Cloudflare faces €14.2 million fine from Italian regulator over piracy enforcement

Italy's telecommunications regulator AGCOM yesterday announced a €14,247,698.56 fine against Cloudflare Inc. for failing to comply with content blocking orders issued under the country's anti-piracy legislation. The penalty represents 1% of Cloudflare's global revenue and marks one of the largest enforcement actions taken under Italy's 2023 anti-piracy law.

The fine stems from Cloudflare's refusal to implement DNS-level blocking of domains and IP addresses flagged through Italy's Piracy Shield platform, which launched in February 2024 to combat unauthorized streaming of live sports events. AGCOM issued the initial blocking order on February 18, 2025, giving service providers 30 minutes to disable access to over 15,000 domains and IP addresses identified by rights holders as hosting pirated content.

Background of the dispute

AGCOM first contacted Cloudflare on March 14, 2024, requesting the company designate a legal representative in Italy as required under the EU's Digital Services Act. The regulator noted that over the previous decade, a substantial percentage of websites subject to copyright enforcement actions had utilized Cloudflare's services to distribute protected content without authorization.

On May 8, 2024, AGCOM sent a second communication after observing that Cloudflare encouraged its customers to file complaints against Piracy Shield blocks. The regulator invited Cloudflare to register with the platform to receive blocking notifications directly.

When Cloudflare did not respond to either communication or participate in technical working group meetings held under the anti-piracy law, AGCOM issued deliberation 401/24/CONS on October 23, 2024. This decision formally called on VPN providers, public DNS operators, search engines, and information society service providers involved in accessing illegal content to register with Piracy Shield.

The blocking order came on February 18, 2025, directing Cloudflare to disable DNS resolution and traffic routing to specific domains and IP addresses. Italian law requires compliance within 30 minutes of notification. Cloudflare did not implement the blocks or inform AGCOM of its response within the required seven-day reporting period, violating Article 9 of the Digital Services Regulation.

Cloudflare's defense

Cloudflare filed an administrative appeal with Italy's Lazio Regional Administrative Court on March 7, 2025, challenging the blocking order. The company argued it could not comply because it had not been enrolled in Piracy Shield and therefore lacked access to the specific domains and IP addresses requiring action.

On April 7, 2025, Cloudflare requested access to documents referenced in the blocking order. A follow-up letter on May 2, 2025, sought clarification about which rights were allegedly violated, who held those rights, what complaints had been filed, what investigations AGCOM conducted, and which Cloudflare services were supposedly used for infringement.

In July 2025 defenses submitted to AGCOM, Cloudflare maintained its services "do not give rise to the transmission of content present on the sites of service users" and that the company "has no technical possibility to know, control, modify or interfere in any way with the content published on websites that use its services." The company argued that suspending its services would not affect website accessibility since content remains available on third-party web servers regardless of Cloudflare's involvement.

Cloudflare contended that implementing DNS filtering would be "unreasonable, disproportionate and incapable of concrete implementation" because applying such filters to approximately 200 billion daily DNS queries would negatively impact latency and deprive the system of efficiency. The company also suggested that filtering its 1.1.1.1 DNS resolver would adversely affect resolution for all other non-blocked sites.

The company submitted an expert opinion from Professor Juan Carlos De Martin, a computer engineering professor at Politecnico di Torino, supporting its technical arguments.

Regulatory findings

AGCOM rejected Cloudflare's arguments, determining the company qualifies as a service provider under Italy's anti-piracy law regardless of the specific nature of services offered. The regulator noted that Article 2 of Law 93/2023 designates "service providers, including network access providers, VPN service providers, publicly available DNS providers wherever resident and wherever located, search engine operators and information society service providers involved in any capacity in the accessibility of illegal websites or services" as subject to blocking orders.

Verification checks conducted by AGCOM in May 2025 before issuing the violation notice and again in October 2025 confirmed that domains and IP addresses subject to the blocking order remained accessible through Cloudflare's public DNS services. This demonstrated continuing violation of the contested order.

The regulator emphasized that all domains and IP addresses listed in the February order's Annex A were "exclusively destined for violation of copyright and related rights." These resources consisted solely of streaming or IPTV sites directly distributing protected content without authorization. None were subject to appeals through Piracy Shield's complaint mechanism.

