Italy’s communications regulator AGCOM has imposed a €14,247,698 fine on Cloudflare for refusing to block access to alleged pirate sites via its public DNS resolver 1.1.1.1. The penalty, set at roughly 1% of Cloudflare’s global annual revenue, could increase to 2% in case of repeat violations, marking one of the toughest European enforcement actions against online piracy to date.
AGCOM’s Piracy Shield: From ISP Blocking to DNS and VPN Enforcement
The decision is rooted in Italy’s Piracy Shield system, launched in 2024 to combat large-scale digital piracy, particularly illegal live sports streaming. Under this mechanism, domain names and IP addresses identified as infringing must be blocked within 30 minutes of notification, not only by traditional ISPs but also by DNS providers and VPN services.
AGCOM’s order 49/25/CONS, issued in February 2025, explicitly requires DNS operators to stop resolving domain names and routing traffic to entries listed in the Piracy Shield database. In practice, this treats public DNS resolvers as active enforcement points rather than neutral internet infrastructure, aligning them with national content-blocking regimes.
The implementation of Piracy Shield has already revealed technical and governance challenges. There have been documented cases of overblocking, where legitimate domains and online services were inadvertently caught in blocking lists. According to AGCOM’s own estimates, around 70% of the piracy-related infrastructure it targets is hosted or protected by Cloudflare services, making the company a strategically important player in Italy’s anti-piracy strategy.
Cloudflare’s Objections: Performance, Scope, and Risk of Collateral Damage
Why Cloudflare Refused DNS-Level Piracy Filtering on 1.1.1.1
Cloudflare agreed to cooperate with Italian authorities on certain services but refused to implement content blocking on its global 1.1.1.1 public DNS resolver. The company argued that such filtering is “unjustified and disproportionate” and would introduce serious technical and operational risks.
Cloudflare notes that 1.1.1.1 handles billions of DNS queries per day worldwide. Injecting dynamic, jurisdiction-specific blocklists into such a high-volume, latency-sensitive service, it claims, could degrade performance, create reliability issues, and impact users far outside the Italian jurisdiction. From a cybersecurity engineering perspective, increased complexity at the DNS layer commonly leads to higher failure rates and more difficult incident response.
The company also highlights the risk of errors and collateral damage. DNS blocking systems are only as accurate as their underlying lists and processes. If takedown procedures are opaque or insufficiently audited, there is a heightened chance of blocking legitimate businesses, critical services, or lawful content. Similar risks have been seen historically with overbroad DNS blocking in various jurisdictions targeting platforms like The Pirate Bay or entire hosting providers.
AGCOM’s Counterarguments and Legal Qualification
AGCOM rejected Cloudflare’s position, stating that the company has more than sufficient technical capability to implement targeted blocking rules. The regulator points out that Cloudflare already operates complex traffic management, filtering, and security policies — for example, for DDoS mitigation and web application firewall (WAF) rules — and therefore, in its view, technical objections are exaggerated.
In its final decision, AGCOM classified Cloudflare’s refusal as a violation of Italian anti-piracy law, emphasizing that this is the first fine of this size imposed on a global DNS provider. The ruling stresses the “critical importance” of Cloudflare’s cooperation, arguing that its infrastructure enables pirate services to bypass conventional ISP-level blocks.
Impact on Public DNS, VPN Services, and Cybersecurity Governance
A Precedent for Global DNS and VPN Providers
The AGCOM–Cloudflare clash creates a significant precedent for other public DNS operators, including Google Public DNS and OpenDNS, as well as VPN providers operating in Italy. If Italian courts uphold AGCOM’s stance, public DNS resolvers could effectively become an additional national content-filtering layer, subject to country-specific laws and orders.
From a cybersecurity standpoint, DNS blocking is a double-edged tool. It can be effective against mass piracy, phishing domains, and command-and-control servers used by botnets. At the same time, the centralization of control over DNS raises concerns about overreach, politically motivated blocking, and systemic errors that may affect the resilience and openness of the global internet.
Cloudflare’s Response and Possible Retrenchment from Italy
Cloudflare co-founder and CEO Matthew Prince has publicly announced that the company will appeal the fine and challenge AGCOM’s legal interpretation. He also indicated that Cloudflare is considering a partial withdrawal from the Italian market.
Among the options reportedly under review are: ending free cybersecurity services for the Milan–Cortina Olympic Games, discontinuing complimentary services for Italian users, migrating servers out of Italian data centers, and shelving plans for a local office. Prince’s pointed remark — “Play stupid games — win stupid prizes” — illustrates the level of tension between a global infrastructure provider and a national regulator.
If even part of these measures were implemented, organizations in the region could face reduced protection against DDoS attacks and other large-scale cyber threats, underlining how regulatory disputes can have direct operational security consequences.
For businesses and public-sector entities, this case underscores the need to treat legal and regulatory developments as core cyber risk factors. Practical steps include diversifying DNS resolvers, deploying internal controls for blocking malicious or illegal domains, and continuously monitoring national requirements affecting cloud, DNS, and VPN providers. Building a resilient cybersecurity strategy today means not only hardening technology but also understanding how emerging laws, like Italy’s Piracy Shield regime, can reshape access to critical global internet services tomorrow.
