The standoff between AGCOM and Cloudflare is far more than a fine: it is the first stress test over who controls the network in the post-DSA era
Matthew Prince, CEO of Cloudflare, chose to accompany his declaration of war on the Italian regulator on X with an AI-generated image that went viral: a medieval knight brandishing an Open Internet flag, surrounded by figures in suits with stereotypically Mediterranean features and Roman gladiators with the Colosseum in the background. Not subtle, not elegant, but effective for a certain audience.
The crusade in question involves €14,247,698: the fine that AGCOM, Italy’s communications authority, notified Cloudflare on January 8 for refusing to block pirate websites through its 1.1.1.1 DNS resolver. Reducing the story to a fine, however steep, would be like describing Iran’s Internet blackout by focusing only on the drop in traffic.
Piracy Shield is Italy’s anti-piracy system, launched in February 2024 and designed primarily to stop the illegal streaming of Serie A football matches. It is worth noting that the law underpinning it was passed unanimously across all political parties. The mechanism is brutal in its simplicity: rights holders flag an IP address or domain, and all providers involved (ISPs first and foremost, but now also CDNs) have 30 minutes to block it. No prior third-party verification is required. No adversarial process. Failure to act carries criminal liability.
Since going live, Piracy Shield has taken down tens of thousands of domains and IP addresses. It also mistakenly blocked Google Drive during a league match on October 19, 2024, leaving millions of Italians without access to work documents for roughly twelve hours. A detail that system supporters tend to downplay and critics tend to amplify, but one that accurately captures the structural problem: the Internet is not designed to be carved up along national lines with thirty minutes’ notice.
Cloudflare is a giant: it handles approximately 20% of global web traffic. Its 1.1.1.1 DNS resolver processes over 200 billion queries per day. When Italy asks to filter traffic through that infrastructure, it is asking for changes to a system that serves users from Tokyo to Toronto. Prince argues this is technically impossible to do without degrading performance for everyone. AGCOM counters that Cloudflare has “advanced technological expertise” and could find a solution if it wanted to. Google, after initial objections, chose the path of cooperation, implementing geo-restricted blocks limited to Italy. It is a solution that appears to be working, but one Cloudflare refuses to adopt for reasons that go beyond the technical.
What Is really at stake
The real issue is the precedent. Prince said it explicitly on X, in his characteristically direct tone: if Cloudflare agrees to block content at the administrative request of an Italian authority, without judicial oversight and without any effective right of appeal, which government will come knocking next? Turkey? Egypt? Russia? China has already sidestepped this problem: it built its own walled-off intranet, separate and tightly controlled.
This is Cloudflare’s strongest argument, and the hardest to refute. Infrastructure neutrality is what holds the Internet together as a global space. The moment providers of foundational services begin making decisions about what to make accessible and what not to, based on national administrative requests, that model begins to crack.
On the other hand, there is an equally valid argument on the opposing side. Audiovisual piracy costs Italy hundreds of millions of euros per year (the exact figure is difficult to pin down). AGCOM has found that 70% of blocked pirate sites use Cloudflare’s services. Does neutrality become complicity, or is that just a convenient interpretation?
Europe is watching
In June 2025, the European Commission sent a letter to the Italian government that reads as a diplomatic warning. Piracy Shield may not be compliant with the Digital Services Act. The blocks are issued too quickly, the unblocking procedures are too slow, and the safeguards for fundamental rights are insufficient. The DSA, Brussels notes, “does not provide a legal basis for orders issued by national administrative authorities” in this manner.
This is a pivotal moment. Italy has moved faster than other European countries in building an aggressive enforcement system against piracy. But that speed comes at a cost: the instrument risks being poorly calibrated against the European regulatory framework.
Italian ISPs, meanwhile, bear the operational burden of the system without compensation. The Italian Internet Providers Association has requested a fund of €9.5 million per year to cover compliance costs. So far: nothing.
A study from the University of Twente published in September 2025 quantified the collateral damage: more than 500 legitimately operating websites wrongly blocked, and over 7,000 domains impacted in total, with effects lasting an average of 320 days. Among the casualties: personal pages, company profiles, hotels, restaurants, a car repair shop, a convent, stores, an accounting firm. In one case, the blocking of a single IP address took down 325 different domains.
The IXPs
There is one category of player watching this situation with particular concern: Internet Exchange Points, the neutral infrastructure that enables networks to interconnect and exchange traffic. They do not provide services to end users. They do not decide what to block. They facilitate the functioning of the network. And their business model rests on a foundational assumption: neutrality.
