FCC prohibits sale and authorization of foreign-made routers in further Covered List expansion: Key implications

The Federal Communications Commission (FCC) recently issued a Public Notice adding foreign-made consumer-grade routers to its Covered List, thereby prohibiting the authorization and importation of new device models.

While the notice does not impact the sale, import, or usage of routers previously approved through the FCC’s equipment authorization process, the decision has significant implications for equipment manufacturers, telecommunications providers, retailers, and enterprises that depend on consumer-grade networking hardware.

The determination, made on March 23, 2026, also includes a process to exempt routers from Covered List restrictions upon a grant of Conditional Approval from the United States Department of War (DoW) or the US Department of Homeland Security (DHS).

The FCC’s Office of Engineering and Technology (OET) also released a companion Public Notice detailing a “limited waiver” of the Commission’s rules to permit previously authorized routers to continue receiving software and firmware updates, including security patches and vulnerability fixes, at least until March 1, 2027.

In this alert, we provide an overview of the updates to the Covered List and discuss practical implications.

Background

Established by the Secure and Trusted Communications Networks Act of 2019, the FCC’s Covered List identifies communications equipment and services deemed to pose an unacceptable risk to US national security or the safety and security of US persons. By operation of the FCC’s rules, equipment placed on the Covered List is prohibited from receiving new FCC equipment authorizations. Because most electronic devices, including consumer-grade routers, require the FCC’s authorization before they may be imported, marketed, or sold in the US, placement on the Covered List effectively bars new foreign-produced router models from entering the US market.

This action follows a national security determination transmitted to the FCC on March 20, 2026 by a White House-convened Executive Branch inter-agency body. The determination found that foreign-produced routers pose two categories of unacceptable risk:

• Introducing supply chain vulnerabilities that could disrupt the US economy, critical infrastructure, and national defense
• Establishing severe cybersecurity risks that could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons

It cited the involvement of foreign-manufactured routers in the Volt, Flax, and Salt Typhoon cyberattacks targeting American communications, energy, transportation, and water infrastructure.

Conditional Approval process and waiver for software/firmware updates

The router determination includes an exemption pathway: Producers of foreign-made routers may apply for a Conditional Approval from the DoW or DHS. If approved, these routers would be exempt from the Covered List restrictions and could continue to receive FCC equipment authorization. Conditional Approvals are granted for periods of up to 18 months; they require detailed disclosures regarding corporate structure, manufacturing and supply chain information, and a time-bound plan to establish or expand US-based manufacturing. If the FCC receives a further specific determination from the DoW or the DHS that a given router or class of routers does not pose unacceptable risk, it will further update the Covered List to identify devices that have received Conditional Approvals.

The OET also announced a limited waiver to permit previously authorized routers to continue receiving software and firmware updates, including security patches and vulnerability fixes, until at least March 1, 2027. Without this waiver, the addition of foreign-produced routers to the Covered List would have technically prevented foreign-made routers that have already received authorization – including those already in homes – from receiving any software or firmware updates, including critical security patches. The OET will re-evaluate whether to extend this waiver prior to its expiration.

Scope and practical implications

In an FAQ about the new designation, the FCC clarified that the determination does not apply to routers intended to be used exclusively in industrial, enterprise, or military contexts, and the Covered List does not restrict the import or sale of routers for the exclusive use by the federal government. However, the decision carries notable implications across industries.

According to the designation, equipment manufacturers that produce routers abroad – regardless of the manufacturer’s nationality – must evaluate their supply chains immediately and consider applying for Conditional Approval or accelerating plans to relocate manufacturing to the US.

Telecommunications and internet service providers that supply routers to subscribers are encouraged to assess their inventory and vendor relationships as new foreign-produced models will no longer receive FCC authorization. Additionally, retailers and distributors may continue to sell previously authorized models but cannot introduce new unauthorized devices into the US market. The Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to use the Covered List for risk management analysis in their regulatory compliance efforts.

A pattern of expansion to categorical prohibitions

When the FCC first published the Covered List in March 2021, it focused on specific entities whose equipment was found to pose national security risks. The latest additions to the Covered List mark a significant shift: Rather than naming individual manufacturers, the FCC has added entire product categories of foreign-made devices and components. In December 2025, the FCC took a similar approach in adding Uncrewed Aircraft Systems (UAS) and UAS critical components produced in a foreign country, with an exception for:

• UAS and UAS critical components included on the Defense Contract Management Agency (DCMA)’s Blue UAS Cleared List, until January 1, 2027


• UAS critical components that qualify as “domestic end products” under the Buy American Standard, 48 CFR 25.101(a), until January 1, 2027


• Devices that have been granted a Conditional Approval by the DoW or the DHS, and all communications and video surveillance equipment and services listed in Section 1709(a)(1) of the FY25 National Defense Authorization Act (Pub. L. 118-159)

For more information

DLA Piper is closely monitoring developments in this area, including the Conditional Approval process and the software update waiver timeline. For more information regarding these new requirements, please contact the authors or your DLA Piper attorney.