Cloudflare yesterday published a detailed explanation of why it has appealed a €14 million fine imposed by Italy's communications regulator, AGCOM, escalating what has become one of the most consequential legal battles over internet infrastructure governance in Europe. The blog post, authored by Patrick Nemeroff and Emily Terrell and dated March 16, 2026, lays out Cloudflare's case against Italy's Piracy Shield system - a regulatory mechanism the company describes as fundamentally incompatible with EU law and the open architecture of the internet.

The appeal, filed on March 8, 2026, contests both the penalty itself and the broader legality of Italy's anti-piracy framework. At its core, the dispute centers on whether private rightsholders should be able to compel global infrastructure providers to block websites within 30 minutes - without judicial review, without transparency, and without any meaningful process for affected parties to seek redress.

What is Piracy Shield?

Piracy Shield launched as an electronic portal operated under the authority of AGCOM, Italy's national communications regulator. According to Cloudflare's blog post, the system allows "an unidentified set of Italian media companies" to submit websites and IP addresses for blocking. Service providers registered with the platform must then disable access within 30 minutes of notification.

The technical requirements of Piracy Shield were established through AGCOM deliberation 321/23/CONS on December 5, 2023, and subsequently updated by deliberation 48/25/CONS on February 18, 2025. The platform was developed in collaboration with Italy's National Cybersecurity Agency. PPC Land reported in January 2026 that the fine stemmed from Cloudflare's refusal to implement DNS-level blocking of domains and IP addresses flagged through Piracy Shield.

What distinguishes Piracy Shield from conventional copyright enforcement mechanisms is the near-total absence of procedural safeguards. According to the Cloudflare blog post, there is no judicial oversight - private companies, not judges or government officials, decide what gets blocked. There is no transparency, as the public and even service providers themselves are often left uninformed about who requested a block or the reasons behind it. There is no due process, meaning no mechanism exists for a website owner to challenge a block before their site goes dark on the Italian internet. And there is no effective redress for parties impacted by erroneous blocking.

The origins of the system raise additional questions. According to Cloudflare, Piracy Shield was "donated" to the Italian government by SP Tech, an arm of the law firm that represents several of the system's major direct beneficiaries, including Lega Nazionale Professionisti Serie A - Italy's top professional soccer league. That relationship between the system's developer and its primary beneficiaries has drawn scrutiny from critics who argue it represents a fundamental conflict of interest.

A pattern of overblocking

Almost immediately after Piracy Shield became operational, problems emerged. The system requires service providers to block IP addresses - a blunt approach that creates what Cloudflare describes as "an unavoidable risk of overblocking innocent websites" because IP addresses are regularly shared by thousands of unrelated sites. The consequences have been significant.

According to the blog post, tens of thousands of legitimate websites were rendered inaccessible from Italy, including Ukrainian government sites serving schools and scientific research institutions. A wide range of European small businesses and NGOs focused on social programs for women and children were also inadvertently blocked. Perhaps most notably, the system blocked access to Google Drive for over 12 hours, preventing thousands of Italian students and professionals from reaching critical files.

A September 2025 study by the University of Twente confirmed that Piracy Shield routinely blocks legitimate websites for months at a time. Despite this evidence, AGCOM did not reverse course. Instead, the regulator chose to expand the system's scope to cover global DNS providers and VPNs - services closely associated with privacy and free expression. AGCOM also began taking what Cloudflare describes as "increasingly aggressive steps" to force global service providers, even those with no legal or operational presence in Italy, to register with the platform.

The expansion of blocking obligations to DNS providers represents a particularly significant escalation. Cloudflare operates one of the world's most widely used public DNS resolvers at 1.1.1.1, which processes approximately 6 million DNS requests per second. Requiring such a service to implement country-specific blocking raises fundamental questions about the architecture of the global internet and whether national regulators can impose content restrictions on infrastructure that serves billions of users worldwide.

Cloudflare's opposition to Piracy Shield did not begin with the fine. According to the blog post, the company met with AGCOM in 2024 to highlight structural flaws in the scheme and proposed alternative approaches to combating piracy that would not compromise the internet's core architecture. When those concerns were dismissed, Cloudflare moved to legal action.

The company challenged AGCOM's effort to force its registration with Piracy Shield in Italian administrative courts. Alongside the Computer & Communications Industry Association (CCIA), Cloudflare also filed a complaint with the European Commission. The company's position has remained consistent throughout: Piracy Shield is incompatible with EU law, most notably the Digital Services Act (DSA), which requires that any content restriction be proportionate and subject to strict procedural safeguards.

