This article is a follow‑up to our July 2025 piece, “How Cloudflare Nurtures and Feeds Internet Criminals via Its Reverse‑Proxy/DNS Empire.”
Executive summary
- Explosive abuse growth. Cloudflare developer domains set new records in 2024: pages.dev incidents rose by 198 % (460 → 1 370) and workers.dev by 104 % (2 447 → 4 999). Total campaigns are on pace to exceed 1 600 in 2025.
- Systemic misuse. Multiple security vendors (Fortra, Trustwave, CloudSEK) and independent researchers show brand‑impersonation and credential‑harvesting on Cloudflare infrastructure at scale.
- Process dead‑ends. Despite thousands of submissions - including from trusted flaggers - Cloudflare’s abuse desk replies with boilerplate denials and places the burden of proof on reporters.
- Legal collision course. NIS2, its national transpositions, and the Digital Services Act (DSA) impose strict duties on “online platforms,” CDNs, DNS and reverse‑proxy providers. Cloudflare’s current practice is non‑compliant and creates material liability for EU customers.
- Action items. Regulators must clarify CDN liability; enterprises should block pages.dev / workers.dev by default; incident responders should lobby for trusted‑flagger status; and procurement teams must reassess Cloudflare against NIS2 supply‑chain obligations.
The abuse report that went nowhere
Below is a verbatim extract from Cloudflare’s response to one of our recent phishing takedown requests targeting a fake travel-agency domain that impersonates tiquetesbaratos.com:
Date: 31 July 2025
From: abuse@cloudflare.com
Subject: Re: [Cloudflare Abuse] tiquetesbaratoscos[.]pages[.]dev
Hello,
Cloudflare received your phishing report regarding: tiquetesbaratoscos[.]pages[.]dev
We are unable to process your report for the following reason(s): We were unable to confirm phishing at the URL(s) provided.
Please be aware Cloudflare offers network service solutions including pass‑through security services, a content distribution network (CDN) and registrar services. Due to the pass‑through nature of our services, our IP addresses appear in WHOIS and DNS records for websites using Cloudflare. Cloudflare cannot remove material from the Internet that is hosted by others.
The reply is identical to dozens we have received in 2025 alone, regardless of the supporting evidence supplied (live screenshots, captures, packet traces, credential‑stealing script hashes).
A well‑oiled production platform for phishing
| Indicator | 2023 | 2024 | % Δ |
|---|---|---|---|
| Phishing incidents on pages.dev | 460 | 1 370 | +198 % |
| Phishing incidents on workers.dev | 2 447 | 4 999 | +104 % |
Source: Fortra SEA, Dec 2024
These numbers are conservative. Our own telemetry shows malicious Cloudflare‑hosted subdomains spoofing tiquetesbaratos.com to an even broader extent than the vendor figures capture.
Additional third‑party findings:
- Trustwave SpiderLabs highlighted “a huge number of phishing and scam pages abusing pages.dev Cloudflare services.”
- CloudSEK described a generic phishing kit hosted on workers.dev that can impersonate any brand on demand.
- A Reddit thread with >600 up‑votes chronicles a researcher’s frustration after reporting 200+ malicious pages.dev sites - with <30 % ever taken down.
Why Cloudflare’s process fails trusted flaggers
- Form‑only reporting – Email complaints receive an automated bounce directing reporters to the web form. Bulk incidents cannot be submitted efficiently.
- High evidentiary bar – Reporters must prove phishing is active at the time of review, ignoring that campaigns often operate in short bursts.
- Opaque outcomes – Cloudflare rarely discloses whether any action was taken, citing privacy and customer confidentiality.
- No appeal or escalation path – There is no SLA for high‑risk abuse, nor a policy for trusted flagger status under the DSA.
Follow the money!
Cloudflare’s pricing for developers is famously generous - pages.dev is free, and Workers plans start at USD 5/month. Each new site increases Cloudflare’s data egress, TLS, and edge‑compute volumes, which translate into:
- Higher upselling potential for premium services.
- Better traffic metrics for investor reports.
- More telemetry to feed machine‑learning features marketed as anti‑phishing solutions.
Result: Moderation costs threaten margins; automation & denial are cheaper.
The legal lens: DSA, NIS2 and national cybersecurity laws
Digital Services Act (DSA)
- Fully applicable since 17 Feb 2024. Article 16 requires hosting services, online platforms included, to act on substantiated notices without undue delay, and Article 22 obliges online platforms to prioritise notices from designated trusted flaggers.
- Fines up to 6 % of global turnover for systemic non‑compliance. Cloudflare is not formally designated a VLOP yet, but its user base easily exceeds the 45 million monthly‑active threshold.
NIS2 Directive (EU 2022/2555) & national transpositions
- Transposition deadline: 17 Oct 2024; by mid‑2025 fewer than one‑third of Member States had notified full transposition. On 7 May 2025 the European Commission issued reasoned opinions to 19 laggards—including DE, FR, NL, SE and DK—for failing to implement NIS2.
- Scope expansion: NIS2 Annex I explicitly lists “DNS service providers, TLD name registries, cloud computing service providers, data centre service providers” and content delivery network providers - all roles that Cloudflare performs when fronting traffic.
- Essential vs. Important entities: Large CDNs (Annex I entities above the medium‑enterprise size ceiling, Art. 3(1)) will be classified as Essential, subject to ex‑ante supervision and stricter penalties - a maximum fine of at least €10 million or 2 % of global annual turnover, whichever is higher (Art. 34).
- Supply‑chain security (Article 21). EU organisations must assess and mitigate risks arising from ICT service providers. Continuing to rely on a provider with known abuse and weak takedown routines can be deemed non‑conformant risk management.
- Incident reporting (Art. 23). Providers must notify significant incidents without undue delay (early warning within 24 hours, incident notification within 72 hours). A platform where phishing lives undetected for weeks risks breaching this duty.
- Supervisory enforcement. National CSIRTs and regulators (BSI‑DE, ANSSI‑FR, NCSC‑NL, MSB‑SE) gain the power to audit, fine or order suspension of non‑compliant services - including orders to EU customers to discontinue their use.
Country‑specific amplifiers
- Germany (IT‑SiG 2.0) adds up to €20 M fines and empowers BSI to designate “critical components.”
- France (LPM) & RGPD‑SSI require hosting infrastructure for critical sectors to be SecNumCloud qualified - Cloudflare is not.
- Italy’s D.Lgs. 65/2024 mandates that public‑sector bodies use suppliers registered in the national Cloud Register.
- Sweden (Draft Cyber Security Act) implements NIS2; proposed entry into force 15 Jan 2026. Supervisory authorities (to be appointed by regulation) will gain audit and penalty fee powers, while MSB remains single point of contact and national coordinator.
Bottom line: Under NIS2 and its national avatars, selecting a CDN/ DNS/ reverse‑proxy provider is no longer a pure technical choice - it is a regulated supply‑chain decision with board‑level liability.
How responsible providers respond
| Provider | Accepted evidence formats | Typical takedown latency | Abuse channel |
|---|---|---|---|
| Namecheap | Screenshots, URL list, e‑mail | <12 h for verified phishing | abuse@namecheap.com |
| PDR | Short background, URL, screenshots | <48 h | abuse@publicdomainregistry.com + web form |
| OVH Cloud | CSV bulk, PCAPs | 24-48 h | web form + ticket |
| Hostinger | URL list, e‑mail | <12 h | abuse@hostinger.com + web form |
| nameSILO | URL list, e‑mail | 6-12 h | abuse@namesilo.com + web form |
How non-responsible providers respond
| Provider | Accepted evidence formats | Typical takedown latency | Abuse channel |
|---|---|---|---|
| Cloudflare | Must reproduce live phishing via web form | Days to months (if at all) | web form only; other channels are bounced with automated templates |
Recommendations
For regulators
- Clarify that CDNs & reverse proxies are hosting providers for DSA and NIS2 purposes when they terminate TLS and proxy content.
- Leverage NIS2 enforcement. Use inspections, fines, and shutdown orders for persistent non‑compliance.
- Mandate a trusted‑flagger fast lane with 24‑hour SLAs and publish audit logs of abuse handling.
For enterprises & SOCs
- Re‑evaluate CDN providers during 2025 vendor risk reviews; require written evidence of NIS2 compliance and breach‑handling metrics.
- Block or sandbox links ending in pages.dev and workers.dev until verified safe.
- Sinkhole newly created Cloudflare subdomains that spoof your brand via DNS filtering.
- Update incident‑response runbooks to include NIS2 supply‑chain obligations: document due diligence, preserve abuse evidence, and, if necessary, switch CDN rapidly.
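The two defensive steps above (sandbox developer-domain links, sinkhole brand-spoofing Cloudflare subdomains) can be automated at the mail gateway or DNS resolver. The following is an added example written for this article, not code from Cloudflare or from the original piece. It assumes a constructed gateway log format with a `url=` field, a protected-brand list containing only tiquetesbaratos, and an arbitrary similarity threshold of 0.85 for lookalike labels; the RPZ records it emits use the standard `CNAME .` trigger that makes a BIND/Unbound response policy zone answer NXDOMAIN.

```python
"""Triage URLs seen at a mail gateway for Cloudflare developer-domain abuse and
emit DNS RPZ sinkhole records for subdomains that spoof a protected brand.
Added example; the log lines and brand list below are constructed, not real data."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Cloudflare developer-platform suffixes the article recommends treating as untrusted.
DEV_SUFFIXES = ("pages.dev", "workers.dev")

# Assumption: the brands your organisation wants protected (brand token -> real domain).
PROTECTED_BRANDS = {"tiquetesbaratos": "tiquetesbaratos.com"}

# Assumption: similarity ratio above which a label counts as a lookalike.
LOOKALIKE_THRESHOLD = 0.85


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating bare hostnames."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def dev_suffix(host: str):
    """Return the developer suffix the host sits under, or None."""
    for suffix in DEV_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def spoofed_brand(host: str, suffix: str):
    """Return the protected brand a developer subdomain impersonates, or None.
    The customer-chosen label is everything left of the suffix; digits and
    hyphens are stripped so 'tiquetesbaratoscos' and 'tiquetes-baratos1' both hit,
    and a similarity ratio catches single-character typos of the brand."""
    label = host[: -len(suffix) - 1]          # e.g. 'tiquetesbaratoscos'
    norm = re.sub(r"[^a-z]", "", label)
    for brand in PROTECTED_BRANDS:
        if brand in norm:
            return brand
        if SequenceMatcher(None, brand, norm).ratio() >= LOOKALIKE_THRESHOLD:
            return brand
    return None


def triage(url: str) -> dict:
    """Classify one URL: block (brand spoof), sandbox (any dev subdomain), allow."""
    host = host_of(url)
    suffix = dev_suffix(host)
    if suffix is None:
        return {"host": host, "verdict": "allow", "brand": None}
    brand = spoofed_brand(host, suffix)
    if brand:
        return {"host": host, "verdict": "block", "brand": brand}
    # Not provably malicious, but the article's advice is to detonate before delivery.
    return {"host": host, "verdict": "sandbox", "brand": None}


def rpz_record(host: str) -> list:
    """RPZ triggers that return NXDOMAIN for the host and everything beneath it."""
    return [f"{host} CNAME .", f"*.{host} CNAME ."]


# Constructed sample log lines in the assumed gateway format (not real telemetry).
SAMPLE_LOG = """\
2025-07-30T08:12:03Z mailgw url=https://tiquetesbaratoscos.pages.dev/login rcpt=a@example.org
2025-07-30T08:14:10Z mailgw url=https://docs-portal.pages.dev/ rcpt=b@example.org
2025-07-30T08:15:44Z mailgw url=https://tiquetes-baratos1.workers.dev/verify rcpt=c@example.org
2025-07-30T08:16:01Z mailgw url=https://www.tiquetesbaratos.com/ofertas rcpt=d@example.org
"""


def triage_log(text: str) -> list:
    """Run triage over every url= field found in the log text, in order."""
    return [triage(m.group(1)) for m in re.finditer(r"url=(\S+)", text)]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["verdict"].upper().ljust(8), r["host"], r["brand"] or "")
        if r["verdict"] == "block":
            for line in rpz_record(r["host"]):
                print("    rpz:", line)
```

The verdict split matters operationally: a plain `docs-portal.pages.dev` cannot be proven malicious and goes to detonation, whereas a label that contains or closely resembles your brand is blocked outright and its RPZ lines can be appended to the resolver's policy zone without waiting for the provider's abuse desk.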
For Cloudflare
- Publish real‑time abuse metrics per service tier.
- Accept bulk CSV/JSON submissions and provide API keys to verified reporters.
- Adopt a "disable‑first, appeal‑later" policy for highly ephemeral phishing campaigns.
- Publicly document NIS2 compliance measures - or lose EU enterprise business.
Conclusion
Cloudflare’s vision of “building a better Internet” rings hollow while its infrastructure operates as a turnkey phishing platform. Under NIS2, every ignored report is no longer just a user‑experience issue - it is a potential regulatory offence that can cascade fines down the supply chain. Enterprises that continue to delegate critical traffic to Cloudflare infrastructure without demanding transparent, audited abuse processes now face a double jeopardy: compromised credentials and compliance penalties.
The time to act is now - before the first NIS2 enforcement actions make headlines.
