FCC Bans New Foreign-Made Consumer Routers
The Federal Communications Commission (FCC or Commission) recently updated its Covered List to include all "consumer-grade routers produced in a foreign country," except for those devices that receive a Conditional Approval from the Department of War (DoW) or the Department of Homeland Security (DHS). The FCC's action, which is described in an accompanying public notice (the Public Notice), prohibits new models of consumer routers from receiving FCC equipment authorization, meaning that such devices cannot be imported, marketed, or sold in the United States without Conditional Approval. This update to the Covered List has major implications for U.S. internet service providers, given that nearly all consumer routers are today manufactured outside of the United States.
The FCC's action implements a March 20, 2026, national security determination made by a federal interagency body, which found that consumer-grade routers produced outside the United States "pose an unacceptable risk to the national security of the United States and to the safety and security of U.S. persons" (the National Security Determination). The National Security Determination explained that "production" of a router broadly refers to any major stage of the device's development and manufacturing process.
The FCC subsequently updated the Covered List on March 23, 2026, and the change took effect immediately. The National Security Determination and subsequent update to the Covered List apply to consumer routers made in any foreign country—not just foreign adversaries. The FCC has issued a set of FAQs to provide further guidance on the impact of adding foreign-produced routers to the Covered List.
While this update to the FCC's Covered List does not prohibit the import, marketing, or sale of routers that already have received FCC equipment authorizations, such devices will not be permitted to receive software or firmware updates after March 1, 2027, when a limited waiver issued by the FCC's Office of Engineering & Technology (OET) expires, unless those devices receive a Conditional Approval. OET said it will reassess whether to extend the limited waiver prior to its expiration. Consumers and ISPs may continue to use routers they own, although those routers may not receive critical updates if the OET waiver is not extended. While prohibiting authorized routers from receiving critical security updates seemingly would be contrary to the purposes of updating the Covered List, this deadline may increase pressure on parties to meet the Administration's onshoring goals.
Background on the FCC's Covered List
The Secure and Trusted Communications Networks Act of 2019, 47 U.S.C. §§ 1601, et seq., requires the FCC to maintain and regularly update a published list of communications equipment and services that are deemed to pose an unacceptable risk to the national security of the United States, known as the "Covered List." Under the act, the FCC only may add or remove equipment from the Covered List based on determinations made by specific federal authorities, including a national security agency or interagency body "with appropriate national security expertise." See 47 U.S.C. § 1601(c). The FCC is not authorized to make its own determination about which equipment or services should or should not be on the Covered List.
Any equipment on the Covered List is prohibited from receiving new FCC equipment authorizations. See 47 C.F.R. § 2.903(a). Because "radio frequency devices," including consumer-grade routers, require FCC equipment authorization prior to being imported, marketed, or sold in the United States, see 47 C.F.R. § 2.803(a)-(b), inclusion on the Covered List effectively bars new router models from entering the U.S. market, unless conditionally approved.
Historically, the Covered List primarily has targeted equipment produced by specific entities such as Chinese telecommunications equipment manufacturers Huawei Technologies and ZTE Corporation, and Russian cybersecurity firm Kaspersky Lab. However, in December 2025, the FCC updated the Covered List to include most drones (referred to as uncrewed aircraft systems, or UAS) and critical UAS components. This latest addition of foreign-produced consumer routers represents another significant broadening of the Covered List categories, and aligns with priorities in President Trump's 2025 National Security Strategy and 2026 National Cyber Strategy to secure critical supply chains (we analyzed the National Cyber Strategy in a prior blog post).
The National Security Determination
The National Security Determination was made by a federal interagency body convened by the White House to address threats posed by foreign-produced routers. The members of that body "jointly and severally" determined that consumer-grade routers produced in foreign countries "pose unacceptable risks to the national security of the United States and to the safety and security of United States persons." The National Security Determination cites two risks in particular: "(1) introducing a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense; and (2) establishing a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons." The document explains that "production" of routers "generally includes any major stage of the process through which the device is made, including manufacturing, assembly, design, and development."