The Digital Services Act, which became fully operational for all platforms on February 17, 2024, establishes comprehensive rules for online intermediary services across the European Union. Its framework requires transparency, proportionality, and meaningful redress mechanisms - requirements that Cloudflare argues Piracy Shield fails to meet on every count.

The European Commission appeared to share some of these concerns. Following Cloudflare's complaint, the Commission issued a letter on June 13, 2025, criticizing the lack of oversight inherent in the Piracy Shield framework. Then, on December 23, 2025, an Italian administrative court issued what Cloudflare describes as "an encouraging ruling" requiring AGCOM to share with the company all the records that purportedly support Piracy Shield blocking orders.

Those records have not yet been delivered.

The fine and its calculation

Less than one week after the court ordered disclosure of Piracy Shield records, AGCOM moved on December 29, 2025, to issue its €14 million fine. The timing drew immediate attention. But it was the calculation behind the penalty that Cloudflare found most objectionable.

Under Italian law, fines for non-compliance with Piracy Shield are capped at 2% of a company's revenue within the relevant jurisdiction. Based on Cloudflare's Italian earnings, according to the blog post, that cap should have limited any fine to approximately €140,000. Instead, AGCOM calculated the penalty based on Cloudflare's global revenue, producing a figure nearly 100 times higher than what the company argues is the legal maximum.

PPC Land's January 2026 coverage detailed how AGCOM justified the global revenue calculation. The regulator argued that because Cloudflare "offers its services in numerous European and non-European countries," the violation extends beyond national borders. AGCOM also noted that Cloudflare appears as a service provider in approximately 70% of measures taken by the regulator regarding online copyright protection.

On January 8, 2026, Cloudflare CEO Matthew Prince responded publicly on X, calling the enforcement scheme "DISGUSTING." Prince stated that AGCOM had fined Cloudflare "$17 million for failing to go along with their scheme to censor the Internet." He characterized Piracy Shield as requiring Cloudflare "within a mere 30 minutes of notification to fully censor from the Internet any sites a shadowy cabal of European media elites deemed against their interests."

Transparency remains elusive

Beyond the fine, the question of transparency has become a central battleground. The Italian administrative court ordered AGCOM to share its Piracy Shield records with Cloudflare in December 2025. But according to the blog post, AGCOM has not complied with the spirit of that order. Instead, just four days before the disclosure deadline, AGCOM informed Cloudflare that it would make some records available for inspection at an AGCOM facility in Naples - subject to supervision by AGCOM officials.

According to Cloudflare, "these limitations are not just unreasonably burdensome and contrary to the letter and spirit of the disclosure order; they raise real questions about why AGCOM is so intent on resisting transparency."

The resistance to disclosure stands in contrast to the broader direction of European digital regulation. The DSA was designed precisely to increase transparency and accountability in how online content is governed. The European Commission has fined platforms including X €120 million for transparency violations under the DSA, and has pursued TikTok and Meta for failing to provide adequate researcher data access. The principle that content restriction decisions must be subject to scrutiny runs through the entire European regulatory framework.

Yet Piracy Shield operates in the opposite direction. Its "black box" architecture, as Cloudflare describes it, insulates blocking decisions from public review while empowering a set of private actors to determine what millions of Italian internet users can access.

Why this matters for the marketing and advertising community

At first glance, a dispute between a CDN provider and an Italian regulator over sports piracy might seem remote from the concerns of marketing professionals. It is not.

The infrastructure that Cloudflare provides - DNS resolution, content delivery, DDoS protection - underpins the performance and availability of millions of websites, including those operated by advertisers, publishers, and e-commerce businesses. When that infrastructure becomes subject to arbitrary blocking requirements imposed by a single national regulator, the reliability of the entire advertising ecosystem is at risk.

The Google Drive outage caused by Piracy Shield illustrates the point directly. When IP address blocking takes down a major productivity platform for 12 hours, it does not just affect Italian soccer fans seeking pirated streams. It disrupts businesses that depend on cloud services for daily operations, including advertising agencies, media buyers, and publishers managing campaigns in real time.

More broadly, the case raises questions about intermediary liability that extend well beyond Italy. European regulators have been reshaping how platforms operate through instruments including the DSA and GDPR, creating new compliance obligations for advertising technology providers. If national regulators can compel global infrastructure companies to block content without judicial oversight - and impose fines calculated on worldwide revenue for non-compliance - the precedent affects every company that relies on internet infrastructure to reach customers.

