olympic Video games if Cloudflare withdraws cybersecurity safety.

He concluded: “We imagine Italy, like all international locations, has a proper to manage the content material on networks inside its borders. However they have to achieve this following the Rule of Legislation and rules of Due Course of. And Italy definitely has no proper to manage what’s and isn’t allowed on the Web in the US, the UK, Canada, China, Brazil, India or anyplace exterior its borders.”

Implications for digital infrastructure suppliers

The effective represents a major escalation in regulatory stress on infrastructure corporations to actively take part in content material moderation past conventional internet hosting suppliers. Whereas platforms and internet hosting providers have lengthy confronted copyright enforcement obligations, extending comparable necessities to DNS suppliers and community providers raises questions in regards to the acceptable boundaries of middleman legal responsibility.

Cloudflare’s argument that it can not management content material hosted on buyer servers displays the standard understanding of “mere conduit” providers underneath middleman legal responsibility frameworks. Nevertheless, each Italian courts and AGCOM have decided that Cloudflare’s reverse proxy, CDN, and DNS providers contribute sufficiently to content material accessibility that blocking obligations apply.

The 30-minute compliance timeframe poses operational challenges for world infrastructure suppliers, significantly when blocking determinations come from automated platform submissions fairly than judicial orders. Cloudflare’s issues about filtering 200 billion every day DNS queries spotlight the technical complexity of implementing country-specific content material restrictions at web infrastructure layers.

AGCOM’s rejection of technical feasibility arguments suggests regulators anticipate infrastructure suppliers to develop capabilities for speedy content material blocking no matter operational impacts. The regulator’s place that world income ought to decide penalty quantities for providers that function internationally creates monetary incentives for compliance which will outweigh technical objections.

The dispute additionally raises jurisdictional questions in regards to the extent to which nationwide regulators can require world providers to implement native content material restrictions. Prince’s assertion that Italy seeks to “regulate what’s and isn’t allowed on the Web” past its borders displays broader tensions between territorial regulation and borderless web structure.

For advertising and marketing and promoting expertise corporations, the case demonstrates rising regulatory willingness to carry infrastructure suppliers accountable for content material distribution, even when these suppliers don’t host content material instantly. Related enforcement approaches may prolong to advert tech providers that facilitate monetization of pirated content material.

The precedent additionally alerts that DNS-level blocking has turn into a longtime software in regulators’ enforcement arsenals. Promoting platforms and verification providers might face stress to combine with content material blocking programs or danger comparable penalties for enabling monetization of blocked properties.

European regulatory context

Italy’s aggressive anti-piracy enforcement exists inside a broader European regulatory surroundings that has expanded digital service supplier obligations. The Digital Providers Act, which grew to become totally relevant in February 2024, establishes complete content material moderation necessities for on-line platforms and intermediaries.

Whereas the DSA usually prohibits imposing common monitoring obligations, Article 9 particularly authorizes competent authorities to problem orders requiring suppliers to behave in opposition to particular unlawful content material. These orders have to be clear, unambiguous, and duly reasoned, with suppliers required to tell authorities “with out undue delay” about actions taken.

The European Fee has expressed issues about Italy’s Piracy Defend implementation, although particular particulars of these issues stay unclear. AGCOM’s resolution notes that “even the EU has referred to as regarding” the scheme requiring full web censorship inside half-hour primarily based on determinations by media rights holders.

A number of EU member states have carried out comparable rapid-blocking mechanisms for dwell sports activities piracy. These programs usually function underneath judicial or administrative authority with shorter response instances than conventional copyright enforcement. The proliferation of such schemes throughout Europe suggests Italy’s strategy, whereas aggressive, displays broader regional developments.

For infrastructure suppliers working throughout a number of EU jurisdictions, managing compliance with various nationwide blocking necessities presents substantial operational complexity. The dearth of harmonized approaches to DNS-level blocking means suppliers should navigate totally different technical necessities, response timeframes, and legal responsibility requirements throughout member states.

Timeline

• July 14, 2023: Italy enacts Legislation 93/2023 establishing anti-piracy framework with 30-minute blocking necessities
• March 14, 2024: AGCOM contacts Cloudflare requesting designation of authorized consultant underneath Digital Providers Act
• February 1, 2024: Piracy Defend platform turns into operational
• Might 8, 2024: AGCOM sends second communication to Cloudflare relating to platform registration
• October 23, 2024: AGCOM points deliberation 401/24/CONS requiring DNS suppliers and different intermediaries to register with Piracy Defend
• November 28, 2024: Deliberation 401/24/CONS notified to Cloudflare
• February 18, 2025: AGCOM points deliberation 49/25/CONS ordering Cloudflare to dam particular domains and IP addresses
• March 7, 2025: Cloudflare information administrative attraction with Lazio Regional Administrative Court docket
• April 7, 2025: Cloudflare requests entry to paperwork referenced in blocking order
• Might 2, 2025: Cloudflare sends letter looking for clarification about blocking order
• June 10, 2025: AGCOM points violation discover to Cloudflare
• July 10, 2025: Cloudflare submits formal defenses
• December 29, 2025: AGCOM Council votes to impose €14.2 million effective
• January 8, 2026: Positive introduced publicly and notified to Cloudflare

Abstract

Who: Italy’s telecommunications regulator AGCOM fined Cloudflare Inc., a U.S.-based web infrastructure firm that gives CDN, DNS, and safety providers to hundreds of thousands of internet sites globally.

What: AGCOM imposed a €14,247,698.56 penalty (1% of Cloudflare’s 2024 world income) for refusing to adjust to orders to dam DNS decision and visitors routing to over 15,000 domains and IP addresses recognized by means of Italy’s Piracy Defend platform as internet hosting pirated sports activities streaming content material.

When: The effective was selected December 29, 2025, and publicly introduced on January 8, 2026. The violation pertains to Cloudflare’s failure to adjust to a February 18, 2025, blocking order that required motion inside half-hour.

The place: The enforcement motion originates from Italy underneath Legislation 93/2023, although the dispute has broader implications as a result of Cloudflare operates world infrastructure and Italy’s necessities would have an effect on its providers worldwide.

Why: AGCOM decided Cloudflare’s DNS providers allow Italian customers to entry pirated content material regardless of blocking orders carried out by different service suppliers, undermining copyright enforcement efforts. The regulator discovered Cloudflare qualifies as a “service supplier concerned within the accessibility of unlawful content material” underneath Italian anti-piracy legislation and should due to this fact implement blocks like different intermediaries. Cloudflare appeared as a service supplier in roughly 70% of AGCOM copyright enforcement actions over the previous decade.