Cloudflare vs Italy: A Wake-Up Call for Europe's Tech Dependency

On one side, an Italian regulator demanding pirate sites be blocked within 30 minutes, no judge required. On the other, an American CEO crying free speech while supporting an administration that banned the word "woman" from government websites.

This debate is far from trivial, and spoiler: there are no good guys in this story.

DNS Blocking and Disagreements

You may have missed this, but Italy just slapped a record fine of 1% of Cloudflare's global revenue for failing to block pirate sites.

Cloudflare refused to comply.

To understand what's at stake, we need to talk about DNS. A DNS is essentially the internet's address book, a massive index that links domain names to IP addresses. Think of it like a phone directory connecting your name to your physical address.

DNS blocking is often criticized because it raises several issues.

First, there's performance. A DNS needs to be as efficient as possible, or it risks slowing down the entire internet. It's one of the lowest network layers, and you can't afford to add too much application logic. For instance, checking whether an address is on a blocklist, especially when you want to do it based on the visitor's country of origin.

And that's the thing: the visitor's origin matters. If Italy decides to ban a site, that decision shouldn't automatically apply in Australia or Japan. So in theory, to do this properly, the DNS response would need to vary based on the visitor's country.

Cloudflare handles 200 billion daily requests. If you start adding all sorts of rules at the DNS level, you could potentially slow down global traffic. At least, that's Cloudflare's argument.

Except this performance excuse is undermined by a simple fact: Cloudflare already does this. Their "family" DNS (1.1.1.3) filters adult content and malware. So technically, they have the know-how.

Beyond performance concerns, DNS blocking can be criticized for its lack of precision. If a user on a shared platform like YouTube got banned, the entire domain would be blocked. You can't just ban a single channel.

And finally, if we start implementing these kinds of rules at the DNS level, it's the first step toward network fragmentation. It starts looking like China's Great Firewall.

This Isn't Just an Italian Problem

DNS blocking isn't unique to Italy.

In France, Canal+ has made the same demands to Google, Cloudflare, and Cisco to fight sports streaming piracy. The same conflict exists in Belgium.

Conversely, Germany ruled DNS blocking disproportionate and rejected such requests. Though that was only the Cologne court, and nothing says it couldn't change in the future.

Alternatives to DNS Blocking

So what are the alternatives if you actually want to block content? Are there options beyond going through DNS servers?

Domain registrars: You can ask a registrar to suspend a domain. A registrar is the entity that assigns domain names, and they're localized. French .fr domains are assigned by a French legal entity, German .de by a German one. A judge can easily impose a decision on a French registrar. But it's harder to enforce on other registrars. And remember: .com, .org, etc. are managed in the US. In practice, you'll rarely, if ever, find pirate sites on a .fr or .it domain. That would make them far too easy to target.

ISPs: In France, there's censorship at the Internet Service Provider level, since each ISP has its own DNS resolvers. It's less impactful than going after Cloudflare because an ISP is inherently national. There's less extraterritoriality involved. But it's also easier to circumvent, though you need to be a power user to change your DNS.

Search engine delisting: Every search engine can remove URLs for a given territory. A judge can request that a site be delisted. It's effective, though it doesn't prevent someone from typing the URL directly.

IP blocking: It's radical and can be done at the ISP level or at the country level through international exchange points. But it's generally a bad idea—it lacks any precision. That's how Italy managed to block Google Drive a few months ago.

Cutting off revenue: The ultimate solution is going directly through Visa or Mastercard. This was done in the Wikileaks, Megaupload, and even Pornhub cases in 2020. But in practice, it's mostly an American prerogative since Visa and Mastercard are US companies, and it remains very exceptional.

Reporting to the host: This works well for sites with a localized host. I mentioned YouTube earlier—you can report content that violates the platform's terms of service. You can also contact a hosting provider like OVH. But again, you may be limited by the jurisdiction the host falls under.

The takeaway is that no perfect solution exists, and it's often a mix of approaches used depending on what compromises can be made.

Network Neutrality?

When it comes to DNS, the real debate goes beyond mere technicalities.

Do we accept "breaking" pieces of "neutral" infrastructure for marginal gains against piracy, or do we consider it a red line?

Germany has largely said no. Italy and France say yes.

