FCC Backs Off Foreign Router Ban — Updates Now Extended to 2029

The Federal Communications Commission just acknowledged that cutting off security updates for already-deployed foreign-made routers would create a worse cybersecurity problem than the import ban itself, and bought defenders almost two more years of patching window.

WASHINGTON, DC — The FCC's Office of Engineering and Technology announced on Friday, May 8, 2026 a waiver extending the deadline for software and firmware updates on foreign-made routers and drones from March 1, 2027 to January 1, 2029. The original cutoff, set by the FCC's March 2026 ruling, would have created a security vacuum across millions of US homes, businesses, warehouses, and field operations: foreign-made hardware already deployed legally would have lost legitimate patches at the cutoff date, leaving devices vulnerable to known cyberattacks for the remainder of their service life.

The waiver does not lift the underlying Covered List restrictions. Foreign manufacturers still cannot import or sell new router or drone models in the US except those already approved. So far only Netgear and Eero (Amazon-owned) have received conditional approval to continue importing through October 2027. What the May 8 action acknowledges is the practical tension between national security policy and operational cybersecurity hygiene, a tension CISA's CI Fortify guidance has been pushing critical-infrastructure operators to plan for separately. Allow the existing patching pipeline to run through 2029; close the import door behind it. The Consumer Technology Association lobbied for exactly this outcome, arguing that unsupported foreign hardware would be more vulnerable than supported foreign hardware.

What changed and what stayed the same

The OET waiver specifically permits manufacturers of foreign-made routers and drones whose products were previously authorized to continue distributing software and firmware updates through January 1, 2029. Without the waiver, software updates after March 1, 2027 would have required new FCC authorization that the existing Covered List restrictions explicitly block. The waiver carves a path for security patches without re-opening the broader import question.

What the waiver does not change is the underlying ban on new imports. Foreign-made router models not previously approved still cannot enter the US market. Foreign manufacturers seeking authorization must meet new approval requirements. The Covered List itself, which the FCC expanded in October 2025 to include foreign-made unmanned aircraft systems and tightened in March 2026 for routers, remains in force. Only Netgear, which secured a rare FCC exemption, and Eero have received conditional approval to continue importing and selling new router models, and only through October 2027.

The national security versus operational cybersecurity tension

The FCC's October 2025 Second Report and Order framed the Covered List action in explicit national security terms. Chairman Carr, with Commissioners Gomez and Trusty, voted to close "loopholes in the FCC's Covered List and secure America's communication's networks against devices determined to pose an unacceptable risk to national security." The cited risks were specific: that the Chinese government could use deployed devices to surveil Americans, disrupt communications networks, and otherwise threaten US national security.

The May 8 waiver is the FCC's regulatory acknowledgment that those concerns must coexist with the practical reality that millions of foreign-made routers and drones are already in service across US homes, small businesses, warehouses, and government field operations. Cutting off legitimate security patches at the original March 2027 date would have left those devices increasingly vulnerable for the remainder of their service life. As one defender quoted in industry coverage put it, the waiver "significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum." The pattern matches the broader 2026 regulatory environment, where regulators on both sides of the Atlantic are reconciling national security imperatives with the cybersecurity consequences of cutting off operational support, including the UK ICO's enforcement of monitoring and patching baselines after the South Staffordshire Water Cl0p case.

What this signals for enterprise procurement and CISO planning

For US enterprises and federal departments running foreign-made networking equipment, the May 8 waiver shifts the planning horizon. The hardware refresh budget previously calibrated against a March 2027 cutoff now has until January 1, 2029. That additional window allows orderly procurement cycles, vendor diversification, and Zero Trust segmentation deployments to keep pace with the underlying policy. The waiver also signals that the FCC is willing to revisit specific elements of its national security restrictions when the cybersecurity cost of strict enforcement clearly outweighs the national security benefit, a regulatory posture worth tracking. Adjacent CI-sector activity, including West Pharmaceutical Services' disruptive ransomware disclosure earlier this month, reinforces the case for buying time on hardware patching while operators replace deployed inventory at a sustainable cadence.

Allied jurisdictions are likely to follow. The UK, EU, Australia, and Japan all have parallel national security concerns about Chinese-made networking equipment, and the harmonization pressure across Five Eyes is real. CISOs operating internationally should anticipate similar waiver-and-cutoff sequences from those regulators within the next 12 to 24 months. The broader policy and government technology environment is moving in this direction across multiple equipment categories.

The CyberSignal Analysis

Signal 01 — Regulators are recalibrating national-security cutoffs against practical cybersecurity outcomes

The FCC's willingness to extend the patching window by nearly two years in response to industry feedback represents a meaningful posture shift. The October 2025 Covered List expansion was framed as a hard national security boundary; the May 2026 waiver acknowledges that hard boundaries with no operational accommodation produce worse cybersecurity outcomes than calibrated ones. Other regulators are likely to follow the pattern. CISOs and government affairs teams should treat the FCC waiver as the template for how to engage with future regulatory cutoffs across the equipment supply chain: document the operational cybersecurity consequences of strict enforcement, propose calibrated alternatives, and build the case for waivers before cutoff dates land.

Signal 02 — The hardware-refresh planning horizon for foreign-made equipment is now January 2029

Enterprises with foreign-made router or drone fleets should update procurement plans to reflect the new 2029 horizon, but should not slow the underlying replacement program. The 2029 cutoff is the latest patching date, not a promise that further extensions will follow. Diversify networking equipment vendor sources during the runway. Document supplier provenance in the risk register. Track which manufacturers gain conditional approval, since Netgear and Eero are unlikely to be the only ones long-term. The defensible enterprise posture is to plan for the 2029 date as the hard ceiling and execute the refresh on a budget cycle that leaves operational margin.

What to do this week

1. Inventory your foreign-made networking equipment and drones. Note manufacturers, deployment dates, and where each device sits in your network topology. The May 8 waiver applies only to previously-approved hardware, so non-approved or grey-market devices remain on the original cutoff schedule.
2. Update your hardware refresh budget against the January 1, 2029 cutoff. The additional patching window does not reduce the need to replace deployed inventory; it just gives you a longer runway to do it cleanly. Build the refresh into your 2027 and 2028 capital planning explicitly.
3. Track FCC formal rulemaking. The OET waiver is administrative; a formal rulemaking proceeding could either codify the 2029 cutoff or revisit it. Subscribe to FCC docket updates for ET Docket No. 21-232 and related proceedings.
4. For organizations operating internationally, anticipate parallel actions from UK, EU, Australian, and Japanese regulators within 12-24 months. Brief government affairs teams now. Document your global hardware procurement strategy against the harmonization scenario.
5. Brief boards on the strategic risk pattern. The May 8 waiver demonstrates that national security restrictions on equipment supply chains are recalibrated under pressure when the cybersecurity consequences are severe. That dynamic is a planning input for any equipment category subject to potential future restrictions.

Sources