On January 8, 2026, Italy's Communications Authority (AGCOM) made public a fine of over €14 million against Cloudflare Inc. — the result of the company's refusal to implement DNS-level blocking orders through Italy's Piracy Shield platform. Approved by the AGCOM Council on December 29, 2025 under Delibera n. 333/25/CONS, the penalty equals approximately 1% of Cloudflare's 2024 global revenues. It is the most consequential enforcement action in the history of Italian platform regulation, and it has exposed a structural tension at the heart of AGCOM's role as Italy's Digital Services Coordinator under the EU's Digital Services Act.
What Piracy Shield Does — and Why Rights Holders Wanted It
Established under Law 93/2023, Piracy Shield went live in February 2024. The platform allows rights holders — primarily Italian sports broadcasters holding exclusive Serie A streaming licences — to submit domain names and IP addresses to a monitored portal. Registered ISPs and DNS resolvers are then required to block the flagged addresses within 30 minutes, with no prior judicial order required. Since launch, AGCOM reports over 65,000 domain names and approximately 14,000 IP addresses have been disabled through the system.
The urgency argument is not manufactured. Live sports piracy operates in real time: a blocking order issued four hours after kickoff is useless. Germany, Portugal, and the UK have built comparable expedited blocking regimes. Italy's rights holders faced documented, large-scale piracy of broadcast content before Law 93/2023 passed, and giving AGCOM the tools to act fast is defensible in principle.
Where the System Breaks Down
AGCOM issued a blocking order against Cloudflare on February 18, 2025, under Resolution 49/25/CONS, requiring the company to DNS-block domains flagged through Piracy Shield. Cloudflare refused. Its argument — that Piracy Shield is structurally incompatible with the EU's Digital Services Act (Regulation 2022/2065) — is not simply self-interested legal posturing.
The DSA requires that content restrictions be proportionate and subject to procedural safeguards. Piracy Shield operates without judicial oversight, requires near-instant compliance from intermediaries assessing orders they cannot independently verify, and has generated documented collateral damage. Researchers at the University of Twente, in September 2025, documented persistent blocks on government websites, educational platforms, and Google Drive infrastructure — all affected because their shared IP addresses overlapped with flagged domains. A 30-minute compliance window designed to protect a football broadcast ended up censoring legitimate services for months.
On June 13, 2025, the European Commission wrote to AGCOM expressing concerns about the system's lack of oversight — a remarkable intervention given that AGCOM is simultaneously the Commission's designated partner in DSA enforcement.
A Fine Calculated With Global Revenue
The penalty methodology compounds the concern. Under Italy's domestic anti-piracy law, fines for non-compliance are capped at 2% of revenue in the relevant jurisdiction. Applied strictly to Cloudflare's Italian operations, that would produce a maximum penalty of roughly €140,000. AGCOM instead calculated the fine against Cloudflare's global annual revenues, yielding €14.2 million — nearly 100 times larger. Cloudflare filed an appeal on March 8, 2026, and an Italian administrative court had already ordered, on December 23, 2025, that AGCOM disclose Piracy Shield records to the company.
The authority's basis for applying global revenue figures derives, at least partially, from the DSA framework and its penalty architecture — the same regulation Cloudflare argues Piracy Shield violates. The circularity reflects a genuine ambiguity in how national coordinators may leverage EU enforcement tools to expand domestic penalty bases beyond what their own statutes permit.
What AGCOM Has Built That Works
The Cloudflare dispute should not obscure a more defensible institutional buildout. AGCOM was designated Italy's Digital Services Coordinator under Decree-Law No. 123/2023 (September 2023), implementing Article 49 of the DSA. On July 24, 2024, the authority adopted Resolutions 282/24/CONS and 283/24/CONS, establishing certification procedures for out-of-court dispute resolution bodies and for "trusted flagger" status — both mechanisms entering force on September 15, 2024. On January 22, 2025, Argo Business Solutions S.r.l. became Italy's first designated trusted flagger under the DSA's Article 22 framework, focused on intellectual property violations and online fraud.
These mechanisms are well-grounded in the DSA's architecture. They create structured, proportionate accountability without short-circuiting due process. AGCOM's cooperation arrangement with the European Commission, formalised October 30, 2023, reflects a genuine enforcement partnership. If the authority's broader platform enforcement looked more like Resolutions 282 and 283 and less like Piracy Shield's black-box blocking, there would be little to argue with.
A New Levy Adds Pressure
Italy's 2026 Budget Law adds a financial dimension to AGCOM's expanding footprint. A new annual contribution — 0.2% of qualifying digital and platform revenues — now applies to digital intermediary services, including from non-resident businesses with Italian connections. Layered alongside VAT and Italy's Digital Services Tax on overlapping revenue bases, the levy adds compliance complexity for platforms already navigating Piracy Shield obligations and DSA reporting requirements.
The Proportionality Test
AGCOM is not wrong to want enforcement teeth. The DSA only functions if national coordinators are willing to act, and a regulator that cannot meaningfully sanction non-compliance is a coordinator in name only. Rights holders do have legitimate interests in blocking real-time piracy, and platforms are not above the law.
But the right question for any enforcement mechanism is not merely whether it works — it is whether it works without breaking something else. A content-blocking regime that cannot distinguish a pirate stream from a government education site, and that reaches for global revenue metrics to produce fines that domestic law would not support, is not proportionate regulation. The EU Commission's June 2025 letter and Italy's own courts' demands for transparency are signals that AGCOM's most aggressive instrument has overshot its mandate.
Platform accountability and DSA compliance are not in conflict. Piracy Shield, as currently designed, is making them so.