Cloudflare

Cloudflare is a global network provider for Internet security, performance, and reliability.

Lobbying Activity

Meeting with Maravillas Abadía Jover (Member of the European Parliament)

13 Nov 2025 · Network blocking in Spain

Meeting with Michael Mcnamara (Member of the European Parliament)

2 Oct 2025 · AI and Copyright

Meeting with David Cormand (Member of the European Parliament, Shadow rapporteur)

2 Sept 2025 · Meeting on AI & Copyright

Cloudflare Urges EU to Reject New Telecom Regulation and Fees

11 Jul 2025
Message — Cloudflare requests that policymakers caution against regulation of IP interconnection and new regulatory intervention for other networks. They argue including cloud computing in the telecoms framework would lead to increased costs.
Why — This would protect Cloudflare from additional compliance costs and mandatory network payments.
Impact — European consumers and startups would face higher costs and fewer digital choices.

Cloudflare warns EU against protectionist cloud sovereignty requirements

3 Jul 2025
Message — Cloudflare requests that the EU maintains access to global networks rather than imposing restrictive sovereignty rules. They advocate for multi-cloud strategies and open standards to prevent companies from being locked into a single provider.
Why — Cloudflare maintains its market access and protects its business model from exclusionary regulations.
Impact — Dominant hyperscale cloud providers would face stricter competition and limits on service bundling.

Cloudflare Urges EU to Reject Disruptive Piracy Blocking

28 May 2025
Message — Cloudflare urges the Commission to resist excessive requests to expand network level blocking. They argue that the Commission should allow existing mechanisms in the Digital Services Act to work. Finally, rightsholders should be liable for economic harm caused to non-targeted third parties.
Why — This would reduce their operational risks and prevent the imposition of costly compliance mandates.
Impact — Ordinary citizens and small businesses lose access to essential online tools during overblocking incidents.

Meeting with Lara Magoni (Member of the European Parliament, Shadow rapporteur)

15 May 2025 · European Sports Model - Introductory meeting

Meeting with Zoltán Tarr (Member of the European Parliament)

13 May 2025 · Privacy in the EU

Meeting with Axel Voss (Member of the European Parliament, Rapporteur) and Google and

6 May 2025 · Copyright and generative AI

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology)

30 Apr 2025 · Cybersecurity

Meeting with Egelyn Braun (Cabinet of Commissioner Michael McGrath), Maria Zafra Saura (Cabinet of Commissioner Michael McGrath) and

18 Mar 2025 · Forthcoming Digital Fairness Act, protection of minors, data protection, simplification

Meeting with Dārta Tentere (Cabinet of Commissioner Maroš Šefčovič) and Meta Platforms Ireland Limited and its various subsidiaries and

11 Mar 2025 · Global trade developments

Meeting with Henna Virkkunen (Executive Vice-President) and

23 Jan 2025 · EU tech agenda

Meeting with Brando Benifei (Member of the European Parliament)

21 Nov 2024 · Meeting on the UE digital and AI policies

Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

24 Jul 2024

Cloudflare welcomes the opportunity to contribute and respond to the public consultation on the NIS2 Implementing Regulation on Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers. Please find our detailed contribution attached.

Cloudflare urges EU to prioritize investment over new digital regulations

28 Jun 2024
Message — Cloudflare recommends avoiding new regulations for cloud providers and focusing on strategic connectivity investment. They argue existing laws already cover the digital sector.
Why — This approach prevents increased operational costs and avoids mandatory payments to telecom operators.
Impact — Major telecom operators would lose a potential new revenue stream from mandatory fees.

Cloudflare warns GDPR data localization rules harm cybersecurity

8 Feb 2024
Message — Cloudflare wants the EU to clarify that IP addresses are not always personal data. They also propose exempting cybersecurity data from international transfer restrictions to ensure safety.
Why — This would allow the company to operate its global network without building expensive Europe-only infrastructure.
Impact — EU citizens and businesses would suffer from weaker security and exclusion from global online marketplaces.

Cloudflare urges flexible templates for EU transparency reporting

24 Jan 2024
Message — Cloudflare requests flexibility within templates to accommodate varying practices and capabilities. It argues that copying Transparency Database categories for all intermediaries is overly broad. The company also seeks to remove burdensome requirements for monthly reporting data.
Why — This would reduce operational burdens and avoid costly engineering changes to tracking systems.
Impact — Regulators and researchers lose access to the granular, monthly data needed for monitoring.

Meeting with Paul Tang (Member of the European Parliament, Shadow rapporteur) and Microsoft Corporation and

5 Dec 2023 · Staff Level: Lunch on the Future of Encryption

Meeting with Werner Stengg (Cabinet of Vice-President Věra Jourová)

10 Oct 2023 · Connectivity, cyber-security, DSA, DMA

Response to Fighting against online piracy of live content

10 Feb 2023

Please find attached Cloudflare's submission to the Call for Evidence on Combating Online Piracy of Live Content.

