Behind age gates and VPN bans: Europe’s quiet squeeze on internet freedom
Across Europe, the debate over “internet safety” is quietly morphing into something far more consequential: a structural erosion of online freedom that goes well beyond content moderation.
Recent policy pushes - from strict age-verification requirements in the UK’s Online Safety Act to sweeping youth platform bans in France and Spain - are being sold as protections, but they risk entrenching surveillance and control while incentivising restrictions on tools most associated with privacy and speech rights.
The latest flashpoint is VPNs.
In the Spanish city of Córdoba, a court ruling tied to LaLiga’s efforts to curb illegal football streaming has extended pressure beyond content platforms to VPN providers themselves. NordVPN and ProtonVPN have been ordered to block IP addresses linked to piracy - a move that, critics argue, risks redefining what VPNs are and what they are responsible for.
Another judge, from Barcelona, has also ruled in favour of LaLiga and ordered internet service providers (ISPs) to block IP addresses that illegally stream Spanish football matches, leading to “massive collateral damage to thousands of legitimate websites, apps, and vital services - all at the whim of a private Corporation,” wrote on X (formerly Twitter) David Peterson, Proton VPN General Manager.
What might look like a targeted anti-piracy measure is quickly becoming a test case for something broader: whether privacy tools can be compelled to enforce content controls.
A misfit legal model
For VPN providers, the core issue is not just the ruling itself, but the legal logic behind it.
“VPNs provide online security and encrypted connectivity, we do not host content nor direct users to specific sites,” Laura Tyrylyte, Head of Global Public Relations & Privacy Advocate at NordVPN told Cybernews. “Treating VPN providers as content moderators is a misclassification of the purpose of the VPN service,” she added.
The conversation on this topic is live. Join in the discussion.
That distinction matters. VPNs function as encrypted tunnels, allowing users to securely access the internet. They are not platforms, publishers, or hosting providers. Yet the Spanish ruling effectively treats them as intermediaries responsible for filtering access, a role that sits uneasily with how the technology actually works.
“We provide an encrypted tunnel; we are not in a position to curate, monitor, or control the content our users access, and we have no role in the distribution or hosting of pirated material,” noted Tyrylyte.
The company is now challenging the decision through legal channels, arguing that the obligations imposed are “fundamentally misaligned with a VPNs role and leads to widespread collateral damage without eliminating piracy,” sentenced Tyrylyte.
What happens when VPNs are blocked
At a technical level, blocking VPN infrastructure is both simpler and more disruptive than it might appear.
“When an IP of a VPN is blocked, what happens in practice is that internet providers create a rule to prevent any attempt by users to ‘talk’ to that address,” explains cybersecurity expert and computer forensic investigator Guilherme Bacellar.
“We can understand it as if that destination ceases to exist on the network. When you try to connect, the connection is interrupted before it is even established - or it is dropped halfway through. For anyone using it, the result is always the same: the VPN stops working because the connection to the server has been cut off.”
The effect is immediate: connections fail before they are even established. For users, the VPN simply stops working. But while the mechanism is straightforward, its consequences are far more complicated – and worrisome.
Collateral damage by design
One of the central problems with IP-level blocking is that it rarely affects only its intended targets. Many modern online services (including pirate streams, but also entirely legitimate platforms) rely on shared infrastructure such as content delivery networks (CDNs) or cloud providers. Blocking a single IP can therefore cascade across multiple unrelated services.
Tyrylyte points to concrete examples already seen in Spain: “Entirely unrelated, lawful services sharing the same infrastructure get knocked offline too… affecting lawful services, such as blocking of a payment provider or blocking of a national health operator.”
The problem extends beyond shared hosting. VPN infrastructure itself is dynamic, with IP addresses frequently reassigned.
“When an IP is blocked, everyone who depends on it can lose access, even if they are doing nothing wrong,” Bacellar says. “In practice, this generates instability, system failures, and even financial losses for businesses that rely on shared internet infrastructure.”
Has your password leaked?
And because VPN providers rotate IP addresses, those same blocked IPs can later be reassigned to entirely different services, compounding the disruption. “If that IP is later used by a bank or another service, the impact is immediate,” Bacellar adds.
The result is a blunt enforcement tool that struggles to distinguish between illicit and legitimate activity.
An ineffective fix for piracy
Even on its own terms, IP blocking appears to offer limited long-term effectiveness. “The procedures of site blocking are ultimately ineffective in combating piracy,” Tyrylyte argues, adding that “while they may address superficial cases, they fail to tackle root causes.”
The reason lies in the adaptability of online systems. Pirate services can shift infrastructure quickly, moving to new domains or IP addresses faster than legal processes can keep up.
“Blocking IPs of VPNs can be understood as trying to scoop seawater with your hands to fill a bucket,” Bacellar says. “It’s not a definitive barrier.”
Users, too, can adapt. Switching servers or locations within a VPN often takes seconds, rendering many blocking measures ineffective for anyone with basic technical awareness. This creates a familiar pattern: enforcement measures that are easily bypassed by determined users, while imposing friction and risk on legitimate ones, harming legitimate business as well as less tech-savvy users.
