At Cloudflare, our mission is to assist construct a greater Web. Often, which means rolling out new companies to our tens of millions of customers or defending the online in opposition to the world’s largest cyber assaults. However generally, constructing a greater Web requires us to face up in opposition to legal guidelines or laws that threaten its basic structure.
Final week, Cloudflare continued its authorized battle in opposition to “Piracy Defend,” a misguided Italian regulatory scheme designed to guard giant rightsholder pursuits on the expense of the broader Web. After Cloudflare resisted registering for Piracy Defend and challenged it in courtroom, the Italian communications regulator, AGCOM, fined Cloudflare a staggering €14 million (~$17 million). We appealed that advantageous on March 8, and we proceed to problem the legality of Piracy Defend itself.
Whereas the advantageous is important, the rules at stake are even bigger. This case is not nearly a single penalty; it’s about whether or not a handful of personal entities can prioritize their very own financial pursuits over these of Web customers by forcing world infrastructure suppliers to dam giant swaths of the Web with out oversight, transparency, or due course of.
To grasp why we’re preventing this, it’s essential to take a step again and perceive Piracy Defend. Marketed by AGCOM as an progressive device to combat copyright infringement, the system is healthier understood as a blunt device for rightsholders to regulate what is offered on the Web with none conventional authorized safeguards.
Piracy Defend is an unsupervised digital portal by means of which an unidentified set of Italian media corporations can submit web sites and IP addresses that on-line service suppliers registered with Piracy Defend are then required to dam inside half-hour. Piracy Defend operates as a “black box” as a result of there’s:
No judicial oversight: Non-public corporations, not judges or authorities officers, determine what will get blocked.
No transparency: The general public, and even the service suppliers themselves, are sometimes left at midnight about who requested a block or why.
No due course of: There isn’t a mechanism for an internet site proprietor to problem a block earlier than their web site turns into unavailable on the Italian internet.
No redress: Together with a whole lack of transparency or due course of, Piracy Defend provides no efficient approach for impacted events to hunt redress from inaccurate blocking.
It’s not solely shocking that Piracy Defend so clearly prioritizes the financial pursuits of media corporations over the rights of Italian Web customers. The system was “donated” to the Italian authorities by SP Tech, an arm of the legislation agency that represents a number of of Piracy Defend’s main direct beneficiaries, together with Lega Nazionale Professionisti Serie A (Italy’s main soccer league).
The excessive value of Piracy Defend
Virtually instantly after Piracy Defend was rolled out, there have been important issues. Along with the unworkable 30-minute deadline and the shortage of safeguards described above, the scheme requires service suppliers to interact in IP deal with blocking. This creates an unavoidable threat of overblocking harmless web sites on account of the truth that IP addresses are frequently and essentially shared by 1000’s of internet sites. Not surprisingly, inside a couple of months of its launch, Piracy Defend brought on main outages for individuals and companies who had completed nothing incorrect.
Notable failures embody:
Authorities and academic blackouts: Tens of 1000’s of professional websites had been rendered inaccessible from Italy, together with Ukrainian authorities web sites for faculties and scientific analysis.
Small enterprise & NGO disruption: A variety of European small companies and NGOs centered on social packages for girls and kids had been inadvertently blocked.
Lack of important companies: The system blocked entry to Google Drive for over 12 hours, stopping 1000’s of Italian college students and professionals from accessing vital information.
Persistent collateral blocking: A September 2025 examine by the College of Twente confirmed that the system routinely blocks professional web sites for months at a time.
Even when confronted with clear proof that Piracy Defend has brought on important and repeated overblocking, AGCOM didn’t change course. Fairly, it selected to broaden Piracy Defend to use to world DNS suppliers and VPNs, companies that are carefully related to privateness and free expression. AGCOM additionally began taking more and more aggressive steps to pressure world service suppliers, even ones with no authorized or operational presence in Italy, to register with Piracy Defend.
Cloudflare’s principled problem
Cloudflare has been clear in regards to the dangers posed by Piracy Defend from the start. In 2024, we met with AGCOM to spotlight the scheme’s structural flaws and penalties and proposed more practical methods to collaborate that would not break the Web’s core structure.
When these issues had been ignored, we moved on to authorized motion. We challenged AGCOM’s effort to pressure Cloudflare to hitch Piracy Defend within the Italian administrative courts and, together with the Pc & Communications Business Affiliation (CCIA), we filed a grievance with the European Fee. Extra informally, we have now continued to succeed in out to authorities officers each in Italy and on the EU degree to clarify our place and make our issues identified. Our place has been constant and stays that Piracy Defend is incompatible with EU legislation, most notably the Digital Companies Act (DSA), which requires that any content material restriction be proportionate and topic to strict procedural safeguards.
The European Fee, following our grievance, expressed comparable issues, issuing a letter on June 13, 2025, criticizing the shortage of oversight inherent within the Piracy Defend framework. And on December 23, 2025, the Italian administrative courtroom issued an encouraging ruling requiring AGCOM to share with Cloudflare all of the information that purportedly help Piracy Defend blocking orders. Whereas we have now not but acquired these information, we count on them to shed important gentle on Piracy Defend’s operations.
An extreme advantageous and nonetheless no transparency
Fairly than awaiting the end result of our authorized challenges, and fewer than one week after being ordered to reveal Piracy Defend information to Cloudflare, AGCOM moved on December 29, 2025, to difficulty its advantageous. The advantageous’s timing was not the one eyebrow-raising factor about it. The mathematics behind the penalty is as flawed because the system it’s looking for to implement.
Underneath Italian legislation, fines for non-compliance are capped at 2% of an organization’s income inside the related jurisdiction. Primarily based on Cloudflare’s Italian earnings, that cap ought to have restricted any advantageous to roughly €140,000. As an alternative, AGCOM calculated the advantageous based mostly on our world income, leading to a penalty practically 100 instances greater than the authorized restrict.
This disproportionate strategy sends a chilling message to the worldwide tech group: for those who query a flawed regulatory system or defend the rights of your customers and the worldwide Web, you threat going through punitive and extreme monetary retaliation.
On the identical time, AGCOM nonetheless has not shared with Cloudflare the Piracy Defend information that it was ordered to reveal. As an alternative, simply 4 days earlier than the deadline for disclosure, AGCOM knowledgeable us that it could make a number of the information out there for inspection at an AGCOM facility in Naples, topic to supervision by AGCOM officers. These limitations are usually not simply unreasonably burdensome and opposite to the letter and spirit of the disclosure order; they elevate actual questions on why AGCOM is so intent on resisting transparency.
Subsequent steps: the trail ahead
We’re not backing down. Cloudflare is interesting the €14 million advantageous, pushing for full entry to AGCOM’s Piracy Defend information, and can proceed to problem the underlying legality of the Piracy Defend blocking orders within the Italian administrative courts.
We acknowledge that rightsholders have a professional curiosity in defending their content material. The truth is, we work with rightsholders each day to handle infringement in methods which might be exact and efficient. However these pursuits can’t override the fundamental necessities of authorized due course of or the technical integrity of the worldwide Web and our community.
We’ll proceed to pursue this problem within the Italian courts and thru the European Fee. World connectivity is just too vital to be ruled by “black boxes” with 30-minute deadlines that end in widespread overblocking with no technique of redress. Cloudflare stays dedicated to constructing a greater Web: one the place the foundations are clear, the regulators are accountable, and the infrastructure that connects the world stays free, open, and safe.
