Cloudflare liable for copyright infringement by providing CDN services but not for DNS resolver services

After the German Supreme Court set a high bar for obtaining a website blocking order against Internet service providers in DNS-Sperre (IPKat here), the Higher Regional Court of Cologne dealt with the question whether the provider of DNS resolver and CDN services can be liable for copyright infringement if it provides its services to the operators of websites with illegal content.

DNS means ‘domain name system’. Every domain has a unique Internet Protocol (‘IP’) address, consisting of four numbers. Since it is not very practical to remember such numbers, domain names such as were introduced. The job of a DNS resolver service is to connect the domain name with the IP address. A more detailed description can be found here.

CDN means ‘content delivery network’. It is a network of servers that are distributed globally. It caches a website’s content on servers close to the end users, which increases the performance of the website. A more detailed description can be found here.


The plaintiff owned the recording rights to the songs of German musician Sarah Connor. The website provided a download link to one of her music albums without hosting the album itself. Cloudflare provided DNS resolver and CDN services to the operator of

The plaintiff sued Cloudflare for copyright infringement. The District Court held Cloudflare liable on account of its DNS resolver and CDN services. Cloudflare appealed.


The Higher Regional Court’s decisions

The Higher Regional Court of Cologne partially upheld the appeal (case 6 U 149/22). It found that Cloudflare was liable for copyright infringement due to providing the CDN services but not for the DNS resolver services.

Copyright infringement on

It was obvious to the judges that the download links provided on infringed the plaintiff’s right under the German equivalent of Art. 3(2)(b) InfoSoc Directive. According to GS Media (case C-160/15, IPKat here and here) merely providing links to copyright infringing content constitutes ‘communication to the public’ if this is done for financial gain in knowledge of the illegal nature of the publication of the protected work. was considered to be an obviously infringing website. It contained, according to its own statements, over one million download links to the latest charts, albums and audiobooks. Additionally, the website’s host provider BlueAngelHost stated on its website:

Our servers are located in Offshore location (Bulgaria) which enable us to offer DMCA Ignored Hosting services, total privacy, data security, and wider range of accepted content.

“Why You Need it?“: 

Purchasing USA-based hosting for a site that is not legal to be run in America is not a sensible thing to do. Offshore hosting can be helpful for less scrupulous business who wish to bypass local laws or regulations, particularly for issues like copyright law, which is also known as no DMCA hosting.
After confirming the unlawfulness of the link on, the Court dealt with Cloudflare’s liability as a service provider. The judges held that the CJEU’s case law on the liability of host providers (YouTube and Cyando, cases C-682/18 and C-683/18, IPKat here) applied to other providers that play an ‘indispensable role’ within the meaning of the CJEU’s case law.

No liability for DNS resolver services

As regards the DNS resolver services, the Court found that they did not play an ‘indispensable role’ for the making available of Sarah Conner’s music album.

Cloudflare’s DNS resolver was neither necessary to find the IP address of nor did it make the access easier. Cloudflare’s DNS resolver is one of several freely available DNS resolvers. The Court also considered that such services are merely passive, automatic and neutral for the connection of domain names and IP addresses. Therefore, the Court found that a DNS service provider is comparable to an access provider. The latter’s liability required not only a clear notice of an obvious infringement but also that the plaintiff used best efforts to take action against the operator of the website or other service providers which are closer to the infringement (e.g. the host provider). Since the plaintiff did not show that it was impossible or unpromising to take action against the website operator or host provider, the conditions for liability were not met.

For the same reasons, the Court denied a website blocking order on the basis of the German transposition of Art. 8(3) of Directive 2001/29/EC.

Further, Cloudflare could rely on the domestic provision corresponding to Art. 12 E-Commerce Directive, exempting service providers for the transmission of information from liability. As of 17 February 2024, the DSA will partially amend the E-Commerce Directive. The rules on liability exemptions and monitoring obligations in Artt. 12 to 15 E-Commerce Directive will be replaced by Artt. 4, 5, 6 and 8 DSA (Art. 89 DSA). Therefore, the Higher Regional Court considered Recitals 28 and 29 DSA, which explicitly mention DNS resolvers and their exemption from liability (in particular under Art. 4 DSA, which is essentially identical to Art. 12 E-Commerce Directive). On that basis, the judges found that DNS service providers are covered by Art. 12 E-Commerce Directive.

Liability for CDN services

The Court held that Cloudflare’s CDN services played an ‘indispensable role’ for making the copyright infringing content on available to the public. The website could only be accessed by using the CDN.

An ‘indispensable role’ is a necessary but not a sufficient condition for liability. Further criteria also spoke in favour of Cloudflare’s significant contribution to the infringement:

  • There is an inherent possibility to abuse Cloudflare’s services for illegal activities.
  • Cloudflare temporarily saved parts of the website not only for the time that is necessary to transmit the data.
  • Cloudflare also protected the website by controlling access to it.
  • The IP address of the website was not visible. A Whois search only showed the IP address of Cloudflare.
  • Cloudflare provided an abuse form but did not make the IP addresses of its customers available even after reporting a website with illegal content.

Cloudflare could not rely on the liability exemption of Art. 12 E-Commerce Directive because their CDN services were not limited to the mere transmission of communication. The Court also found that the exemption in Art. 13 E-Commerce Directive regarding caching did not apply. According to Cloudflare’s terms and conditions, it may store the customer’s website for more than a year, which the judges did not consider temporary anymore. Further, the CDN services’ purpose was not only to make the information’s onward transmission more efficient but also to make it more secure. This purpose is not covered by Art. 13 E-Commerce Directive. Finally, Cloudflare’s terms and conditions allowed it to alter certain information of their customer’s website in order to enhance the security of the website or the functionality of their could services. Modification of the information prevents the exemption from applying (Art. 13(1)(a) E-Commerce Directive).


It seems questionable to argue that the DNS resolver services did not make the access to the website easier. The IP addresses of infringing websites are usually concealed, which makes finding (and therefore accessing) them quite difficult. And why should it matter that Cloudflare is not the only provider of DNS resolver services? Should someone be absolved from liability just because someone else could support the illegal activities?

Picture is by Klinko and used under the licensing terms of

Cloudflare liable for copyright infringement by providing CDN services but not for DNS resolver services Cloudflare liable for copyright infringement by providing CDN services but not for DNS resolver services Reviewed by Marcel Pemsel on Monday, February 12, 2024 Rating: 5

1 comment:

  1. Something seems to have gone wrong in Germany. First, the reasoning of the GS Media case is outdated and should be supplemented with case law from the Renckhoff and VG Bild-Kunst cases, among others. Second, the application of the provisions of the eCommerce Directive should also be considered problematic. The CDN is the primary tool that uses caching and allows the Internet to function. Without it, nothing would flourish as we would have to wait several minutes for popular sites to load. This is even emphasized in DSA paragraphs 28-29. Moreover, the caching exception talks about "temporary" storage of information, not short-term. Lege non distinguente, its application cannot be made dependent on whether the storage is for a long or short period of time, as long as this does not lead to circumvention of the function of the provision and would cover, for example, hosting. Even if the court were to decide that one year is too long (the usual period for static content), there is still the hosting exception mentioned above. Undoubtedly, in this case, it is not the CDN provider that is the infringer, but the eventual site administrator. Identifying that administrator will not be a problem for law enforcement/court based on a request to the domain registrar. So I don't understand where anyone got the idea that information from the Whois database is the holy grail to prove that a CDN provider is actively involved. To be honest, this is yet another decision where the German courts show that they don't understand how the Internet works.


All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here:

Powered by Blogger.