A Regulator Wearing Two Hats
Italy's Autorità per le Garanzie nelle Comunicazioni — AGCOM — has quietly become one of Europe's most consequential platform regulators. Designated in September 2023 under Decree-Law 123 as Italy's Digital Services Coordinator (DSC) under the EU's Digital Services Act, AGCOM now sits at the centre of two quite different enforcement philosophies: the DSA's emphasis on proportionality, transparency, and due process, and Italy's domestic Piracy Shield framework, which demands ISPs and DNS operators block pirated content within 30 minutes and without judicial sign-off. The collision between these two mandates has produced a landmark legal dispute with global CDN provider Cloudflare — and drawn a pointed rebuke from Brussels.
The DSA Architecture in Italy
The DSA assigns national Digital Services Coordinators wide powers over intermediary service providers. AGCOM can impose sanctions of up to 6% of a provider's annual worldwide turnover for violations of DSA obligations, covering everything from risk assessment requirements to advertising transparency. The authority has moved methodically in this role. In September 2024 it published resolutions 282/24/CONS and 283/24/CONS — its first substantive implementing measures as DSC — establishing procedural frameworks for certifying out-of-court dispute settlement bodies and granting trusted-flagger status to approved content-reporting organisations.
Two trusted flaggers have been designated so far. On 22 January 2025, AGCOM granted the status to Argo Business Solutions S.r.l., a digital-security firm specialising in intellectual property infringement and online fraud. On 8 April 2025, it added the Telefono Azzurro Foundation, focused on child protection violations including cyberbullying and non-consensual image sharing. Both entities must report illegal content to platforms in a diligent and objective manner, and platforms are required to prioritise their notices. The European Commission also formalised its collaboration with AGCOM through an administrative arrangement signed in October 2023, giving both sides access to data, methodologies, and enforcement tools.
On paper, Italy's DSA infrastructure looks solid. In practice, a parallel enforcement track is complicating the picture.
Piracy Shield: Speed Over Safeguards
Launched in February 2024 under Law 93/2023, Italy's Piracy Shield was designed to protect live sports broadcasts from streaming piracy. Rights holders report infringing domains and IP addresses to AGCOM, which then orders ISPs, VPN providers, and public DNS resolvers to block access — within 30 minutes, and without prior judicial review. In August 2025, AGCOM extended the system to cover all live content, including film premieres and music, while also mandating de-indexing by search engines.
The case for Piracy Shield is genuine. Italy has historically been one of Europe's worst markets for audiovisual piracy, and the 30-minute window targets an economic reality: a sports match pirated in the first half earns nothing after 90 minutes. Rights holders argue that slow, court-mediated blocking has always been too late to protect time-sensitive content. Since February 2024, the system has disabled over 65,000 domain names and approximately 14,000 IP addresses used to distribute illegal content, according to AGCOM's own figures.
But the system's architecture has generated significant collateral damage. In October 2024, Google Drive was blocked for Italian users for more than 12 hours following a reporting error by sports broadcaster DAZN. A September 2025 study by the University of Twente found that Piracy Shield routinely blocks legitimate websites — including Ukrainian government education sites and European NGOs — for months at a time. The absence of a pre-blocking judicial check means errors propagate before any administrative correction is possible.
Brussels Flags a DSA Problem
The European Commission was blunt about these concerns. In a letter dated 13 June 2025, Commission services identified three specific DSA compliance failures in the Piracy Shield framework: inadequate transparency and justification for blocking decisions, a systemic pattern of wrongful blocks affecting innocent websites, and the absence of prior judicial review contrary to Article 8 of the DSA, which requires proportionate procedural safeguards whenever legal content may be restricted.
That last point is legally significant. Article 8 of the DSA is not aspirational — it prohibits content orders that impose general monitoring obligations or require providers to restrict content without adequate procedural protection. Whether Piracy Shield's 30-minute, no-review mechanism satisfies that standard is precisely the question the Commission has raised but not yet adjudicated.
The Cloudflare Case
The tension came to a head on 29 December 2025, when AGCOM issued delibera n. 333/25/CONS imposing a fine of €14,247,698.56 on Cloudflare Inc. The company had been ordered on 18 February 2025 (delibera n. 49/25/CONS) to disable DNS resolution for domains and block network routing to IP addresses flagged through Piracy Shield. Cloudflare declined, arguing that Piracy Shield lacked judicial oversight and due process, and that its DNS resolver operates as a neutral infrastructure service globally, not a piracy enabler in Italy.
AGCOM calculated the fine at 1% of Cloudflare's global revenue. The company disputes this sharply: Italian law caps fines for non-compliance at 2% of revenue within the relevant jurisdiction, which Cloudflare estimates at roughly €140,000 — nearly one hundred times less than the amount imposed. Cloudflare filed its appeal on 8 March 2026, pursuing challenges in Italian courts and lodging complaints with the European Commission.
"Piracy Shield is a blunt tool for rightsholders to control what is available on the internet without any traditional legal safeguards." — Cloudflare blog, March 2026
Proportionality Is the Issue
The Cloudflare dispute crystallises a real tension in how AGCOM is discharging its dual mandate. As DSC, it is supposed to champion the DSA's values — proportionality, transparency, procedural fairness. As enforcer of Law 93/2023, it is operating a system that Brussels itself has said may fall short of Article 8 safeguards. These are not the same job.
This is not an argument for ignoring online piracy — the economic harm to rights holders is real, and a functioning enforcement mechanism is legitimate. It is an argument for designing that mechanism so that it can be enforced without triggering DSA non-compliance proceedings against Italy, and without exposing AGCOM's broader digital regulatory credibility to challenge in European courts.
AGCOM has also been expanding into new areas rapidly: influencer content transparency rules (Resolution 197/25/CONS, March 2026) and a comprehensive AI report (June 2026) signal a regulator building an ambitious policy footprint. That ambition is harder to sustain if its flagship copyright enforcement tool is under active legal challenge from multiple directions simultaneously.
What Needs to Change
The fix is not to abandon Piracy Shield. It is to add the procedural layer the DSA requires: a lightweight judicial pre-authorisation mechanism for blocking orders — already standard in Germany and France — combined with a faster error-correction pathway for wrongful blocks and an independent transparency mechanism for reporting overblocking statistics. The 30-minute window can coexist with a judicial gate if the gate is fast and the process is standardised.
Italy has invested real institutional capital in becoming a credible DSA enforcement hub. AGCOM's administrative arrangement with the Commission, its trusted-flagger programme, and its procedural resolutions all point in the right direction. The Piracy Shield litigation is testing whether that foundation holds when national copyright interests and EU-mandated due process point in different directions.