Also another Italian here. For context, the "Piracy Shield" mentioned in the order is basically a legislative hacksaw authorized by the regulator (AGCOM) primarily to protect Serie A football rights. Soccer rules Italy more than the Vatican..
It’s a mess technically: it mandates ISPs and DNS providers to block IPs/domains within 30 minutes of a report, with zero judicial oversight. It’s infamous locally for false positives—it has previously taken down Google Drive nodes and random legitimate CDNs just because they shared an IP with a pirate stream.
The NUCLEAR threat regarding the 2026 Winter Olympics (Milano-Cortina) is the real leverage here. He’s bypassing the regulator and putting a gun to the government’s head regarding national prestige and infrastructure security.
My personal take idea likely outcome: Cloudflare wins.
EU Law: The order almost certainly violates the Digital Services Act (DSA) regarding general monitoring obligations and country-of-origin principles.
Realpolitik: The Italian government can't risk the Olympics infrastructure getting DDoS'd into oblivion because AGCOM picked a fight they can't win. They will likely settle for a standard, court-ordered geo-block down the road, but the idea of Cloudflare integrating with a broken 30-minute takedown API is dead on arrival.
> The NUCLEAR threat regarding the 2026 Winter Olympics (Milano-Cortina) is the real leverage here. He’s bypassing the regulator and putting a gun to the government’s head regarding national prestige and infrastructure security.
Kind of wild that a private company has that kind of power, both in terms of being one of the few that can offer this service and they can make threats at this level.
I have to say I'm curious over whether that's actually leverage or a massively miscalculated threat that is just going to push the Italian population and politicians firmly against cloudflare.
I'm pretty sure if you tried that here (Canada) it would do the latter.
Would a regulating body in Canada do this, though? And if so, hopefully Cloudflare would say fuck you just the same as they did Italy. It's nice to see someone actually taking a principled stand for once.
If our politicians were stupid enough to pass a law telling them to - I sure hope so - we live in a place with the rule of law not the rule of whatever Joe at the CRTC thinks should happen. Regulators exist to enforce the will of parliament...
Would our politicians pass a law this unfortunate... I hope not... but I don't really have that much faith in them. The current government probably wouldn't, but governments change.
Referencing the Trump administration - the people going around threatening, deporting, arresting, taking money from, etc people as a consequence for speech they don't like - as the standard for free speech makes this far from a principled stand by cloudflare. They took their moral high ground and sunk it. This isn't about speech for them, just money.
You're free to believe all that. "Rule of Law" loses all meaning when corruption takes root. We don't like that "for my friends, everything, for everyone else, the law" shit.
Things can be morally wrong and still legal, and the law itself can intentionally enforce immorality. It's your civic duty to determine when upholding the law degrades you and every else more than following it does.
Also I feel like threatening to take your toys and go home when they don't play fair is a totally valid response.
"for my friends, everything, for everyone else, the law" is a weird description, when that's not the problem with this law at all. There's no question of selective enforcement going on here. The problem is lack of due process, not that.
It's a great description of one of the main tactics the administration he is asking for help uses though. Which again goes to Cloudflare entirely abandoning the moral high ground here.
Threatening to leave is "totally valid" in that it's their right to leave, but it's also not something that a sovereign country that cares about staying sovereign should give any respect to. The only response to a foreign corporation saying that that maintains your independence is "you can't quit, you're fired." Otherwise you just become beholden to the corporation providing you "charity".
> It's your civic duty to determine when upholding the law degrades you and every else more than following it does.
That’s a lot more complicated. What happens if a foreign power takes over Canada and changes the law? What is the state law goes against the laws stated by your religion?
If a foreign power takes over your country and changes the laws in ways that conflict with the previous constitution, there’s a break in sovereignty continuity so your options are: 1. Pledge to the new authority and move on
2. Keep your word on your previous pledge and resist
The services aren't pro bono if they're only offered in exchange for getting a law modified.
And if you offer people free stuff and then turn around and demand something in return, they're going to get upset and like you less than if you had never offered the free stuff in the first place.
There was no exchange implied... before this sentence. Cloudflare might well be justified in feeling that the other side altered the deal, so to speak.
I have to doubt that it would push the populace against the company when the company is actually both providing good (free protection, DDOS mitigation, CyberSec) and supporting appropriate judicial process to make decisions.
Political threats of withdrawing from an event in an explicit attempt to pressure the country is the opposite of supporting appropriate judicial process.
No one is entitled to free shit, but anyone who says "I'll stop giving you free shit unless you do X" is not giving you free shit, they're engaging in barter. And bartering to try to change a law, just like paying to change a law, is obvious and illegal corruption.
Pretty sure, speaking as a Canadian, that the Canadian government would not be able to implement that kind of legislation. And that if they did, I would 100% back Cloudflare.
This is one of the consequences of outsourcing this (and other capabilities) to the private sector.
