Cloudflare is pushing back against Piracy Shield, an Italian copyright enforcement system that lets private media companies order website blocks with no judicial oversight, no transparency, and no appeals process.
When Cloudflare refused to register, Italy’s communications regulator AGCOM fined it €14 million last December. Cloudflare appealed on March 8 and is continuing its legal challenge against the system itself.
The fine was calculated on Cloudflare’s global revenue, a choice AGCOM made despite Italian law capping non-compliance penalties at 2% of earnings within the relevant jurisdiction.
Applied correctly to Cloudflare’s Italian revenue, the ceiling would have been roughly €140,000. AGCOM went global instead, producing a penalty nearly 100 times higher than the legal limit.
Piracy Shield runs through an unsupervised portal. An unidentified group of Italian media companies submits IP addresses and websites for blocking. Registered service providers then have 30 minutes to comply. No judge reviews the requests. Targets don’t get notified before their sites go dark.
There’s no mechanism to challenge a block before it takes effect and no effective path to seek redress afterward. The system was donated to the Italian government by SP Tech, a legal firm that represents several of its primary beneficiaries, including Lega Nazionale Professionisti Serie A, Italy’s top professional soccer league. Piracy Shield’s architecture reflects whose interests it was built to serve.
The collateral damage has been severe. IP address blocking is structurally incapable of precision: a single IP can host thousands of unrelated sites. Piracy Shield recklessly blocked Ukrainian government educational portals. It took down European NGOs running social programs for women and children. It even cut Google Drive access for over 12 hours, locking Italian students and workers out of their files.
A September 2025 study from the University of Twente found the system routinely blocks legitimate sites for months at a time.
AGCOM’s response to that evidence was to expand Piracy Shield’s reach to cover global DNS providers and VPNs, services directly tied to privacy and free expression.
Cloudflare raised these structural problems with AGCOM directly in 2024, proposing copyright enforcement approaches that wouldn’t require breaking the Internet’s core architecture. AGCOM ignored them.
Cloudflare then challenged the system in Italian administrative courts and, alongside the Computer & Communications Industry Association, filed a formal complaint with the European Commission. The Commission responded on June 13, 2025, with a letter criticizing Piracy Shield’s lack of oversight. On December 23, 2025, an Italian court ordered AGCOM to produce the records supporting its blocking orders.
Six days later, AGCOM issued the €14 million fine.
AGCOM still hasn’t complied with the disclosure order. Four days before the deadline, it informed Cloudflare that some records would be available for supervised in-person inspection at an AGCOM facility in Naples. A regulator demanding oversight of its own records disclosure, in its own building, while fighting to limit what it produces, is not operating in good faith.
Cloudflare is now appealing the fine and pushing for full access to those records. Its legal position is that Piracy Shield violates the EU’s Digital Services Act, which requires content restrictions to be proportionate and subject to procedural safeguards. Piracy Shield is neither.
A regulatory model that lets private rightsholders issue blocking orders through a black box, with 30-minute compliance windows and no accountability, is one that other regulators can replicate.
Cloudflare’s refusal to register is a refusal to become infrastructure for a private censorship system operating without transparency or oversight.