Our CEO Maurizio Goretti frames the issue with the pragmatism of someone who has spent thirty years making infrastructure work and engaging with the international ecosystem: “This situation shines a light on a problem well known to those who work on networks: the Internet does not function like television frequencies. You cannot regulate it in national slices without creating unpredictable cascading effects. Piracy is a real problem, and rights holders have legitimate grievances. But the solution cannot be a tool that generates collateral damage on this scale and puts in an impossible position the operators who bear no responsibility for the content transiting their networks.”
There is a point that is often overlooked in this debate. Namex has existed for thirty years because we are neutral. We bring together small ISPs and large telcos, global CDNs, and public institutions. The trust our members place in us stems from the fact that we do not take sides. But when regulation creates asymmetries: binding obligations for some actors and none for others, operational costs without compensation, response timelines incompatible with technical complexity. The system becomes unbalanced. And those who end up bearing the greatest consequences are often the smallest. Rules are needed, but European rules. Well-intentioned national workarounds risk fragmenting an ecosystem that functions precisely because it is interconnected. Italy alone cannot impose standards on a global infrastructure. But it can contribute to defining them collectively with other European countries, involving those who make that network work every day.
The knot no one wants to untie
Beneath all of this lies a question no national authority can resolve on its own: how do you govern a global infrastructure? The Internet does not work like analogue television, where each country could control its own frequencies. It is a network of networks, built on cooperation among actors that operate across different scales and jurisdictions. When Italy orders Cloudflare to block an IP address, it is attempting to apply a territorial logic to a system that does not recognize that logic. This is not a question of good faith or bad faith: it is an architectural problem.
The risk this episode highlights is fragmentation. Every country building its own blocking system, with its own rules and its own timelines, adds a layer of complexity that makes the Internet less efficient, less secure, and less open. This is the direction in which we are drifting, piecemeal, across Europe. On February 18, the Paris Tribunal also ordered Cloudflare to block 16 domains streaming Premier League content illegally, following a complaint by Canal+. Targeted judicial orders against infrastructure intermediaries. It is not Piracy Shield, but the practical effect converges.
What happens now
While AI-generated images of knights and accusations of censorship flew across X, Italian courts did what they usually do: applied the law. With different timelines and procedures from Piracy Shield.
On December 3, 2025, the Milan Tribunal accepted an emergency injunction filed by Medusa Film and Indiana Production to protect “Buen Camino” by Checco Zalone, whose promotional poster had already appeared on Streaming Community before the film’s theatrical release. The judge ordered Cloudflare to block 31 pirate sites, not through Piracy Shield, but via a court order, as in France and Spain for La Liga.
A few weeks later, the Specialized Business Litigation Section of the same court fully upheld Serie A’s complaint. A ruling that Il Sole 24 Ore described as “historic.” Cloudflare is no longer a mere neutral intermediary: it is an “active and knowing” service provider. The most significant technical innovation in the ruling is the dynamic mechanism: Cloudflare must block future variants of the domains as well (aliases, extension changes, numerical prefixes) without requiring a new order each time. This is the answer to domain hopping, the practice by which pirate sites reappear the following day under a slightly different address. Two business days to comply, after which penalties kick in.
By mid-February, Cloudflare had started blocking. Italian users attempting to access the affected sites see a 451 error page, with details of the Milan Tribunal’s order. AGCOM Commissioner Capitanio was jubilant: “This clearly proves that the narrative of recent weeks is completely off-target. Cloudflare has the technical means, and it always has.”
He is right, but only halfway. Cloudflare blocks on a judge’s order, not on an automatic Piracy Shield notification. The distinction may seem subtle, but it is at the heart of the matter. A court order implies judicial oversight, an adversarial process, and the right to appeal. Piracy Shield does not. Credit where it is due to Prince: he never said he would refuse to cooperate with Italian justice. He said he would not adhere to a system he considers illegitimate, which is why he is appealing to the Lazio Administrative Court against the multi-million-euro fine that, according to Cloudflare, exceeds by one hundredfold the ceiling set by the DSA.
The most reasonable solution would be one that none of the parties seems willing to consider: sitting down at a technical roundtable and finding a compromise. Geographically limited blocks, more rigorous verification procedures, faster unblocking timelines, compensation for the operators bearing the costs. It is not an outlandish idea: it is exactly what the European Commission suggested in its June letter.
The compromise requires both sides to give something up. Cloudflare would have to agree to cooperate with a system it considers illegitimate. Italy would have to admit that Piracy Shield, in its current form, has structural problems. Neither of these things appears imminent. In the meantime, Italian users continue to use the Internet without knowing that beneath the surface, a battle is underway that could redefine how the network functions in their country, and perhaps not just in their country.
— By Christian Cinetto, Head of Communication and Content at Namex