Many governments simply don’t have the skill and political will to invest in these kinds of capabilities, which puts them at the mercy of private actors that do. Not saying this is good or bad, just trying to describe it as I see it.
Governments just can't come to grips with how much money software engineers make.
Paying a contractor $x million? Yeah no problem, projects are projects, they cost what they cost. Does that $x million pay for 5x fewer people than it would in construction or road repair? We don't know, we don't care, this is the best bid we got for the requirements, and in line with what similar IT projects cost us before.
Paying a junior employee $100k? "We can't do that, the agency director has worked here for 40 years, and he doesn't make that much."
Variants of this story exist in practically every single country. You can make it work with lower salaries through patriotism, but software engineers in general are one of the less patriotic professions out there, so this isn't too easy to do.
> Paying a junior employee $100k? "We can't do that, the agency director has worked here for 40 years, and he doesn't make that much."
I can assure you that junior software engineers in Italy or anywhere else in the EU make nowhere near that amount of money. In fact, few of even the most senior software engineers make that amount of money anywhere in the EU (in Switzerland or the UK they might see such salaries, at the higher tiers).
Maybe not junior engineers, but it's quite common to make more than $100k in Denmark nowadays. According to the Danish Society of Engineers[0], the median salary for a CS Bachelor graduating in 2025 was 51 000 DKK / month, which is $95 000 USD / year. The average raise received by a privately employed Danish engineer was 5% last year[1], so you'd expect to reach $100k with two years experience.
And, to support miki123211's point, the Danish government has had continuing problems hiring software engineers for the past decade, leading to a number of IT scandals.
> in Switzerland they might see such salaries, at the higher tiers
Putting UK and Switzerland in the same pot is wrong, the pay scales are totally different. 100k$ is 80k CHF which is entry level salary for a SWE. The difference between Switzerland and US is at senior level (reaching 160k CHF is much more difficult than reaching 200k$).
The figures I gave were in-line with the US (as that's what most of this audience understands), but if you scale everything by a certain factor, the entire principle holds basically anywhere.
Not really. US programming salaries are much higher than most other engineering and specialist positions, which makes it harder for the government to hire good programmers.
However, programming salaries here in the EU are much more in line with other specialist salaries, which the government already hires many of. So there is no significant problem in hiring programmers at competitive rates for government work. The bigger problem, and the reason this doesn't usually happen, is just ideological opposition to state services, preferring to contract out this type of work instead of building IT infrastructure in-house.
And they get exactly what they pay for. There's zero reason for a competent professional to stick around with that kind of pay any longer than strictly necessary (aka until their own gig or freelancing takes off).
Not just governments, that same kind of greed exists in private companies too.
The only way to make good money while being an employee is to have your buddy spin up a "vendor" offering overpriced bullshit and shill it within your company. In exchange, you also spin up a "vendor" and your buddy shills it at his company.
This might explain why there are sooooooooo many vps providers/cloud providers, this might be one valid reason as to why.
I am sure that this might not be the only reason but still, its a valid reason for many. Do you know of companies/people which do this and how widespread this practise is?
To me it still feels like malicious compliance tho for what its worth.
I said this in jest as a reaction to what post-tax SWE salaries in Europe top out at, all while the same companies have no problem burning insane money on vendors. There is zero incentive to do good work as an employee as it won't be compensated anywhere near what even a shoddy vendor gets paid.
But given the rise of many SaaSes selling exactly the same thing every full-stack web framework used to provide for free - think Auth0, Okta, etc, it may very well be happening.
There is a difference of stopping a free service (for whatever reason) and threatening to stop a free service if the other party doesn't do what they want.
> Kind of wild that a private company has that kind of power
Also kind of wild that it’s a private US company pushing their current political views on another sovereign state. Cloudflare as a political tool of leverage is a level of dystopia we really should try not to unlock.
They're threatening to take their ball and go home. If they move all of their operations out of Italy, under what principle does Italy demand they block content globally? Should Wikipedia remove their page on Tiananmen Square because the Chinese government demands it (which they would, if they thought it would work)?
I think the parent is trying to say that whatever issues Italy may have internally, it's not up to Cloudflare to comment or enact solutions on their own.
a private US company pushing their current political views on another sovereign state
This has always been the case in the western world, even before America itself existed. Some use the US govt (CIA) as leverage but often will just do it themselves.
A system like this could actually work as long as every takedown request involves posting a significant bond into a holding account and where the publisher can challenge the block and claim the bond if the block is ruled illegal.
This achieves the advantages of quick blocking while deterring bad behavior, and provides cost-effective recourse for publishers that get blocked, since the bond would cover the legal fees of challenging the block (lawyers can take those cases on contingency and get paid on recovery of the bond).
This is one of the very few non-money-laundering use cases for crypto.
I would support a “5 cents per unsolicited email” email system, in a similar way. If you make it a mildly enjoyable $5/hour task to read the first sentence or two of your spam folder, the overall internet would be better.
