About this timeline
This is a curated, dated list of publicly-known incidents involving providers in our directory or directly-relevant adjacent providers. It exists because track record under pressure is one of the most useful signals when picking a privacy-focused host, and that information is otherwise scattered.
Inclusion criteria:
- Publicly reported in mainstream press, court records, or the operator’s own public statement.
- Material to assessing the provider’s posture (a routine DMCA notice is not material; a coordinated multi-day takedown attempt is).
- Either resolved or fully public — we don’t include rumors or unverified claims.
If you spot an inaccuracy or want to suggest an addition, see the legal page.
2026
February 2026 — EU DSA enforcement actions begin landing on offshore-marketed hosts. Several Netherlands-based hosts (not all in our directory) received their first formal DSA-format notice-and-action requests. The procedural responses observed have generally required the requester to refile in formally complete form; no high-profile pulls of legitimate content have been publicly reported.
2025
Q3 2025 — Privex onboards Monero as default at multiple datacenters. Brought the directory’s count of true “Monero-first” providers to three (Njalla, FlokiNET, Privex).
Q2 2025 — HostSailor expands to a second Netherlands datacenter. Maintaining Romania as primary, the secondary NL DC gives existing customers an EU-routing failover.
2024
Q4 2024 — EU DSA fully in force. Material change in the regulatory environment for EU-based providers. Iceland, Switzerland, Norway, Moldova relatively more attractive as a result.
2022
September 2022 — Cloudflare drops Kiwi Farms. A high-profile non-DMCA deplatforming by a major edge provider, repeatedly cited as a reference case for “do not rely on Cloudflare as your only edge layer.” Demonstrated that Cloudflare’s content-policy criteria can override its standard safe-harbor posture.
Throughout 2022 — Increased payment-processor pressure on adult-content sites. Visa and Mastercard tightened adult-merchant policies; pressure cascaded to hosts of large adult sites. Several mainstream-host pulls observed.
2017
April 2017 — Njalla launches. Peter Sunde and team introduce the owns-on-behalf domain registration model. Validated the concept that the registrar can be the registrant on the customer’s behalf, materially harder for adversaries to compel transfers.
2014
April 2014 — CJEU invalidates the EU Data Retention Directive (Digital Rights Ireland). Bahnhof’s pre-existing public refusal to log under the directive is retroactively vindicated. Romania subsequently strikes down its national data-retention law.
Throughout 2014 — Sweden’s Pirate Bay raid era continues. PRQ continues operating and remains a credible host for free-speech-positioned projects.
2010
January 2010 — Iceland’s IMMI parliamentary resolution. Sets out the agenda for Iceland-as-press-freedom-haven; many components subsequently implemented over the following years. Becomes the structural reason Iceland is the most-cited DMCA-ignored hosting jurisdiction.
2009
Throughout 2009 — Bahnhof publicly refuses to log under EU Data Retention Directive. Public legal pushback against EU rules; subsequently vindicated by the CJEU in 2014.
OrangeWebsite founded. Iceland-based explicit free-speech host begins operating.
2008
WikiLeaks moves to Bahnhof’s Pionen datacenter (Stockholm). The former nuclear-bunker datacenter becomes one of the most photographed and discussed pieces of “free-speech infrastructure” in the world.
2006
1984 Hosting founded (Iceland). The longest-running explicitly privacy-focused Icelandic host begins operating as a cooperative.
2004
PRQ founded (Sweden) by Pirate Bay co-founders Gottfrid Svartholm and Fredrik Neij. Begins what becomes one of the longest free-speech-host track records on the internet.
Earlier history
- 1998: Shinjiru (Malaysia) founded — among the earliest explicitly offshore-marketed hosts.
- 1994: Bahnhof and Infomaniak both founded — long-running European ISPs that later became reference points for privacy-friendly hosting.
What this timeline cannot show
- Routine DMCA notices (millions per year, not material per-incident).
- Non-public incidents — providers handle most issues without press coverage.
- Operator-side migrations — when an operator quietly moves between hosts after pressure, it rarely makes news.
For real-time / forward-looking changes to the directory itself, see /updates.