Such measures, states Tyrylyte , “affects innocent third parties and undermines confidence in VPNs as reliable tools, including for remote workers connecting to corporate networks, journalists communicating securely with sources, travelers accessing services from abroad, businesses relying on encrypted communications, and ordinary users who depend on VPNs for legitimate security and privacy.”
Bacellar agrees, adding that “the legitimate services that will be most affected include access to corporate VPNs for small and medium-sized enterprises (large companies and corporations use VPN services provided by specific companies that do not serve the general public), access to specific websites such as cloud storage/backup services, online gaming servers, online communication services, and even access to banks and financial apps.”
Who really gets targeted
Another concern raised by VPN providers is that enforcement efforts disproportionately affect certain parts of the ecosystem. “Blocking cases primarily target reputable, paid VPN providers, leaving free VPN services - which often have questionable privacy practices - largely untouched,” Tyrylyte notes.
This dynamic introduces a paradox. Users seeking to bypass restrictions may end up migrating toward less secure alternatives, exposing themselves to greater risks, from data logging and tracking to malware. It also highlights a broader issue: enforcement strategies that focus on visible, compliant actors rather than the underlying sources of illegal content.
A precedent that goes beyond piracy
Perhaps the most significant implication of the Spanish ruling lies not in its immediate effects, but in the precedent it sets. “Compelling neutral privacy infrastructure to enforce private content policies sets a worrying precedent,” Tyrylyte says.
If courts can require VPN providers to block access to certain content at the request of private actors (such as sports leagues) the same logic could be extended elsewhere. “From media and publishing to political speech,” Tyrylyte warns, “internet access gets reshaped, opening the door to a globalized censorship model driven by private gain.”
This convergence of state authority and private enforcement is already visible in the current case, where legal action initiated by a commercial rights holder has resulted in infrastructure-level obligations. The risk is that what begins as targeted enforcement could evolve into a broader system of control embedded directly into the architecture of the internet.
Age verification and the next frontier
Parallel to the debate over VPN blocking is another policy push with similarly far-reaching implications: age verification.
In the UK, discussions have begun around extending age-verification requirements not only to platforms, but potentially to VPN services themselves, raising questions about whether anonymity tools could be forced to identify their users.
For VPN companies, according to Dina Lurje, Chief Legal Officer and Head of Regulatory Policy at NordVPN, “our strict no-logs policy means that the information we retain about any individual is limited to the absolute minimum required to provide the service.”
“When we receive a request, the first step is to verify whether it is legitimate - whether it has gone through a proper legal process and is enforceable. If it is, we assess whether we have anything to provide. In most cases, we don’t. At most, we might confirm that an account exists under a certain email address - but even that email is often not tied to a verifiable identity. So in practice, our response is usually that we have no meaningful data to disclose,” she added.
For cybersecurity experts, however, a new set of risks arises and go beyond VPN’s.
“Practically all companies providing age verification services store photos and user data in their systems,” Bacellar explains. “This in itself constitutes abuse, since age verification should be something simple and independent of user data.”
The concern is not only about data collection, but about how that data is handled. “Many of these companies were created recently and have security cultures far below what is desirable,” he says. The result could be an expansion of sensitive data repositories - including facial images of minors - without robust safeguards. “We will see more frequent data breaches, now involving facial images of children and adolescents,” Bacellar warns.
At the same time, the effectiveness of such systems remains questionable. “In at least 80% of cases, sites are using providers with almost no security guarantees… children are already bypassing systems using photos of adults found online,” he notes.
A clash of models
For VPN providers, the debate over age verification reflects a deeper tension between different regulatory approaches. “We support initiatives that aim to protect children online, provided they do not undermine fundamental privacy rights,” Tyrylyte says.
But the company argues that responsibility should lie primarily with platforms, not infrastructure. “Social media platforms possess more than enough data to determine a user's real age and general location, regardless of whether a VPN is active.”
In this view, targeting VPNs risks misplacing the problem - and introducing new vulnerabilities without addressing the underlying issue.
The architecture question
Taken together, these developments point to a shift in how digital regulation is being applied. Rather than focusing solely on content or platforms, policymakers are increasingly reaching into the infrastructure layer, the systems that enable connectivity itself.
That shift carries significant implications.
Infrastructure is, by design, shared, neutral, and difficult to segment cleanly. Intervening at this level can produce wide-ranging and often unpredictable effects. And to Lurje, “neutrality is tied to the principle of an open internet.”
As Bacellar puts it, “it’s the kind of measure that solves a specific problem but creates others by affecting legitimate users along the way.”
For now, the debate remains fragmented across different policy areas - piracy, child protection, platform regulation. But the underlying trajectory is becoming clearer. What is at stake is not just how specific harms are addressed, but how the internet itself is structured: whether privacy tools remain neutral conduits, or become enforcement points in an increasingly controlled network.
Unlock more exclusive Cybernews content on YouTube.
