An Enforcement Machine, Stress-Testing Itself
Italy's Autorità per le Garanzie nelle Comunicazioni (AGCOM) is, by most measures, Europe's most energetically adaptive communications regulator under the Digital Services Act. Two and a half years into operating as Italy's Digital Services Coordinator, it has built a comprehensive enforcement infrastructure: binding complaint procedures, the continent's first trusted-flagger designations, a privacy-by-design age verification regime, and penalty powers that extend to 6 percent of a platform's annual global turnover. Then there is Piracy Shield—AGCOM's own invention, the system where speed has consistently overridden proportionality, and where the regulator's largest enforcement action to date risks undermining the framework it is otherwise reinforcing.
What AGCOM Has Built Under the DSA
The legal foundation came quickly. Italy's Decree-Law No. 123 of September 15, 2023 designated AGCOM as Digital Services Coordinator under Article 49(2) of Regulation (EU) 2022/2065. From February 17, 2024, the full DSA framework became operative across Italy, placing AGCOM at the center of a national enforcement architecture alongside the Garante (privacy) and AGCM (competition).
AGCOM's powers are substantial. For serious DSA violations, it may impose fines up to 6% of a provider's annual worldwide turnover. For incomplete or misleading information, the ceiling is 1% of global revenue; daily penalties for ongoing non-compliance can reach 5% of average global daily turnover. Intermediary service providers fund the regulator's DSA work directly, contributing 0.135 per thousand of their turnover.
By July 2024, AGCOM had adopted Resolutions 282/24/CONS and 283/24/CONS, establishing procedures for certifying out-of-court dispute settlement bodies and for granting trusted flagger status—both entering into force September 15, 2024. January 22, 2025 brought the practical milestone: Resolution 26/25/CONS designated Argo Business Solutions S.r.l. as Italy's first trusted flagger under the DSA. Platforms must now prioritize and act "without undue delay" on Argo's IP-infringement and fraud notifications under Article 16 of the regulation.
Age Verification: Privacy-By-Design in Practice
More consequential still is Resolution 96/25/CONS of April 8, 2025, establishing mandatory age verification for adult content platforms accessible to Italian users. Forty-eight platforms were listed on October 31, 2025. Italian-established operators faced compliance deadlines of November 12, 2025; foreign operators until February 1, 2026. Fines for non-compliance reach €250,000, with site-blocking authority available for persistent violators.
The technical architecture is worth examining because it demonstrates that robust content protection and user privacy can coexist. AGCOM mandated a "double anonymity" mechanism: age verification providers cannot see which platform the user is accessing; the platform receives only an anonymized age confirmation, not identity data. Verification occurs per session through certified third parties using mobile digital wallets.
The strongest case for this approach is clear: minors accessing explicit content is a documented harm, and the DSA's Article 28 already mandates proportionate protective measures. Even advocates skeptical of age verification mandates have noted the double-anonymity design is among the least surveillance-enabling implementations available. AGCOM is showing it can build carefully calibrated technical standards when the incentive is privacy protection.
Where Speed Overrides Proportionality: Piracy Shield
Italy's Piracy Shield tells a different story. Launched in February 2024, the system operates on a logic that structurally precludes deliberation: rights holders submit domain names and IP addresses to an automated portal, and registered intermediaries must block them within 30 minutes. No judicial review precedes an order. No proportionality assessment accompanies individual blocking commands.
The resulting collateral damage has been documented at academic scale. A September 2025 study by the University of Twente confirmed systematic overblocking of legitimate websites—casualties included Ukrainian government websites, European NGOs, and a 12-hour outage of Google Drive for Italian users.
AGCOM's response to Cloudflare's documented concerns was to fine the company €14,247,698.56—decided December 29, 2025, announced January 8, 2026. The fine represents 1% of Cloudflare's $1.67 billion in global 2024 revenue, using worldwide rather than Italian-only turnover as the basis. Cloudflare's position: the legal maximum under the applicable Italian statute should have been calculated against Italian revenue alone—approximately €140,000, nearly 100 times less than the amount levied.
The core legal argument is pointed. Piracy Shield, Cloudflare contends, violates the DSA's own proportionality and procedural safeguard requirements—the same regulation AGCOM is tasked with enforcing against platforms. An Italian administrative court on December 23, 2025 ordered AGCOM to disclose the evidentiary records supporting its blocking orders—a signal that due process concerns are gaining judicial traction. Cloudflare filed its formal appeal on March 8, 2026. The outcome will effectively determine whether member states can graft pre-DSA content-blocking architectures onto a post-DSA regulatory environment without adapting their procedural standards.
The CJEU Affirms AGCOM's Authority—With a Telling Caveat
In May 2026, the Court of Justice Grand Chamber issued its ruling in Case C-797/23, Meta v AGCOM. Italy had transposed Article 15 of the DSM Copyright Directive into domestic law (Article 43-bis, Law 633/1941), requiring platforms to pay "fair compensation" for online press publication use and submit to AGCOM-administered negotiation frameworks. Meta argued the directive created only exclusive rights, not remuneration obligations.
The Court upheld Italy's model. AGCOM's authority to set compensation reference criteria and intervene in stalled negotiations is permissible provided parties remain free to negotiate terms. The significance for platform regulation extends beyond press publishers: it signals that courts broadly support AGCOM occupying a strong regulatory position on platform-content relationships. But the authority being upheld is one grounded in structured procedural safeguards and calibrated to documented bargaining imbalances. It is precisely the model Piracy Shield lacks.
What Italy's Trajectory Signals
Italy has built the DSA enforcement infrastructure faster than most member states. The trusted flagger system, ODS certification, age verification with privacy-by-design principles, and Article 53 complaint procedures are all operational. The European Commission signed an administrative arrangement with AGCOM as early as October 30, 2023, reflecting genuine institutional confidence.
The Piracy Shield problem is not a DSA failure—it is a reminder that member states entering the post-DSA era carry pre-DSA habits. A 30-minute compliance window with no prior judicial oversight was designed before the DSA's proportionality obligations were fully absorbed. Whether Italy reforms Piracy Shield's procedural architecture or allows a legitimate copyright mechanism to remain structurally incompatible with EU law will define how seriously Europe's most active national DSA enforcer takes its own mandate. AGCOM's strongest work in 2025 and 2026 shows it can build proportionate frameworks. The open question is whether it will now apply that standard to itself.