A commercial court in Córdoba, Spain, has declined to punish NordVPN with coercive fines after the company was accused of failing to comply with an order to block IP addresses allegedly used to distribute unauthorized broadcasts. The decision does not settle the underlying dispute - main proceedings remain ongoing - but it marks a meaningful pause in what has become one of the most legally contentious efforts by a major European entertainment rights holder to extend copyright enforcement to privacy infrastructure. At stake is a question that goes well beyond football rights: can a VPN provider be compelled to act as a blocking intermediary, and what happens when the technical demands of that role are, demonstrably, unrealistic?
The Order That Started the Argument
In February of this year, Commercial Court No. 1 of Córdoba issued an injunction classifying VPN services as "technological intermediaries" and ordering them to actively block IP addresses associated with unauthorized broadcast streams. The injunction specifically named NordVPN and ProtonVPN. Crucially, it was granted without either company being given the opportunity to contest it beforehand, and no immediate avenue of appeal was made available.
Both companies are incorporated outside the European Union - NordVPN operates from Panama, and Proton is headquartered in Switzerland. That jurisdictional distance complicated enforcement from the outset and amplified the companies' objections. They were being ordered to comply with a judicial mandate from a country whose courts have no direct regulatory authority over them, under a legal theory - that VPN providers are intermediaries analogous to internet service providers - that remains untested and contested across multiple jurisdictions.
The rights holder behind the action estimates that unauthorized distribution of its broadcast content costs Spanish clubs between €600 million and €700 million annually. That figure explains the urgency of the enforcement effort. It does not, however, resolve whether the mechanism chosen to address the problem is technically coherent or legally sustainable.
Why the Technical Objections Carried Weight
When the Córdoba court considered whether to impose fines, it accepted technical evidence submitted by NordVPN. The judge ruled that it could not be concluded the company had deliberately and without justification breached the February order. That is a narrow finding - it is not an exoneration, and it does not invalidate the original injunction. But it does suggest the court found the practical arguments credible enough to withhold punishment.
NordVPN's core technical position is straightforward: the IP addresses specified in the blocking order are not static. They change frequently - sometimes within hours. By the time a VPN provider received a list, processed it, and implemented blocks at the infrastructure level, many of the listed addresses would no longer correspond to the sources they were meant to suppress. Blocking them at that point would achieve nothing against unauthorized distribution while potentially disrupting entirely unrelated services that had since been assigned the same addresses.
The second objection is about collateral damage. IP-level blocking is a blunt instrument. A single IP address can host hundreds or thousands of distinct services, particularly in cloud and content delivery environments. Blocking that address wholesale does not surgically remove one unauthorized stream; it removes everything on that address from the view of users subject to the block. This is not a theoretical concern. During broadcast windows this year, services including Cloudflare, Vercel, GitHub, and Docker became intermittently inaccessible to users in Spain - a direct consequence of broad IP blocking applied under orders related to this same enforcement effort.
The Broader Legal and Technological Tension
The Córdoba case sits at the intersection of two forces that have been pulling against each other for years: the legitimate interest of rights holders in protecting valuable broadcast content, and the structural limitations of internet architecture when used as an enforcement mechanism.
Internet service providers have been ordered to implement blocking in many jurisdictions, including across the EU, and courts have developed frameworks for managing proportionality - requiring that blocks be targeted, regularly updated, and subject to review. Extending that logic to VPN providers is a different proposition. A VPN does not route its users through a fixed national infrastructure in the way a domestic ISP does. Its servers are distributed globally, its users connect across borders, and its core function - encrypting and rerouting traffic - means that blocking at the IP level may simply redirect users rather than prevent access.
The classification of VPN providers as "technological intermediaries" under Spanish law is itself the central legal question that has not yet been definitively resolved. If that classification holds through the main proceedings, it would create a precedent with significant implications for privacy infrastructure across Europe and beyond - not only for commercial VPN services but potentially for any technology that obscures or reroutes traffic.
For now, NordVPN has avoided fines. The company describes the outcome as a vindication of its technical arguments, while carefully acknowledging that the court was not ruling the rights holder wrong on the underlying substance. That restraint is appropriate. The procedural battle has produced one result; the substantive one is still ahead.