The tension between national regulatory ambitions and global internet architecture is not unique to Italy. European enforcement actions have accelerated across multiple fronts, from advertising technology to content moderation. The UK's Online Safety Act triggered a 1,400% surge in VPN sign-ups, reflecting consumer unease about government-mandated content restrictions. Each jurisdiction that imposes its own blocking requirements on global services increases the complexity and fragmentation of the internet that advertising and commerce depend upon.

What happens next

Cloudflare has stated that it is appealing the €14 million fine, pushing for full access to AGCOM's Piracy Shield records, and will continue to challenge the underlying legality of the blocking orders in Italian administrative courts. The company also indicated it will continue pursuing the matter through the European Commission.

According to the blog post, Cloudflare acknowledges that "rightsholders have a legitimate interest in protecting their content" and notes that the company works with rightsholders "every day to address infringement in ways that are precise and effective." But the company draws a firm line: those interests "cannot override the basic requirements of legal due process or the technical integrity of the global Internet."

The case's resolution could take years, given the multiple legal tracks involved - administrative appeals in Italy, a complaint before the European Commission, and the ongoing challenge to Piracy Shield's compatibility with EU law. The Italian administrative court's December 2025 ruling ordering disclosure of records suggests that at least some judicial scrutiny of the system is forthcoming.

For the broader technology and advertising industries, the outcome will help define whether national regulators can compel global infrastructure providers to act as enforcement arms for private rightsholders - and at what cost to the open internet that underpins digital commerce worldwide.

Timeline

  • December 5, 2023 - AGCOM establishes Piracy Shield's technical and operational requirements through deliberation 321/23/CONS.
  • February 1, 2024 - Piracy Shield becomes operational.
  • February 17, 2024 - The EU's Digital Services Act becomes fully operational for all platforms.
  • March 14, 2024 - AGCOM first contacts Cloudflare, requesting the company designate a legal representative in Italy.
  • 2024 - Cloudflare meets with AGCOM to highlight structural flaws in Piracy Shield and proposes alternative approaches to combating piracy.
  • October 23, 2024 - AGCOM issues deliberation 401/24/CONS, formally calling on VPN providers, public DNS operators, and other service providers to register with Piracy Shield.
  • February 18, 2025 - AGCOM issues a blocking order directing Cloudflare to disable DNS resolution and traffic routing to specific domains and IP addresses, giving 30 minutes to comply. Piracy Shield requirements updated through deliberation 48/25/CONS.
  • September 2025 - University of Twente study confirms Piracy Shield routinely blocks legitimate websites for months at a time.
  • June 13, 2025 - European Commission issues a letter criticizing the lack of oversight in the Piracy Shield framework.
  • December 23, 2025 - Italian administrative court rules that AGCOM must share Piracy Shield records with Cloudflare.
  • December 29, 2025 - AGCOM issues a €14 million fine against Cloudflare for non-compliance with Piracy Shield.
  • January 8, 2026 - Cloudflare CEO Matthew Prince publicly criticizes the fine on X.
  • March 8, 2026 - Cloudflare formally appeals the €14 million fine.
  • March 16, 2026 - Cloudflare publishes a detailed blog post explaining its legal position and the reasons behind its appeal.

Summary

Who: Cloudflare Inc., Italy's communications regulator AGCOM, Italian media companies and rightsholders including Lega Nazionale Professionisti Serie A, the Computer & Communications Industry Association (CCIA), and the European Commission.

What: Cloudflare has appealed a €14 million fine imposed by AGCOM for refusing to register with and comply with Italy's Piracy Shield system - an electronic portal that allows private rightsholders to compel service providers to block websites and IP addresses within 30 minutes without judicial oversight. Cloudflare argues the system violates EU law, including the Digital Services Act, and has caused widespread overblocking of legitimate websites.

When: The fine was issued on December 29, 2025. Cloudflare filed its appeal on March 8, 2026. The blog post explaining the company's position was published on March 16, 2026. The legal challenge encompasses multiple proceedings dating back to 2024.

Where: Italy, with broader implications across the European Union. The dispute involves Italian administrative courts, the European Commission in Brussels, and Cloudflare's global infrastructure spanning over 330 cities in more than 100 countries.

Why: Cloudflare contends that Piracy Shield lacks the fundamental safeguards required by EU law - including judicial oversight, transparency, due process, and proportionality. The company argues that the system's IP-address-based blocking approach causes unavoidable collateral damage to innocent websites, as evidenced by documented outages affecting Google Drive, government websites, small businesses, and NGOs. The €14 million fine, calculated on global rather than Italian revenue, exceeds what Cloudflare says is the legal cap of approximately €140,000 by nearly 100 times.

Share this article
The link has been copied!