I struggle to have a clear-cut, absolute opinion, but I feel we're putting our finger in a dangerous mechanism.

Today, piracy serves as the pretext. Tomorrow, it might be political opposition sites, as in Russia or Turkey, or whistleblower sites like Wikileaks in the past.

Who gets to define what's acceptable? In theory, the answer is simple: the law and the courts.

And that's precisely where things go wrong in France and Italy. It's not the judiciary that decides, but an administrative authority. Italy's Piracy Shield requires blocking within 30 minutes with no judicial oversight. In France, it's the same: ARCOM can request ISPs to cut access without any court ruling.

This lack of oversight and appeal, this rush—we're talking 30 minutes to decide on a nationwide block—is exactly the kind of mechanism that can enable a total blackout like we've seen recently in Iran.

But no need to go to Iran or Turkey: consider the TikTok ban in New Caledonia in 2024 during the protests. It was an administrative decision later deemed illegal by France's Council of State. But it took a year to reverse.

Matthew Prince's Response

Let's shift perspective and take time to read Matthew Prince's response, CEO and co-founder of Cloudflare, on Twitter.

The beginning is what we've already covered: a recap of the facts, with Italian (and broadly European) views opposed to Cloudflare's technical stance of not wanting to deal with this.

But the thread doesn't stop there. And this is where things go off the rails.

First, Cloudflare lists its immediate actions: no longer providing security for the upcoming Milan Olympics (debatable—it was provided for free, and when you get fined 1% of your global revenue, you're entitled to be upset), cutting free access for all Italian users (a bit disproportionate), removing all servers from Italy (you can feel the anger), and not opening an office there (this one made me laugh—"we had planned to, but now we won't"—that's not a real threat).

What's really worth noting is that we're talking about retaliation measures. This is a US company threatening a European state.

But it's the next paragraph that really gets me:

I appreciate @JDVance taking a leadership role in recognizing this type of regulation is a fundamental unfair trade issue that also threatens democratic values. And in this case @ElonMusk is right: #FreeSpeech is critical and under attack from an out-of-touch cabal of very disturbed European policy makers.

And there, the debate shifts nature entirely. We're no longer discussing technical or legal questions. When Cloudflare's CEO invokes JD Vance and Elon Musk to talk about free speech, we've entered different territory.

Free Speech, Selectively Applied

We need to dwell on the irony around free speech, because it's the go-to argument often used by the Trump administration.

Let me remind you that Musk freely uses censorship on his own platform and accepted without hesitation to censor opposition to Erdoğan in Turkey in 2025 because it served his own agenda.

I could also point out that the current administration of Vance and Musk—since he was part of it—banned over 350 words from all official communications, including "woman," "climate change," and "disability."

Free speech in the US also means firing several public figures, particularly in media, for disagreeing with the current government.

So free speech is applied rather selectively. It's hypocrisy.

And when you dig a little deeper, Cloudflare itself has engaged in censorship—in 2017 and 2019, of its own volition, with no external pressure—in the Daily Stormer and 8chan cases. So the principle isn't "we never censor"—it's "we censor when we decide to."

You can dress up just about any topic in newspeak. But above all, free speech here is a commercial negotiation argument dressed up as a democratic principle.

And this raises a question we can no longer ignore: our dependence on US infrastructure is also a dependence on their political agendas.

There Are No Good Guys

In short, in this story, we can absolutely question the legitimacy of the method—blocking by administrative authority without judicial decision.

We can express reservations about the possible and probable abuses of these tools.

And yet, we can also acknowledge that it's not healthy to have such strong dependencies on American companies that can directly threaten European states to not comply with local law, whether well-crafted or not, AND while having their own agenda on what's acceptable.

There are no good guys or bad guys here. We have things to watch regarding the widespread use of digital control by our own states in Europe. But we also must not fall into the trap of letting other countries decide for us.

Let's not fool ourselves. No, technology is not neutral as Matthew Prince claims. And we can clearly see that those who control the pipes would also like to decide what flows through them. And that would be even worse than leaving the decision to an administrative authority, despite all the criticism I have for it.

For my part, I took the initiative, imagining that Cloudflare could have the same conflicts with France. So I deleted all my sites managed on Cloudflare and now use Bunny.net for the same services.