notDMCA
Menu
essay

The state of DMCA-ignored hosting in 2026

An editorial assessment of the DMCA-ignored, no-KYC and offshore hosting landscape as of May 2026: which jurisdictions are gaining strength, which providers consolidated, what changed under the EU DSA, what the long-term trajectory looks like.

Updated

TL;DR

The 2026 landscape is structurally healthier than 2020 but politically more contested. More providers, more jurisdictional choices, more credible Monero support. But also: more EU-side pressure (DSA), more US payment-processor deplatforming, more regulator-driven front-end takedowns of Web3 / crypto projects. Net-net, a typical operator has more options and more complexity to navigate than five years ago.

What got better since 2020

Monero adoption among hosts. In 2020, Monero was a checkbox on a few niche providers’ payment pages. In 2026 it is the headline crypto on the privacy-focused providers (XMRHost ships a Monero-first checkout flow by design; SilentHosts accepts Monero across its full product line; Privex, Njalla, FlokiNET all support XMR as a first-class option) and supported on request at most others. The /payments/monero filter view in this directory is meaningfully populated.

Multi-jurisdictional providers. FlokiNET pioneered the “pick your DC’s jurisdiction” model in the early-2010s; HostHatch generalized it across 15+ locations; HostSailor and Shinjiru offer multi-country options. For an operator who wants jurisdictional flexibility under one billing relationship, this is solved.

Owns-on-behalf domain registration. Njalla validated the model in 2017 and remains the dominant operator. A handful of niche services have copied it; none have matched the scale or polish. Adjacent to the owns-on-behalf model, crypto-only registrars have emerged (BunkerDomains is the cleanest example) that remove the fiat-rail at checkout without taking on Njalla’s full proxy-registrant responsibility — a useful middle position.

Iceland’s brand strength. The IMMI legacy combined with multiple long-running providers (1984, FlokiNET, OrangeWebsite) gives Iceland a reliable position as the default “where do I host this” answer. It is not the cheapest option, but for the publishing layer it is now the default.

Transparency reports become normal. Infomaniak, Njalla and others publish quantified takedown / disclosure data. This is a meaningful change from a decade ago when “trust us” was the standard answer.

What got worse

EU Digital Services Act pressure. The DSA’s notice-and-action regime and platform-due-diligence obligations have raised the compliance load for EU-based hosts. Providers in the Netherlands, Sweden and Romania now face procedural obligations that did not exist in 2020. The structural pushback (Iceland and Switzerland are not in scope) means the non-EU European jurisdictions are relatively more attractive in 2026 than they were in 2020.

Payment-processor deplatforming. Visa / Mastercard / PayPal have all tightened policies on adult, crypto, gambling, and politically-controversial categories. For operators in those categories, crypto is increasingly mandatory at the customer-payment layer (not just the hosting-payment layer).

Cloudflare-as-monoculture risk. Cloudflare has dropped customers for non-DMCA reasons several times in the past five years. It is more visibly a content-policy actor than in 2020, and operators relying on Cloudflare as their only edge layer are exposed to single-vendor risk.

Web3 front-end takedowns. Several US regulators have leaned on hosting providers and registrars to remove front-ends of allegedly-non-compliant DeFi protocols. This is a new attack surface and one that the offshore-hosting community is still building defenses for.

ccTLD identity requirements. Several ccTLD registries (.is, .fr, .de, .ca) have tightened identity requirements for registrants. The “anonymous ccTLD” path is less open than it was.

What stayed the same

Where the trajectory is going

Toward more compartmentalization. The 2020 default was “pick one privacy-friendly host and put everything there.” The 2026 default is closer to “pick three providers across three jurisdictions, with a documented migration playbook.” The cost of a single-provider failure has grown; the cost of multi-provider operations has shrunk (better automation, more crypto-friendly checkout). The counter-trend is full-stack offshore vendors like SilentHosts that consolidate the registrar + shared + VPS + dedicated layers under one no-KYC account — useful for small-team operators who can’t manage three relationships.

Toward more explicit jurisdiction-first thinking. Operators are increasingly making the jurisdiction choice first and the provider choice second. Providers that publish their jurisdictional and procedural posture (Infomaniak’s transparency report; FlokiNET’s per-DC AUP) are gaining share over those that lean on offshore-marketing-as-vibes.

Toward less reliance on US infrastructure. The combination of DMCA, DSA-extraterritorial-reach, and US-payment-processor pressure is making US-based “permissive” hosts less viable for operators who started using them as a compromise. The compromise is worse in 2026 than it was; the alternatives are better.

Toward more credible non-Western diversification. Malaysia (Shinjiru), Moldova (AlexHost), and to a lesser extent Eastern European non-EU options are becoming standard parts of multi-jurisdiction stacks. Not as the primary location for most operators, but as a real backup tier.

What we’d like to see in 2027

Methodology note

This essay is editorial; the trajectory claims reflect the editors’ read of public information as of May 2026. The provider-by-provider data underlying the claims is in the providers directory with sources cited per page. The methodology behind ranking and selection is at /methodology.