The Original Order: A Court Goes Further Than Almost Anyone Else
In February, the Commercial Court No. 1 of Córdoba issued an injunction that went further than virtually any European court had gone before in targeting online piracy. The court ordered NordVPN and ProtonVPN to actively block IP addresses hosting illegal streams of LaLiga football matches — not just once, but on a rolling basis as new infringing addresses appeared. That “dynamic” structure meant the obligations would update continuously, creating an open-ended technical burden on both companies.
The order was issued without either VPN provider being heard. NordVPN and ProtonVPN received no advance notice, had no opportunity to contest the injunction before it took effect, and faced no immediate avenue for appeal. That procedural shortcut — granting a significant legal order against named companies without due process — drew sharp criticism from legal observers, who argued it undermined the enforceability of the ruling from the start.
The court’s legal theory relied on classifying VPN services as “technological intermediaries,” a category established in EU law to govern ISPs and content delivery networks. Slotting VPNs into that framework was a novel move. Both companies rejected the classification outright, and their objection carried a practical edge: NordVPN is incorporated outside the EU, as is ProtonVPN, which meant the court’s jurisdictional reach was itself contested ground.
NordVPN called the approach unacceptable and warned that complying with IP-based blocking orders would cause significant overblocking — knocking out legitimate traffic alongside any infringing streams. That warning pointed to a core technical problem the court appeared to ignore. VPN servers route traffic from thousands of users simultaneously; blocking an IP address associated with an illegal stream affects every user passing through that address, not just the one watching pirated football.
LaLiga pressed ahead regardless, later telling the court that NordVPN had failed to fully implement the interim order and asking for financial penalties. The court declined. That refusal was the first sign that the original order’s ambition had outrun its practical and legal foundations.
The Jurisdiction Problem Nobody Wants to Talk About
The Commercial Court No. 1 of Córdoba issued its blocking order against NordVPN and ProtonVPN in February without either company being heard — and without granting them an immediate right of appeal. Both companies incorporated outside the EU responded the same way: they challenged the court’s jurisdiction outright. NordVPN called the approach unacceptable. The jurisdictional challenge wasn’t a legal technicality they raised reluctantly. It was the central argument, and the court’s subsequent refusal to impose fines when LaLiga requested them suggests the judges understood the problem they had created for themselves.
Here is the core issue: a Spanish commercial court issued a binding order against companies that have no legal establishment inside the European Union. No EU member state court has definitively resolved whether it can compel compliance from a non-EU tech company operating globally. NordVPN and ProtonVPN sit outside the reach of the standard mechanisms EU courts use to enforce judgments. When LaLiga pushed for fines after NordVPN failed to fully implement the blocking order, the court backed down. That retreat was not a procedural footnote — it was the court acknowledging, in practice, that its enforcement tools stop at a border the order was written as if didn’t exist.
Most headlines framed this as a win for VPN providers, which technically it was. The fines didn’t happen. But the more significant story is structural: the legal architecture for compelling cross-border compliance from non-EU companies in piracy cases does not exist in any coherent form. Rights holders like LaLiga can obtain orders, but obtaining an order and enforcing one are entirely different problems. The EU’s Digital Services Act creates obligations for large platforms, but VPN providers of NordVPN’s and ProtonVPN’s scale don’t automatically fall under that framework. No EU-wide mechanism currently fills that gap. Until one does, any single member state court that tries to bind a non-EU company is working without a real enforcement ceiling — and defendants know it.
Why the Fine Was Declined — and What That Silence Reveals
When NordVPN ignored the Commercial Court No. 1 of Córdoba’s blocking order, LaLiga did exactly what the enforcement playbook calls for: it went back to the court and demanded fines. The court said no. That refusal is the most important moment in this entire episode, and most coverage has walked straight past it.
The sequence matters. The Córdoba court issued a “dynamic” injunction in February classifying VPN providers as technological intermediaries and ordering them to block IP addresses streaming illegal LaLiga matches. The order was granted without NordVPN or ProtonVPN being heard, with no immediate right of appeal. NordVPN, incorporated outside the EU, challenged the court’s jurisdiction and declined to fully comply. LaLiga pushed for punishment. The court declined to impose it.
That retreat is not procedural housekeeping. A court that writes an order, watches it get ignored, and then refuses to enforce its own sanctions mechanism has exposed the gap between what the injunction claimed to do and what it could actually do. The order was issued against entities outside easy jurisdictional reach, and when that structural problem surfaced in practice, the court blinked.
