digital resilience

Resilience is not just the ability to “recover after an incident”; it is the ability to keep operating when dependencies become hostile, unavailable, or legally contested. The AGCOM–Cloudflare clash is a real-world stress test of Europe’s digital posture, and it shows why DORA-style resilience must start from infrastructure control, not from paperwork.

When regulation hits the control plane

The recent decision by AGCOM (Autorità per le Garanzie nelle Comunicazioni, Italy’s telecommunications regulator) to fine Cloudflare €206,000 in relation to Italy’s anti-piracy enforcement and the so-called Piracy Shield mechanism is more than a dispute about copyright enforcement.

Piracy Shield is a platform launched in early 2024 that allows rights holders, primarily sports broadcasters like DAZN and Sky, to request the blocking of IP addresses and domains allegedly used for illegal streaming, with a mandated response time of just 30 minutes for ISPs and DNS providers. The system has been controversial from the start: its aggressive blocking mechanism has caused significant collateral damage, taking down legitimate services including Google Drive URLs, innocent websites sharing IP addresses with infringing content, and even Cloudflare’s own infrastructure serving thousands of unrelated customers.

Cloudflare, as a global CDN and DNS provider, found itself in a difficult position: complying with the Italian blocking orders would mean disrupting service for legitimate customers worldwide who happen to share infrastructure with alleged pirates. The company argued that the orders were technically overbroad and legally questionable under EU law, and refused to implement certain blocks. AGCOM responded with the fine, asserting that infrastructure providers operating in Italy must comply with national enforcement mechanisms regardless of their global architecture.

This confrontation is a reminder that modern states increasingly regulate not only content publishers but also the infrastructure layers that make content reachable, including DNS and reverse proxies. The blast radius can become political, economic, and operational at once.

In public reporting, Cloudflare signaled that, as a consequence of the fine and the broader dispute, it may reconsider the pro bono cybersecurity services it provides for the Milano Cortina Winter Olympics. This is not a minor PR move: it exposes the leverage embedded in centralized infrastructure, where a single provider can be materially relevant to the security posture of a high-profile national event.

In other words, this episode highlights a structural fact: availability is not only a technical metric; it is a governance outcome.

Digital sovereignty as a resilience prerequisite

This is where the sovereignty angle stops being a thought experiment and becomes an engineering requirement, especially when the “switches” are operated elsewhere. My earlier analysis, “The Cloud Kill Switch: how Europe’s digital dependence became a Single Point of Failure”, framed the uncomfortable point clearly: the most sensitive component is often the control plane, where identity, billing, key management, and policy enforcement live.

If Europe, and Italy in particular, builds critical services on platforms whose control plane can be influenced by foreign legal systems, resilience becomes conditional. The dependency might be invisible during normal times, but it becomes a hard constraint the moment a dispute emerges, whether it is a sanctions regime, a policy change, or a regulatory clash that makes continued service unattractive.

In that sense, the AGCOM–Cloudflare case behaves like a real incident report: it demonstrates that geopolitical and regulatory dynamics can function like outages.

DORA and the limits of “plans-only” resilience

The EU’s Digital Operational Resilience Act (DORA) exists precisely because operational continuity cannot be left to best-effort practices, especially in the financial sector, where systemic ICT failures can cascade quickly. DORA sets expectations across ICT risk management, incident reporting, resilience testing, third-party risk management, and oversight of critical ICT third-party providers, pushing organizations to treat digital resilience as a regulated capability rather than an aspirational goal.

However, DORA can be misread, or mis-implemented, as a compliance exercise focused on producing incident response playbooks, disaster recovery runbooks, and supplier registers. Those artifacts matter, but they are not sufficient when the threat model includes dependency denial, legal conflict, or supplier withdrawal, because a perfect plan still leaves an organization trapped if it cannot move workloads or operate essential functions in a degraded but sovereign mode.

This is why digital operational resilience should be interpreted as “the ability to operate through shocks”, not merely “the ability to document how to respond”.

Building resilience from infrastructure and control

A resilient digital architecture starts from the premise that some dependencies are too strategic to be single points of failure. That does not automatically imply abandoning hyperscalers or global CDNs, but it does imply designing so that critical operations can survive their partial or total loss, including the loss caused by contractual breakdowns or jurisdictional conflict.

From this perspective, incident response and disaster recovery become the final layer, not the foundation. The foundation is infrastructure control: where workloads run, who can enforce policy, who can revoke access, and how quickly services can be reconstituted under different governance. That is exactly the kind of concentration and third-party exposure DORA is trying to force regulated entities to confront.

This is also where on-premises infrastructure and “local” cloud providers regain strategic value. By “local” I mean cloud infrastructures operated by European or national companies, not subject to extraterritorial legal frameworks like the US CLOUD Act, or to the whims of a particularly erratic US president. An on-prem core, paired with carefully chosen cloud extensions, can create resilience through optionality: the ability to degrade gracefully rather than fail catastrophically. A locally governed provider, in turn, changes the risk profile because disputes are adjudicated inside the same institutional framework that bears the consequences of disruption.