BunnyCDN don't run their own network, most of their servers are hosted at DataPacket(.com), but they use some other hosting companies too.
DataPacket has a very large network though and is kind of, sort of EU-based. AFAIK most operations are in Czechia, but the company is registered in UK. And there's also the Luxembourg-based Gcore.
“OpenAI is now able to release open-weight models that meet requisite capability criteria.”
Was Microsoft the blocker before? prior agreements clearly made true open-weights awkward-to-impossible without Microsoft’s sign-off. Microsoft had (a) an exclusive license to GPT-3’s underlying tech back in 2020 (i.e., access to the model/code beyond the public API), and (b) later, broad IP rights + API exclusivity on OpenAI models. If you’re contractually giving one partner IP rights and API exclusivity, shipping weights openly would undercut those rights. Today’s language looks like a carve-out to permit some open-weight releases as long as they’re below certain capability thresholds.
A few other notable tweaks in the new deal that help explain the change:
- AGI claims get verified by an independent panel (not just OpenAI declaring it).
- Microsoft keeps model/product IP rights through 2032, but OpenAI can now jointly develop with third parties, serve some things off non-Azure clouds, and—critically—release certain open-weights.
Those are all signs of loosened exclusivity.
My read: previously, the partnership structure (not just “Microsoft saying no”) effectively precluded open-weight releases; the updated agreement explicitly allows them within safety/capability guardrails.
Expect any “open-weight” drops to be intentionally scoped—useful, but a notch below their frontier closed models.
Honestly, I wouldn't be surprised if OpenAI has done the math and determined that even releasing frontier quality models wouldn't put much of a dent in either their B2B or B2C businesses. Or, rather, that any such dent would be vastly overshadowed by the value of fending off potential competitors.
I haven't looked too much into Deepseek's actual business, but at least Mistral seemed to be positioning themselves as a professional services shop to integrate their own open-weight models, compliant with EU regulations etc, at a huge premium. Any firm that has the SOA open model could do the same and cannibalize OpenAI's B2B business---perhaps even eventually pivoting into B2C---especially if regulations, downtime or security issues make firms more cloud-skeptical with respect to AI. As long as OpenAI can establish and hold the lead for best open-weight/on-premise model, it will be hard for anyone to justify premium pricing so as to generate sufficient cash flow from training their own models.
I can even imagine OpenAI eventually deciding that B2C is so much more valuable to them than B2B that it's worth completely sinking the latter market...
This is a small step in installing an app, but a giant leap for digital freedom. I hope that non-UE citizens can achieve this goal by the end of the decade, not because it is easy, but because it is hard.
Its hard only because greedy corporation execs decided to milk its userbase dry, while giving them massive FU in the face coupled with a tasty spit. Technically, they already done it without breaking a sweat.
But amount of pass apple gets from mostly US folks even here on HN and elsewhere, despite all their intentional missteps and fuckups is staggering. Main reason for me to stay away from whole ecosystem, price wise they are just in upper middle tier, functionality wise it depends what you need/expect - from great to pretty much horrible proposition. If google would be chinese corp I would get it when crowds get into us-vs-them mindset, but this fanatism has no base in reality, its more like blind political support of candidate X despite massive character flaws, just because you already invested yourself heavily in given party direction for topic Y.
They will keep doing it exactly and only to the point when users will start voting with their wallets, hoping for some apple moral auto-correction is a pipe dream with some serious stuff in that pipe. Or leave it up to regulators with some morals, but I struggle to imagine this working anywhere else outside of EU, and I am not positive about the future change (hoping to be wrong of course). Until apple does something both nasty and visible, they will continue to be uncritically celebrated.
Well if you look at the uBlock Origin comment thread that I started on this article, someone told me you can have that on iOS in theory. Turns out they were just assuming as well.
I've installed every update and I've never had an issue. I don't use iOS much, but I don't think I've ever seen a bug. I have seen some weird behaviour, but that could just be me mostly using Android and not knowing how iOS does things.
It’s a mess technically: it mandates ISPs and DNS providers to block IPs/domains within 30 minutes of a report, with zero judicial oversight. It’s infamous locally for false positives—it has previously taken down Google Drive nodes and random legitimate CDNs just because they shared an IP with a pirate stream.
The NUCLEAR threat regarding the 2026 Winter Olympics (Milano-Cortina) is the real leverage here. He’s bypassing the regulator and putting a gun to the government’s head regarding national prestige and infrastructure security.
My personal take idea likely outcome: Cloudflare wins.
EU Law: The order almost certainly violates the Digital Services Act (DSA) regarding general monitoring obligations and country-of-origin principles. Realpolitik: The Italian government can't risk the Olympics infrastructure getting DDoS'd into oblivion because AGCOM picked a fight they can't win. They will likely settle for a standard, court-ordered geo-block down the road, but the idea of Cloudflare integrating with a broken 30-minute takedown API is dead on arrival.