A model agreement for a model fight
On 22 May 2026, France's audiovisual and digital regulator Arcom published a notice and two model agreements designed to streamline cooperation between sports rights holders and a widening cast of "technical intermediaries": not just internet service providers, but search engines, alternative DNS resolvers, and VPN operators. The package is anchored in Article L. 333-10 of the French Sports Code, the dynamic-injunction tool created by the 2021 anti-piracy law and now being read by Paris courts to reach almost any actor in the data path.
Arcom paired the guidance with a centralised domain list: a single, regulator-curated registry of URLs subject to court-ordered blocking or delisting, with an interface contract that lets intermediaries plug in directly. The aim, in Arcom's own words, is to make exchanges "more efficient and fluid" so that pirate IPTV streams die during the match, not weeks after the trophy is handed out.
The case for the regulator
The legitimate grievance is real. Arcom estimates the direct loss from illegal sports broadcasts at €290 million in 2024, excluding lost tax and social-security revenue. Ligue de Football Professionnel and Canal+ have spent the past two seasons watching subscribers churn to free pirate streams that materialise minutes before kickoff and disappear after the final whistle. Manual blocking workflows that take "several working days" are useless against an event that lasts ninety minutes. If you accept that broadcast rights are property and that property is enforceable, you accept that enforcement has to move at the speed of the infringement. Arcom's defence — that a centralised list and pre-agreed model contracts cut friction for both rights holders and intermediaries — is, at the procedural level, sensible administrative law.
Why the architecture is the problem
The trouble starts with the perimeter. France's blocking regime began with ISPs, an unsurprising chokepoint. It then expanded, through 2025 rulings of the Tribunal Judiciaire de Paris, to public DNS resolvers and now to commercial VPNs. On 19 December 2025 the Paris court ordered Google's public DNS to block 19 domains for Canal+, rejecting Google's argument that upstream intermediaries like Cloudflare should be exhausted first. A day earlier, the same court ordered CyberGhost, ExpressVPN, NordVPN, Proton VPN and Surfshark to block 13 LFP-nominated domains — a dynamic order Arcom can extend through the season. Arcom's May 2026 model agreements formalise what these rulings improvised: a standing pipeline from rights holder to anyone in the path.
That is a category error. VPNs and alternative DNS resolvers exist precisely because the default internet path is not always safe, neutral or private. They are tools used by journalists in hostile jurisdictions, by enterprise IT, by users on hostile Wi-Fi, and by ordinary citizens who would rather not have their DNS lookups logged by a domestic ISP. Conscripting them into a sports-league blocklist normalises the idea that any service which can technically restrict traffic must do so on demand. The Electronic Frontier Foundation has spent the year warning that this is precisely how digital-surveillance infrastructure gets built: incrementally, around a sympathetic plaintiff, with each step justified by the last.
Proportionality, missing
A proportionate regime would weigh three things: the harm prevented, the collateral damage to lawful traffic, and the durability of the remedy. France's framework, as it now operates, optimises only the first. Overblocking complaints are already routine — Arcom reported 5,263 blocking requests sent to alternative DNS providers in 2025 and 598 domains pushed to VPN providers, volumes the Paris court is approving on dynamic warrants without per-domain adversarial review. NordVPN's submission that blocking "does not eliminate the content itself" and merely displaces users to less-regulated alternatives went largely unanswered on the record.
The SREN law of 21 May 2024 (Loi n° 2024-449) sits in the background of this expansion. It does not itself create the sports-blocking power — that lives in the Sports Code — but it designates Arcom as France's Digital Services Coordinator under the EU's Digital Services Act and consolidates its competence over online intermediaries. The May 2026 guidance is the operational expression of that consolidation: one regulator, one list, one interface, many obligations.
What a better version looks like
None of this requires abandoning rights-holder enforcement. A proportionate alternative would publish takedown SLAs, expose the centralised list to independent audit, give intermediaries a fast judicial appeal for individual domains rather than blanket dynamic injunctions, and explicitly carve out non-commercial DNS, Tor exits and privacy tools whose collateral harm to lawful users outweighs the marginal piracy gain. The model agreements Arcom released on Friday could have done any of these. They do none.
France is now the test case for whether the EU's open-internet rhetoric survives contact with a popular domestic industry. If a centralised blocklist run by a national regulator and consumed in real time by VPNs and DNS resolvers becomes the European default, the cost will not be paid by pirates — it will be paid by everyone whose threat model assumed that the resolver they chose worked for them.