In support of its conclusions, the National Security Determination cites the ubiquity and importance of consumer-grade routers for reliable, secure internet access and the harm that bad actors could cause by compromising those routers. The document references several recent, high-profile hacking campaigns against critical telecommunications infrastructure perpetrated by nation-state actors, including the Salt Typhoon campaign. The FCC added in its Public Notice that "unsecure foreign-produced routers in homes and American businesses are enabling hackers to create massive networks that can be leveraged to carry out password spraying, unauthorized network access, and act as proxies for espionage."
What is a "Router" Subject to the Covered List?
The National Security Determination defines "routers" to include "consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer." Referencing Internal Report 8425A by the National Institute of Standards and Technology (NIST), the National Security Determination explains that routers "forward data packets, most commonly Internet Protocol (IP) packets, between networked systems." This broad definition applies to residential gateways provided by ISPs to consumers that combine modem and router functions, per the FCC's FAQs, and arguably covers a wide range of other devices like Wi-Fi extenders and mesh nodes. The FAQs clarify that cellphones with mobile hotspot features are not considered "routers" for purposes of the Covered List.
The update to the Covered List only applies to consumer routers and not to routers used "exclusively in industrial, enterprise, or military contexts," even though such routers were targeted in some of the cyberattacks referenced in the National Security Determination and their compromise may pose significant security threats. Routers will be deemed foreign-produced if "any major stage of the process through which the device is made, including manufacturing, assembly, design and development" occurs outside of the country.
The Limited OET Waiver for Software and Firmware Updates
Although inclusion in the Covered List does not prohibit the importation, marketing, or sale of already authorized routers produced abroad, those routers are still affected by the FCC's action. Under FCC regulations, authorized equipment must receive a new authorization when it undergoes certain modifications. See 47 C.F.R. § 2.932(a). Such modifications may occur when a device's software or firmware is updated, but foreign-produced consumer-grade routers no longer may receive device authorizations because of their inclusion on the Covered List (unless they have a Conditional Approval). Routers on the Covered List therefore would not be able to receive software and firmware updates, even to fix security issues.
To avoid an immediate impact, OET issued a limited waiver permitting previously authorized routers to receive software and firmware updates "that mitigate harm to U.S. consumers," including "all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems." Unfortunately, the limited waiver lasts only until March 1, 2027. OET states that it will consider extending the limited waiver prior to its expiration.
After expiration of the limited waiver, all previously authorized routers produced abroad would need a Conditional Approval prior to updating their devices' software or firmware. OET provided a similar waiver for software and firmware updates for drones and components on the Covered List.
Conditional Approval Requirements
Foreign-produced routers may receive an FCC equipment authorization if they receive a Conditional Approval from DoW or DHS. Attached to the FCC's Public Notice is an annex providing guidance on the Conditional Approval process. Companies seeking Conditional Approval must provide, among other things, information about their beneficial and foreign ownership, a "detailed bill of materials" describing the router's components and their sources, a justification for why the router is not currently produced in the United States, an assessment of supply chain risks, and a "U.S. manufacturing and onshoring plan." As part of the U.S. manufacturing and onshoring plan, providers must submit information including "[a] detailed, time-bound plan to establish or expand manufacturing in the United States" and "[a] description of committed and planned capital expenditures, financing, or other investments dedicated to U.S.-based manufacturing and assembly over the next 1-5 years."
Conditional Approvals will be granted only for up to 18 months. Providers may apply for extensions of the Conditional Approval, with extensions likely contingent upon the manufacturer satisfying the Trump Administration's onshoring goals or other priorities.
Looking Ahead
The FCC's action threatens to cause serious upheaval in the supply of consumer routers and to the ISPs and retailers that rely on them. Nearly all consumer routers currently are produced abroad, and manufacturers will apparently need to commit to onshoring production to obtain Conditional Approvals to sell new models in the United States. ISPs, retailers, and others will need to evaluate their supply chains to confirm that they can continue to provide routers to their customers.
+++
Michael Borgia is a partner, Kasey McGee is an associate, and Paul Hudson is a partner in the Washington, D.C. office of DWT.