Piracy Shield: New Technical & Operational Requirements For 2025

The official launch of Piracy Shield on Saturday February 1, 2024, played out more quietly than many had predicted.

The next five days saw the blocking of just 11 IP addresses, adding weight to the theory that the system still wasn’t quite ready. After several months the volume of IP addresses and FQDNs (fully qualified domain names) dramatically increased but not before overblocking entered the equation.

When mounting criticism found a platform in the media, legitimate concerns were publicly dismissed as fake news. Public awareness of piracy was always part of the plan but on terms designed to build bridges, not erect even more walls. Yet in October 2024, further amendments to the law (the Omnibus decree) caused uproar by targeting the very people and companies upon which Piracy Shield completely relies.

One legal amendment threatened ISP bosses with prison if they failed to proactively report piracy to the authorities. Some ISPs highlighted the injustice of trampling on the rights of an entire industry, purely for the benefit of protecting football. Others spoke only of betrayal.

Piracy Shield: New Technical & Operational Requirements

Published by AGCOM last Friday, ‘Update of the Technical and Operational Requirements of the Single Technology Platform with Automated Operation Called Piracy Shield’ is available under the more convenient reference Delibera 48/25/CONS (pdf) on AGCOM’s website. It contains proposals for changes to Piracy Shield’s operations which will most likely pass as-is, unless someone contests it at the Regional Administrative Court of Lazio within 60 days of publication.

AGCOM begins by referencing the requirement in the Omnibus decree that VPN services and publicly available DNS, “wherever resident and wherever located,” plus “search engines and, more generally, the providers of information society services involved in any capacity in the accessibility of the website or illegal services” will be required to obtain accreditation to use Piracy Shield and like ISPs, start blocking pirate services.

In the event that “managers of search engines and the providers of information society services” are not directly involved in the accessibility of a pirate site or service, they will still be required to act.

Within thirty minutes of receiving notification of a blocking order, they will be required to “adopt all technical measures useful for hindering the visibility of the illegal content,” including in any case, “the de-indexing from search engines of the domain names subject to AGCOM’s blocking orders, including the domain names subject to the reports made via Piracy Shield.

IP Addresses & Domain Name Blocking/Suspensions

Another measure introduced via the Omnibus decree reads as follows:

“The providers of IP address assignment services, the Italian Registry for the country code Top Level Domain (ccTLD) .it, the providers of domain name registration services for ccTLDs other than the Italian one and for generic Top Level Domain (gTLD) names, shall periodically re-enable the resolution of domain names and the routing of network traffic to the addresses.”

AGCOM clarifies that IP addresses blocked pursuant to this article, may only be unblocked on a date at least six months after they were initially blocked, assuming they are not used for illicit purposes. In respect of domains and IP addresses in general, previous limits no longer exist in 2025, but increases will be applied gradually.

Permanent Technical Table

“ISPs and rights holders, including trade associations and federations, as well as representatives of the ACN [National Cybersecurity Agency], the Guardia di Finanza, the Postal Police and representatives of the Ministry of Business and Made in Italy, participate on a permanent basis in the work of the Technical Table… ”

Noting two dates in January 2025 where ‘Technical Table’ meetings took place, AGCOM says that rightsholders and ISPs were previously invited to submit their observations on the implications of the new provisions in the Omnibus decree. Submissions and subsequent discussion seems to have led to some type of consensus or acceptance on the interpretation of some of the more contentious provisions.

Overblocking Avoidance

When rightsholders wish to block content made available by an IP address offering both infringing and non-infringing content, going ahead regardless would almost certainly lead to collateral damage.

Previously, an IP address/server ‘univocally’ or universally used to supply infringing content could be blocked. However, by mixing legitimate and illegitimate content on the same server, it was argued that pirates could avoid blocking by gaming the rule. By replacing ‘univocally’ with ‘predominantly’ the ‘loophole’ was closed but left rightsholders in a position to potentially block quite a lot of legitimate content to protect their own. AGCOM offers a solution of sorts.

“It has been specified that the requirement of prevalence must be interpreted in compliance with the criteria of proportionality and reasonableness, assessing their existence on a case-by-case basis. The reporters [of infringement] are required to respect the utmost diligence and the utmost rigor in submitting the blocking requests,” AGCOM notes, adding that if the prevalence of illicit content is in doubt, AGCOM should be consulted.

In view of earlier overblocking at Cloudflare, for example, AGCOM makes an additional comment suggesting that measures are already in place to prevent a repeat moving forward.

The regulator notes that “resources for which there is no certainty of the prevalent illicit nature or resources for which it was not possible to carry out all the technical analyses aimed at excluding blocks of legitimate resources” should not be reported for blocking, as is the case already.

The same applies to “resources that present a high risk of overblocking, such as, for example, content delivery networks, reverse proxies, VPN services, cloud storage services and the like.”

ISP Compensation & Pirates’ Privacy

Currently required to provide their own equipment and software, pay overtime, and cover all other costs associated with blocking, ISPs have been asking for fair compensation for their work. AGCOM explains that “the law does not attribute powers to the Authority [AGCOM] in this regard,” but it “reserves the right to activate the initiatives within its jurisdiction in order to represent this situation in the appropriate venues.”

On the privacy front, AGCOM reminds all involved in Piracy Shield that diligence and confidentiality of information and data should be observed at all times. That leads to the question of transparency and whether blocked IP addresses should be made public as previously promised, but never emerged.

“[W]ith particular reference to the confidentiality of the blocked IP addresses, it was specified that the Authority believes it cannot publish the entire list of blocked IP addresses as they fall within the category of ‘personal data’ that may allow indirect identification, as clarified both by the Court of Justice of the European Union and by the Privacy Guarantor, as well as to not undermine the action to combat piracy,” AGCOM notes.

From a technical perspective, AGCOM is on pretty solid ground. However, the same does not apply to any kind of domain name so, in the interests of transparency, releasing those could be a reasonable compromise.

From: TF, for the latest news on copyright battles, piracy and more.