Meeting with Alin Mituța (Member of the European Parliament, Shadow rapporteur)

6 Oct 2022 · Data Act

Meeting with Christel Schaldemose (Member of the European Parliament, Rapporteur)

24 May 2022 · DSA, Protection of vulnerable groups online

Meeting with Filomena Chirico (Cabinet of Commissioner Thierry Breton)

29 Mar 2021 · DSA

Response to Child sexual abuse online: detection, removal and reporting

30 Dec 2020

Cloudflare provides web security, performance and reliability services to a significant portion of the Internet, with a mission to help build a better Internet. Cloudflare generally does not host content, but protects websites from malicious cyberattacks and helps the Internet operate more efficiently. Responding to incidents of child sexual abuse material (CSAM) online has been a priority at Cloudflare from the beginning. To support the processes to identify and remove that content, we cooperate with entities like the National Center for Missing and Exploited Children (NCMEC) in the United States. Even though Cloudflare is not in a position to remove content from the Internet for users of our core services, we have worked continually over the years to contribute to these efforts.

Policy Options

Based on our experience with this issue, we encourage the European Commission to consider the technical and practical challenges that smaller companies face implementing effective tools to detect, report and remove CSAM. Many small companies seeking to compete with large and established companies lack access to sophisticated tools to scan proactively for CSAM and do not have access to the necessary information or the technical expertise to build them. The innards of the existing tools remain intentionally a bit of a mystery as companies try to stay ahead of those who produce or access CSAM and seek to circumvent those tools. For similar reasons, access to the hash information needed to run the tools is appropriately limited. You have to get big to be able to have access to these tools. The economic cost of developing a technical solution, as well as the resources needed to maintain it, should thus not be underestimated. If the Commission would decide to pursue policy options 2 or 3, where there would be binding obligations for “relevant” service providers, the potential financial and technical burden on smaller companies should be taken into account.

CSAM Scanning Tool

In Cloudflare’s view, we need to focus on ways to make such tools available more broadly. That is why we announced in late 2019 (https://blog.cloudflare.com/the-csam-scanning-tool/) that we were developing a tool that we would provide to our customers free of charge and would allow them to flag potential incidents of CSAM on their websites, so the website owner can take appropriate action. The many challenges we encountered building the tool suggest that a broadly-applicable mandate may be premature. Cloudflare’s tool uses fuzzy matches, which attempt to get at the essence of a photograph, to match existing CSAM hash lists with potential CSAM online. Building and deploying the tool has been challenging for both technical and policy reasons. First, the computation of hashes and image matching are complicated operations (https://blog.cloudflare.com/computing-euclidean-distance-on-144-dimensions) that require running very CPU-intensive operations, which would impose significant additional costs on smaller operators. Second, the engineering required to build a site-specific tool are things that smaller or less technical companies are likely to find cost-prohibitive. And even using external tools or services can be challenging for small operators, as understandable legal restrictions on the ability to access CSAM, combined with the failure to properly resource child safety organizations, makes it difficult to determine the accuracy of a matching tool or weed out false positives.

Finally, any proposal to mandate the detection and to remove ‘new’ materials must consider technical realities. We do not believe that it will be feasible to ask service providers to also track new CSAM (images that aren’t already in the existing hash lists). We are not aware of technical solutions available to (cost-)effectively combat the identification of these materials, and human review is likely both to be ineffective and to significantly expand the number of people with access to CSAM.

Meeting with Thierry Breton (Commissioner) and

2 Dec 2020 · Roundtable with platforms on DSA and DMA

Response to Digital Services Act: deepening the Internal Market and clarifying responsibilities for digital services

29 Jun 2020

Introduction

Cloudflare provides web security, performance and reliability services to a significant portion of the Internet, with a mission to help build a better Internet. While Cloudflare protects websites from malicious cyberattacks and helps the Internet operate more efficiently, it does not provide websites with access to the Internet or generally host their content. The EU eCommerce Directive has been the bedrock of innovation in the Internet industry. With that said, the Digital Services Act (DSA) presents an opportunity for further clarifications and a harmonisation of rules.

Cloudflare and the role of Internet infrastructure services

Cloudflare’s expertise is in moving Internet traffic around the globe quickly and securely by leveraging our Content Delivery Network (CDN) for traffic efficiency purposes and using our data centres to screen traffic for cybersecurity risks. A key component of the Cloudflare service involves caching content at the network edge to improve website performance. Furthermore, in the provisioning of its cybersecurity and reliability services, Cloudflare acts as a reverse proxy and this architecture protects websites that would otherwise be under threat of direct cyber attack. Many of Cloudflare’s technical services constitute the public core of the Internet, i.e. services which add increased efficiency, speed, resilience and security to the Internet, while reducing bandwidth costs and latency.

In recent times, we have seen the important role played by core Internet infrastructure services in response to the Covid-19 pandemic. Without the availability of caching services, the increased traffic load that we have witnessed would have placed an unsustainable demand on Europe’s international connectivity links. Also, and as reflected in a recent Analysys Mason report on the Benefits of Caching (https://www.analysysmason.com/consulting-redirect/reports/benefits-of-caching-may20/), caching is now an essential component of online service delivery.

