Cloudflare has filed an appeal against a €14 million fine imposed by Italy’s communications regulator, AGCOM, escalating an ongoing legal dispute over the country’s controversial “Piracy Shield” anti-piracy system.
The internet giant argues the framework enables unchecked Internet blocking and threatens core principles of transparency and due process.
The dispute stems from Cloudflare’s refusal to register with the system, followed by legal challenges in Italian courts and a complaint submitted to the European Commission alongside the Computer & Communications Industry Association (CCIA).
Piracy Shield, introduced by AGCOM as a rapid-response anti-piracy mechanism, allows approved rightsholders, primarily media organizations, to submit domains and IP addresses for blocking. Participating service providers must enforce these blocks within 30 minutes. However, Cloudflare describes the platform as a “black box,” citing the absence of judicial oversight, transparency, or avenues for appeal. Blocking decisions are reportedly made by private entities rather than courts, and affected website operators are not given the opportunity to contest restrictions before they are enforced.
Cloudflare, a U.S.-based Internet infrastructure provider serving millions of websites globally through services such as CDN, DNS resolution, and DDoS protection, plays a critical role in maintaining Internet performance and security. As such, any requirement to implement network-level blocking has far-reaching implications beyond Italy, potentially affecting shared infrastructure used by unrelated services.
According to Cloudflare, the risks associated with Piracy Shield have already materialized. Because the system relies heavily on IP address blocking, despite IPs commonly being shared across thousands of domains, numerous cases of collateral damage have been documented. These include outages affecting Ukrainian educational and government websites, disruptions to NGOs and small businesses across Europe, and a 12-hour block of Google Drive that prevented access to critical files for Italian users. A study by the University of Twente found that erroneous blocks can persist for months.
Despite these incidents, AGCOM expanded the scope of Piracy Shield to include global DNS providers and VPN services, while also increasing pressure on foreign companies with no direct operational presence in Italy to comply. Cloudflare maintains that the system violates the EU’s Digital Services Act (DSA), which mandates proportionality and procedural safeguards for content restriction measures.
Regarding the fine itself, Cloudflare claims that Italian law caps such penalties at 2% of a company’s in-country revenue, which would set the maximum fine at approximately €140,000. Instead, AGCOM calculated the penalty based on Cloudflare’s global revenue, resulting in a sanction nearly 100 times higher. The company also criticized the timing of the fine, which was issued shortly after a court ordered AGCOM to disclose records supporting Piracy Shield’s blocking actions, records that have yet to be fully provided.
Moreover, AGCOM reportedly offered limited, supervised access to some documentation at a facility in Naples rather than complying with broader disclosure expectations. Cloudflare argues this approach undermines transparency and suggests reluctance to expose how blocking decisions are made.
The company says it will continue its legal fight in Italian courts and at the EU level, while pushing for full disclosure of Piracy Shield operational data.
Leave a Reply