Rights holders like LaLiga have spent years pushing enforcement up the chain — away from end users, away from direct infringers, toward infrastructure providers. That strategy has worked against ISPs and hosting companies with domestic footprints and regulatory exposure. It runs into a wall when applied to a Panama-registered VPN provider with no meaningful legal presence in Spain. The jurisdictional objection NordVPN raised was not a technicality; it was the entire ballgame, and the court’s silence on fines confirms it landed.
The broader implication is that the intermediary-targeting model has a hard jurisdictional ceiling. Aggressive framing — calling VPNs technological intermediaries, issuing ex parte orders, demanding active blocking — can generate headlines and legal precedent on paper. It cannot generate compliance from entities that have no assets, no offices, and no licensing relationships inside the enforcing country. LaLiga pursued maximum pressure and got minimum result. The injunction stands as text. As enforcement, it is empty.
The VPN Industry’s Dilemma: Compliance Is Technically and Philosophically Impossible
The Córdoba court’s February order exposed a fundamental mismatch between what regulators want VPNs to do and what VPNs are built to do. NordVPN and ProtonVPN exist precisely to encrypt traffic and shield user activity from observation — including observation by the services themselves. Ordering them to monitor outbound connections and block specific IP addresses doesn’t ask them to add a compliance layer; it asks them to dismantle the architecture their products are built on.
This isn’t a matter of technical inconvenience. A VPN that inspects and filters user traffic based on destination IP has, by definition, stopped being a privacy tool and become a surveillance mechanism. NordVPN made this explicit when it warned the court that the blocking order would cause overblocking — meaning legitimate traffic would get caught in any filtering net wide enough to catch piracy streams. The complaint wasn’t just philosophical. It was a direct warning that enforcement-by-VPN produces collateral damage the court hadn’t accounted for.
The intermediary classification compounds the problem. ISPs operate under national licenses, maintain established relationships with regulatory authorities, and already have blocking infrastructure in place. When a Spanish court orders Telefónica to block an IP, there is a clear jurisdictional hook and a technical mechanism to execute the order. Neither condition applies to NordVPN, incorporated outside the EU, or ProtonVPN, based in Switzerland. Labeling them “technological intermediaries” borrows a legal category designed for licensed, territorially-anchored operators and applies it to companies that have no equivalent regulatory footprint in Spain.
The danger isn’t limited to this case. If courts across the EU adopt the Córdoba court’s initial reasoning — that VPN providers qualify as intermediaries subject to domestic blocking orders — every privacy-focused service operating in Europe faces the same impossible choice: gut your product to comply, or face legal exposure in jurisdictions where you have no presence and no voice. The injunction here was issued without NordVPN or ProtonVPN being heard at all, and with no immediate right of appeal. That process alone signals how little the framework accounts for the structural differences between VPNs and the infrastructure companies the intermediary label was built for.
What Comes Next: A Legal Arms Race with No Clear Winner
LaLiga will file again. The Spanish football league has built one of the most aggressive anti-piracy litigation records in Europe, and a court declining to impose fines on NordVPN is not the kind of defeat that changes organizational strategy. The Córdoba ruling was inconclusive, not prohibitive — and inconclusive rulings invite refinement, not retreat.
The next attempt will likely arrive better constructed. Rights holders now know the jurisdictional argument cuts against them when targeting companies incorporated outside the EU, and they know that issuing dynamic injunctions without giving VPN providers a chance to respond creates procedural vulnerabilities. Future filings will try to close those gaps, either through courts with clearer jurisdictional reach or through lobbying for legislative tools that remove the ambiguity entirely.
That legislative route runs through the EU’s Digital Services Act. The DSA establishes a structured framework for ordering intermediaries to act against illegal content, and it applies to services operating within the EU market regardless of where they are incorporated. Rights holders have not yet fully weaponized the DSA for live sports piracy enforcement, but the architecture is there. A future case built on DSA obligations rather than improvised national court orders would give judges the statutory foundation the Córdoba court lacked.
The deeper fight is over dynamic blocking injunctions. Courts across Europe — in the UK, Italy, and Portugal — already use dynamic injunctions to compel ISPs to block piracy infrastructure in real time as IP addresses shift. Extending that mechanism to VPN providers is a categorically different ask. VPNs are not passive conduits in the way ISPs are; they are privacy tools used by millions of people for entirely lawful purposes. Forcing them to participate in live IP blocking creates overblocking risks that courts have not yet resolved.
The Córdoba case, despite its messy outcome, moved this debate forward. For the first time, a European court labeled VPN services as technological intermediaries subject to blocking orders. That classification — however shakily applied here — is now part of the case law record. The next court to hear a similar claim will start from a different baseline.
