The fight against illegal football streaming in Spain is no longer just about audiovisual rights. It has also become a case study in how not to implement online blocking measures when, along the way, websites and services unrelated to piracy are affected.
The European Commission has just completed a two-year review of its Recommendation (EU) 2023/1018 on combating piracy of sporting events and other live content. And that review explicitly highlights the Spanish case: the blocks initiated by LaLiga and Telefónica have resulted in overblocking complaints and spurred a debate about existing safeguards.
Meanwhile, LaLiga has issued its own interpretation of the report, claiming that Brussels “endorses” the dynamic blocking strategy applied in Spain. For the digital ecosystem—and especially for those whose websites went down without warning—the perception is quite different.
What Brussels was asking for in 2023: blocking yes, but without harming third parties
The 2023 Recommendation was very clear in its approach: member states and intermediaries could resort to DNS and even IP blocks, including dynamic blocks, as long as two basic conditions were met:
- Measures must be strictly selective.
- They must not unnecessarily restrict users’ legal access to information.
In other words, the Commission opened the door to acting swiftly against clones and mirror domains used to bypass blocks—but emphasized that the remedy should not cause more harm than the problem itself. The text specifically mentioned the importance of respecting fundamental rights such as freedom of information and access to legitimate content.
From the outset, many network and digital rights experts warned of an obvious risk: blocking by IP in 2025 is not just blocking “a website”, but potentially shutting down services for hundreds or thousands of projects sharing the same infrastructure via CDNs and public clouds.
The sports lobby wants more: pan-European blocking and KYC for VPNs and CDNs
A few days before the evaluation of the Recommendation was published, the sports and audiovisual lobby played its hand: an open letter directed at high-ranking European Commission officials demanding a step further.
Key demands included:
- A European-wide IP blocking system, legally binding.
- Intermediaries (carriers, service providers, etc.) to cut access to infringers within minutes of notification.
- VPN providers and CDN networks to maintain a KYC (Know Your Customer) registry with the real identity of their users.
Signatories included LaLiga president Javier Tebas. The core message was clear: they find the current Recommendation insufficient; they want strict, automatic rules with less room for nuance.
For a tech outlet, these demands raise several alarms: mandatory KYC for VPNs and CDNs clashes directly with privacy and security culture online; a pan-European IP blocking system managed hastily is almost certain to cause widespread overblocking.
What the Commission’s evaluation actually says
In its two-year review, the European Commission acknowledges that, overall, legitimate content content blocking has been “very limited” across most Member States. But it immediately qualifies: the risk of overblocking is much greater when measures rely on IP addresses rather than more precise identifiers.
And at this point, it identifies specific problems:
- The deployment of the Piracy Shield tool in Italy.
- The order to block in the LaLiga/Telefónica case in Spain.
In both cases, Brussels admits that users and stakeholders have filed complaints about excessive blocking, prompting debates on whether current safeguards are enough. The document also recalls the jurisprudence of the European Court of Justice: blocking measures must be strictly targeted and must not affect legally accessing users.
This is not a trivial detail: Spain appears in an official Commission report as an example of a country where blocking has caused issues—just as lobby groups push to make these tools mandatory across the board.
Madrid turns a blind eye, LaLiga claims “endorsed”
The Brussels picture contrasts with the official Spain narrative. In a recent response in Congress to ERC questions, the government stated that it has not received “formal communications or complaints” documenting specific cases of overblocking related to LaLiga and Telefónica’s orders.
Formally, this is correct: if no formal process or complaint has been filed through official channels, the Ministry can say “nothing has been recorded.” But that does not mean damages do not exist—just that affected small players are not reaching the bureaucratic circuitry. A small business, blogger, or regional media that sees its website down during a match is unlikely to launch a complex legal challenge against LaLiga or a large telecom provider.
Meanwhile, LaLiga released a statement interpreting the Commission’s review as backing its strategy. They argue that the few reported incidents relative to total blocks prove safeguards are sufficient and that their dynamic blocking model is effective.
Beyond official communications, the tone has sometimes been openly dismissive. Voices within the organization have minimized overblocking cases, calling those affected “four nerds” or sites with insignificant traffic. The underlying message is clear: if your project doesn’t generate major traffic, your right to stay online matters little compared to protecting paid football.
The technical side: blocking by IP in 2025 is like shooting a shotgun
From a technical perspective, overblocking is not an “unfortunate accident” but an almost inevitable consequence of the chosen method. Blocking by IP in an environment dominated by CDNs, load balancers, and multi-tenant clouds means that, in practice:
- You risk turning off all domains resolving to that IP at a given moment.
- Sites that frequently change IPs depending on load and routing can be affected unexpectedly.
- Critical services (APIs, admin panels, internal apps) sharing infrastructure with the infringing site may be cut off.
When dynamic blocks—updated during matches—are involved, the scope for review, testing, and debugging shrinks significantly. Lists are generated and applied quickly, often under pressure. Under these conditions, guarantees of “strict selectivity” are more aspiration than technical reality.
For network operators, the alternative—blocking via URL or finer traffic patterns—is more costly and complex but much more respectful of legitimate services. Choosing to block by IP is not neutral; it’s opting for a cheaper, cruder solution, passing the cost of errors onto third parties who neither buy nor sell in the piracy war.
Impact on the digital ecosystem: small projects under constant suspicion
The “only a few cases” argument hides another issue: power asymmetry.
- LaLiga and Telefónica have resources to obtain court orders, legal teams, and public communications.
- Affected small businesses, digital startups, local shops, regional media, or personal projects often find their websites unresponsive for certain users and have no clear how to initiate a challenge.
For the tech ecosystem, this means several risks:
- Loss of trust in shared infrastructure: hosting providers and CDNs may see their platforms become collateral damage in mass blocking efforts.
- Deterrence of innovation: if small projects fear unexpected shutdowns due to third-party decisions, investments and growth are discouraged.
- Normalization of technical censorship: pressure could mount for similar measures in other sectors, using football as a precedent.
All this directly conflicts with the EU’s official stance on digital sovereignty, support for tech SMEs, and protecting fundamental rights online.
What should the tech sector demand?
In this scenario, a tech outlet cannot just recount LaLiga’s clashes and website outages as isolated incidents. There are fundamental questions that the European tech community should highlight:
- Mandatory transparency: public lists of blocked IPs and domains, the criteria used, and the duration of measures. Without visibility, auditing true impact is impossible.
- Fast exclusion mechanisms: if a legitimate website is affected, there must be a swift process to submit removal requests and get responses within hours, not weeks.
- Independent oversight: national authorities and, where appropriate, European agencies should possess real power to review orders and their implementation, not just receive reports.
- Preference for fine-tuned technical measures: favor blocking by URLs, content signatures, or cooperation with platforms over indiscriminate IP shutdowns.
The Commission’s review makes clear that overblocking is a genuine risk and has already occurred in cases like LaLiga and Telefónica. The next step is whether Europe will take this warning seriously, correct course, and consider networks as critical infrastructure… or accept that a few million IP addresses may become testing grounds for crude technical solutions, all in the name of protecting paid football on weekends.