Cloudflare’s core services also include Domain Name System (DNS) services. DNS service providers help direct Internet traffic, but they do not interact in any meaningful way with the content of the websites for which they provide service and they are not the origin of that content. The proper functioning of the Internet is critically dependent on DNS services, which are technical / passive by their nature.

Policy Options

Cloudflare believes that the safe harbour provisions which regulate mere conduit and caching services have successfully stood the test of time. As such, there is a strong case for a framework to continue to exist which ensures that technical services (including CDNs and DNS services) can maintain a content neutral approach. We note that the European Commission is currently considering options for addressing harmful content. However, in the absence of any common definition of harmful content and given the disparities among Member States, there is significant risk that including the category of harmful content within the DSA would lead to legal uncertainty, potential over-removal of legitimate content, and threats to freedom of expression and access to information. Moreover, there are other policy vehicles to address harmful content, such as the European Democracy Action Plan.

Turning to the specific policy options, Cloudflare believes that the DSA could build on the work carried out by the European Commission in its 2018 Recommendation on Illegal Content Online, and specifically as regards the provisions for hosting services on Notice and Action. This would effectively be some form of Option 2. As regards regulatory oversight and enforcement, it seems premature at this stage to be speculating on which type of body would be most appropriate. What is clear, however, is that cooperation between Member States is crucial and any cooperation mechanism can work in tandem with the well-established country-of-origin principle.

Meeting with Werner Stengg (Cabinet of Executive Vice-President Margrethe Vestager)

11 Feb 2020 · Digital services act

Meeting with Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

11 Oct 2018 · Exchange of views on Commission initiatives in the field of cybersecurity

Meeting with Andrea Almeida Cordero (Cabinet of Commissioner Mariya Gabriel)

9 Jul 2018 · Digital4Her

Response to Measures to further improve the effectiveness of the fight against illegal content online

29 Mar 2018

Cloudflare believes that current initiatives should be allowed time to mature, and that further multi-stakeholder dialogues, particularly with smaller and medium sized companies on the industry side and including civil society representatives, continue on this important public policy issue to ensure a proportionate and reasonable approach. Deeper reflection is needed on the unintended consequences that can flow from content removal actions at haste, as well as the harm seen as a result of various different types of illegal content online. Evidence-based policy making remains, as always, critical, and we continue to affirm the importance of the eCommerce Directive and the intermediary liability regime for industry investment and innovation. Cloudflare would, therefore, support the baseline option set out by the Commission, rather than sector-specific or horizontal legislation. We attach our further comments.

Response to Improving cross-border access to electronic evidence in criminal matters

25 Aug 2017

Cloudflare is an Internet security company working to help build a better Internet. We run a Content Distribution Network and are the largest and fastest provider of Domain Name System (DNS) services in the world. With 116 data centres in 57 countries, we serve approximately 10% of global Internet requests. We also protect more than 6 million internet properties globally from Distributed Denial of Service (DDoS) attacks. Our customers include major eCommerce websites, Government agencies and financial institutions, as well as smaller web properties. Cloudflare is pleased to respond to the European Commission’s Inception Impact Assessment, having also attended the stakeholder sessions during the first half of 2017. Please find our comments attached.

Response to Review of ENISA Regulation and laying down a EU ICT security certification and labelling

2 Aug 2017

Cloudflare is an Internet security company working to help build a better Internet. We protect more than 6 million web properties around the world from Distributed Denial of Service (DDoS) attacks. With over 115 data centres in more than 50 countries, we serve approximately 10% of global Internet requests and in a typical day, the Cloudflare network of data centres blocks more than 400 million DDoS attacks. This gives us a unique perspective on cyber threats and ICT security. We believe that the power of innovation and cooperation can help address most security issues. While Governments have played a key role in the development of the Internet, most of the solutions to cyber threats come from the private sector and the technical community. Rather than resorting to further regulation or imposing a one-size-fits-all standards framework, policy makers should help foster the kind of innovation and competition that has enabled the phenomenal growth of the Internet. New technologies, the adoption of best practices by businesses and other organisations, awareness raising, and greater transparency are the real key to thwarting security threats. Furthermore, the NIS Directive has yet to take effect nationally and as such, we are yet to see the benefits of that rather young piece of legislation.

In September, 2016, Mirai software unleashed one of the largest DDoS attacks up to that time. The following month, Cloudflare identified multiple large attacks coming from Internet of Things (IoT) devices and described the attacks as the new trend. Later the same month, Mirai was used to disable the DNS service provider Dyn, an attack that highlighted both the need to protect IoT devices better and the need to defend against traffic coming from infected IoT devices. It also showed how an attack on one part of the Internet infrastructure can affect dozens of the most popular websites and billions of users.

To stop these types of attacks, attackers must be convinced they will be ineffective in achieving the desired goal of taking down the website. Based on the extensive number and type of attacks that we have observed, Cloudflare suggests a holistic approach to stopping these attacks, which needs to include four components: (1) Blocking DDoS traffic (2) Preventing reflection attacks (3) Fixing or isolating computers and devices that comprise botnets, and (4) Taking control of the servers used to command and control botnets. We attach our full response to this Inception Impact Assessment and the questions asked therein.