Cybersecurity Advisors Network

On the 26 of March 2025, the Commercial Court No. 6 of Barcelona Spain dismissed a complaint by Cloudflare and RootedCON against the Spanish La Liga football (soccer, for our American friends) league, in which the complainants attempted to overturn a previous judicial ruling allowing blocking of Cloudflare IP addresses in an attempt to combat “audiovisual piracy”.

As a result, a significant number of sites hosted by Cloudflare are not reachable from within Spain. This includes users’ private data stored on Cloudflare R2. More details are available on a blog post on swhosting.com. El Economista has further details (Spanish link) on the court’s decision.

Screenshot of the error message received by a reddit user:

The link in the screenshot: https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

This should be of exceptional concern to organizations using cloud storage. Without entering into a discussion of intellectual property laws and their enforcement, or how realistic La Liga’s claims about losses from unlicensed viewing of football matches are, the league’s moves and the subsequent court decisions display a stunning ignorance of how IP addressing and cloud services work.

By allowing the block to stand, the court has created significant operational risk to companies relying on cloud hosted content and services, and completely fails to take into account other organizations’ right to exist online. All that matters is enforcement of one entity’s claimed IP rights.

The potential chilling effects on anyone operating legitimately on the Internet with absolutely zero involvement or interest in La Liga or other rights holders’ activities and content is shocking. While most cloud service providers will take action against reports of hosted content that violates specific laws, there is not a single cloud service provider that does not host any such material from at least one user.

Taking this decision to its extreme, intellectual property rights holders could knock huge swathes of the Internet offline. If its claims of lost profits from copyright violation are taken into account, then La Liga should also be held responsible for reimbursing companies caught up in this block for their lost profitability. A far more reasonable approach would be to force Cloudflare to confirm removal of specific reported content confirmed to violate IP rules.

The decision prevents further appeals via Spanish courts, but it remains to be seen whether Cloudflare will pursue recourse at a European level – let’s hope so.