AGCOM noted that implementing the unlocking procedure introduced by the August 2024 Omnibus decree occurs either when platform capacity limits are reached or upon rights holder request, even before the six-month blocking period expires if resources are no longer used for illegal activity. Since Piracy Shield became operational on February 1, 2024, the regulator had already reactivated resources blocked for over six months or those no longer used for illegal purposes. The list transmitted to Cloudflare therefore contained exclusively recently reported resources still used for illegal activity.

Two Italian courts have ruled against Cloudflare in separate copyright cases independent of the AGCOM proceeding. Rome's specialized business court found that Cloudflare's activity "appears to be configurable as participation in the realization of illicit acts committed by third parties" under Article 2055 of the Civil Code because "providing reverse proxy activity for the domain name, the defendant masks the related hosting provider, so that the participation in the illicit appears to take place in the form of a contribution facilitating the transmission of protected programs."

The court found Cloudflare "acts as an intermediary that helps optimize the delivery of these contents to users, hides the originating domain and protects it in the case of blocking by ferrying users to the not yet blocked domain name and on the other hand worries about how this data arrives to visitors in a fast and secure way, making transmission more efficient and speeding up data downloading."

Penalty calculation

AGCOM calculated the fine at 1% of Cloudflare's global revenue for 2024, the last fiscal year closed before the June 10, 2025, violation notice. Cloudflare reported $1,669.6 million in worldwide revenue for 2024, a 29% year-over-year increase.

The regulator considered several aggravating factors when determining the penalty amount. The violation was deemed highly serious because Cloudflare "assumes a determining role for the dissemination of content in violation of copyright, generating significant economic damage in economic and social terms."

Research by FAPAV/Ipsos on audiovisual piracy in Italy for 2024 estimated 12 million lost viewings and €350 million in economic damage for live sports content, increases from 2023. Total estimated lost revenue across all sectors of the Italian economy from film, series, and live sports piracy reached €2.2 billion. The potential damage estimated to the Italian economy in GDP terms was €904 million. Cloudflare appears as a service provider in approximately 70% of measures taken by AGCOM regarding online copyright protection.

While this represents the first application of anti-piracy law sanctions against Cloudflare, the regulator noted this as a mitigating factor justifying imposition of a penalty below the 2% maximum.

AGCOM emphasized that Cloudflare "offers its services in numerous European and non-European countries and, therefore, they go beyond national borders alone." The company operates a global network covering over 330 cities in more than 100 countries, reaching 95% of the internet-connected population. This global structure proves instrumental to providing services that enable users to access content worldwide.

The regulator determined the penalty should be based on worldwide revenue rather than Italian operations alone because "the violation is committed by Cloudflare Inc. and taking into account above all that its global structure is instrumental to the provision of services that allow users to enjoy content."

This approach aligns with other regulatory frameworks such as the Digital Services Act and GDPR, which base penalties on global revenue regardless of violators' corporate structures, even when violations relate to specific geographic areas.

When Italian revenue data later became available, Cloudflare disclosed €[redacted] for 2023 and €[redacted] for 2024, showing similar growth trends domestically.

AGCOM found Cloudflare demonstrated no effort to eliminate or mitigate violation consequences after receiving the blocking order. The company's May 2, 2025, clarification request was deemed pretextual since both the deliberation and referenced determinations contained all requested information, and Cloudflare had been a direct recipient of those acts.

The regulator noted the violation's particularly extended and presumably continuous duration, given the February 18, 2025, blocking order was notified to Cloudflare on March 7, 2025, and the anti-piracy law requires compliance within 30 minutes of notification.

Industry and technical context

Cloudflare's services enable internet users to reach websites even when those sites are subject to blocking orders, particularly through VPN and publicly available DNS services. A VPN creates an encrypted virtual tunnel between a device and the web, masking the origin IP address and allowing users to bypass geographic blocks by assigning a new IP address from a foreign server.

Public DNS services translate domain names into IP addresses. When offered by entities that do not comply with blocking orders, such services allow users to circumvent blocks and reach obscured domains, reducing the effectiveness of regulator-imposed measures.

Since Piracy Shield's February 2024 launch through January 2026, the platform has disabled over 65,000 fully qualified domain names and approximately 14,000 IP addresses designated for accessing illegal content. The system operates with a 30-minute response time requirement for all designated service providers.

Italy's anti-piracy law, Law 93/2023, was enacted on July 14, 2023, with subsequent amendments through Decree-Law 123/2023 (converted with modifications by Law 159/2023 on November 15, 2023) and Decree-Law 113/2024 (the August 2024 Omnibus decree, converted with modifications by Law 143/2024 on October 7, 2024).

The legislation grants AGCOM authority to order service providers to disable access to content disseminated unlawfully by blocking DNS resolution of domain names and blocking traffic routing to IP addresses predominantly used for illegal activities. Orders also apply to "any other future domain name, subdomain, or IP address, attributable to anyone, including variations of the name or simple declension or extension (so-called top level domain), which allows access to the same content disseminated unlawfully and to content of the same nature."

Article 2, paragraph 5 of the anti-piracy law requires network access service providers, search engine operators, and information society service providers "in the case where they are involved in any capacity in the accessibility of the website or illegal services" to execute AGCOM orders "without any delay and, in any case, within the maximum period of thirty minutes from notification, disabling the DNS resolution of domain names and the routing of network traffic to IP addresses indicated in the list or in any case adopting the technological and organizational measures necessary to make the content disseminated unlawfully unusable by end users."

Piracy Shield's technical and operational requirements were established through AGCOM deliberation 321/23/CONS on December 5, 2023, and updated by deliberation 48/25/CONS on February 18, 2025. The platform was developed in collaboration with Italy's National Cybersecurity Agency through a technical working group established under Article 6, paragraph 2 of the anti-piracy law.

Cloudflare CEO's response

On January 8, 2026, Cloudflare CEO Matthew Prince posted on X (formerly Twitter) about the fine, calling Italy's piracy enforcement scheme "DISGUSTING." Prince stated that the regulator fined Cloudflare "$17 million for failing to go along with their scheme to censor the Internet."

Prince characterized the system as requiring Cloudflare "within a mere 30 minutes of notification to fully censor from the Internet any sites a shadowy cabal of European media elites deemed against their interests. No judicial oversight. No due process. No appeal. No transparency."

He stated the scheme required Cloudflare "to not just remove customers, but also censor our 1.1.1.1 DNS resolver meaning it risked blacking out any site on the Internet. And it required us not just to censor the content in Italy but globally. In other words, Italy insists a shadowy, European media cabal should be able to dictate what is and is not allowed online."

Prince announced Cloudflare is considering four response actions: discontinuing millions of dollars in pro bono cybersecurity services for the upcoming Milano-Cortina Olympics; discontinuing free cybersecurity services for any Italy-based users; removing all servers from Italian cities; and terminating plans to build an Italian office or make any investments in the country.

He referenced U.S. Vice President JD Vance "taking a leadership role in recognizing this type of regulation is a fundamental unfair trade issue that also threatens democratic values," and agreed with Elon Musk that "free speech is critical and under attack from an out-of-touch cabal of very disturbed European policy makers."

Prince stated he would meet with U.S. administration officials in Washington and with the International Olympic Committee in Lausanne to outline risks to the Olympic Games if Cloudflare withdraws cybersecurity protection.

He concluded: "We believe Italy, like all countries, has a right to regulate the content on networks inside its borders. But they must do so following the Rule of Law and principles of Due Process. And Italy certainly has no right to regulate what is and is not allowed on the Internet in the United States, the United Kingdom, Canada, China, Brazil, India or anywhere outside its borders."

Implications for digital infrastructure providers

The fine represents a significant escalation in regulatory pressure on infrastructure companies to actively participate in content moderation beyond traditional hosting providers. While platforms and hosting services have long faced copyright enforcement obligations, extending similar requirements to DNS providers and network services raises questions about the appropriate boundaries of intermediary liability.

Cloudflare's argument that it cannot control content hosted on customer servers reflects the traditional understanding of "mere conduit" services under intermediary liability frameworks. However, both Italian courts and AGCOM have determined that Cloudflare's reverse proxy, CDN, and DNS services contribute sufficiently to content accessibility that blocking obligations apply.

The 30-minute compliance timeframe poses operational challenges for global infrastructure providers, particularly when blocking determinations come from automated platform submissions rather than judicial orders. Cloudflare's concerns about filtering 200 billion daily DNS queries highlight the technical complexity of implementing country-specific content restrictions at internet infrastructure layers.

AGCOM's rejection of technical feasibility arguments suggests regulators expect infrastructure providers to develop capabilities for rapid content blocking regardless of operational impacts. The regulator's position that global revenue should determine penalty amounts for services that operate internationally creates financial incentives for compliance that may outweigh technical objections.

The dispute also raises jurisdictional questions about the extent to which national regulators can require global services to implement local content restrictions. Prince's statement that Italy seeks to "regulate what is and is not allowed on the Internet" beyond its borders reflects broader tensions between territorial regulation and borderless internet architecture.

For marketing and advertising technology companies, the case demonstrates increasing regulatory willingness to hold infrastructure providers accountable for content distribution, even when those providers do not host content directly. Similar enforcement approaches could extend to ad tech services that facilitate monetization of pirated content.

The precedent also signals that DNS-level blocking has become an established tool in regulators' enforcement arsenals. Advertising platforms and verification services may face pressure to integrate with content blocking systems or risk similar penalties for enabling monetization of blocked properties.

European regulatory context

Italy's aggressive anti-piracy enforcement exists within a broader European regulatory environment that has expanded digital service provider obligations. The Digital Services Act, which became fully applicable in February 2024, establishes comprehensive content moderation requirements for online platforms and intermediaries.

While the DSA generally prohibits imposing general monitoring obligations, Article 9 specifically authorizes competent authorities to issue orders requiring providers to act against specific illegal content. These orders must be clear, unambiguous, and duly reasoned, with providers required to inform authorities "without undue delay" about actions taken.

The European Commission has expressed concerns about Italy's Piracy Shield implementation, though specific details of those concerns remain unclear. AGCOM's decision notes that "even the EU has called concerning" the scheme requiring full internet censorship within 30 minutes based on determinations by media rights holders.

Several EU member states have implemented similar rapid-blocking mechanisms for live sports piracy. These systems typically operate under judicial or administrative authority with shorter response times than traditional copyright enforcement. The proliferation of such schemes across Europe suggests Italy's approach, while aggressive, reflects broader regional trends.

For infrastructure providers operating across multiple EU jurisdictions, managing compliance with varying national blocking requirements presents substantial operational complexity. The lack of harmonized approaches to DNS-level blocking means providers must navigate different technical requirements, response timeframes, and liability standards across member states.

Timeline

• July 14, 2023: Italy enacts Law 93/2023 establishing anti-piracy framework with 30-minute blocking requirements
• March 14, 2024: AGCOM contacts Cloudflare requesting designation of legal representative under Digital Services Act
• February 1, 2024: Piracy Shield platform becomes operational
• May 8, 2024: AGCOM sends second communication to Cloudflare regarding platform registration
• October 23, 2024: AGCOM issues deliberation 401/24/CONS requiring DNS providers and other intermediaries to register with Piracy Shield
• November 28, 2024: Deliberation 401/24/CONS notified to Cloudflare
• February 18, 2025: AGCOM issues deliberation 49/25/CONS ordering Cloudflare to block specific domains and IP addresses
• March 7, 2025: Cloudflare files administrative appeal with Lazio Regional Administrative Court
• April 7, 2025: Cloudflare requests access to documents referenced in blocking order
• May 2, 2025: Cloudflare sends letter seeking clarification about blocking order
• June 10, 2025: AGCOM issues violation notice to Cloudflare
• July 10, 2025: Cloudflare submits formal defenses
• December 29, 2025: AGCOM Council votes to impose €14.2 million fine
• January 8, 2026: Fine announced publicly and notified to Cloudflare

Summary

Who: Italy's telecommunications regulator AGCOM fined Cloudflare Inc., a U.S.-based internet infrastructure company that provides CDN, DNS, and security services to millions of websites globally.

What: AGCOM imposed a €14,247,698.56 penalty (1% of Cloudflare's 2024 global revenue) for refusing to comply with orders to block DNS resolution and traffic routing to over 15,000 domains and IP addresses identified through Italy's Piracy Shield platform as hosting pirated sports streaming content.

When: The fine was decided on December 29, 2025, and publicly announced on January 8, 2026. The violation relates to Cloudflare's failure to comply with a February 18, 2025, blocking order that required action within 30 minutes.

Where: The enforcement action originates from Italy under Law 93/2023, though the dispute has broader implications because Cloudflare operates global infrastructure and Italy's requirements would affect its services worldwide.

Why: AGCOM determined Cloudflare's DNS services enable Italian users to access pirated content despite blocking orders implemented by other service providers, undermining copyright enforcement efforts. The regulator found Cloudflare qualifies as a "service provider involved in the accessibility of illegal content" under Italian anti-piracy law and must therefore implement blocks like other intermediaries. Cloudflare appeared as a service provider in approximately 70% of AGCOM copyright enforcement actions over the past decade.