The Federal Communications Commission just bought millions of American homes and businesses two more years of software patches for their routers. On May 8 the agency’s Office of Engineering and Technology pushed the cutoff for security and functionality updates on previously authorized foreign-made routers and drones from early 2027 to January 1, 2029. The move marks a pragmatic retreat from an earlier hard line. Yet it leaves the broader prohibition on new foreign routers firmly in place.
That prohibition landed in March. The FCC added all consumer-grade routers produced outside the United States to its Covered List, the same roster that already bars equipment from Huawei and ZTE. A fact sheet from the commission cited a national security determination by a White House-convened interagency group. Foreign-produced routers, it said, create supply chain vulnerabilities and have been directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks that targeted U.S. communications, energy, transportation, and water infrastructure.
Existing routers already approved for sale before the March action can still be imported, marketed, and used. The ban targets only new models. Without an exemption granted by the Departments of Defense or Homeland Security, those new models cannot receive FCC equipment authorization. And without authorization they cannot legally enter the U.S. market. The policy effectively tells manufacturers they must prove their gear poses no unacceptable risk or find production capacity inside the United States or in trusted allied nations.
But routers already sitting in warehouses or consumers’ living rooms presented a different problem. Cut off their updates after March 2027 and devices would age rapidly into security liabilities. Hackers could exploit unpatched vulnerabilities at scale. The FCC recognized the danger. So it issued waivers allowing software and firmware updates that mitigate harm to U.S. consumers. The initial waivers set deadlines in 2027. Industry and government comments made clear those deadlines were too tight.
The Ars Technica report on the extension quotes the Office of Engineering and Technology directly. “Under this waiver, all Uncrewed Aircraft Systems (UAS), UAS critical components, and routers produced in a foreign country that were authorized for use in the United States prior to these devices being added to the Covered List may at least until January 1, 2029, consistent with FCC rules, continue to receive software and firmware updates that mitigate harm to US consumers.” The language is precise. Updates must address vulnerabilities or maintain functionality. New features fall outside the waiver.
The extension also broadens the waiver’s scope. It now covers Class II permissive changes in addition to the simpler Class I modifications allowed before. Class II updates can slightly alter reported performance characteristics and require additional testing and filing with the commission. The FCC decided that blocking even these modest changes would create more cybersecurity risk than it would remove. Blocking security patches, after all, creates its own set of problems.
Recent coverage echoes the point. Tom’s Hardware noted that the agency reversed course because stopping updates could itself generate fresh cybersecurity headaches. PCMag reported the same extension applies to both routers and drones, giving owners breathing room while the market adjusts. And Mashable framed the decision as throwing consumers a two-year lifeline.
The commission’s engineering office went further. It will recommend that the full FCC consider codifying the waiver through a formal rulemaking process. That step could make the permission permanent for existing covered equipment and any similar gear added later. Yet the recommendation comes with a caveat. Regulators may attach conditions. The exact shape of those conditions remains unclear. Public comment periods would accompany any rulemaking. The original router ban itself bypassed such comment, a fact that drew quiet criticism from some trade groups.
Manufacturers face a split reality. Owners of current TP-Link, Netgear, or Amazon Eero routers can keep updating them through 2029. Companies selling those devices can continue to support them. But anyone hoping to launch a new foreign-made model must navigate the exemption process. Netgear and the Amazon-owned Eero have already secured approvals. Others wait. TP-Link, which relocated its headquarters to the U.S. in 2024 but retains manufacturing ties to China, met with FCC officials in April. The company told regulators its routers match or exceed industry security benchmarks. Chinese-origin vendors, analysts say, will likely face steeper scrutiny than those producing in Taiwan, Vietnam, or South Korea.
DJI, the Chinese drone giant, has taken a more confrontational path. It sued the FCC over the related drone restrictions. The legal challenge underscores how national security reviews now reach deep into consumer electronics. Drones and routers share the Covered List. They share the same waiver logic. And they share the same underlying fear: that foreign supply chains could be weaponized by adversarial governments.
Critics argue the policy accelerates a fragmented global tech market. Supporters counter that the cost of inaction is higher. Salt Typhoon and its sister campaigns demonstrated how compromised routers can serve as beachheads into broader networks. Once inside a home or small business router, attackers can pivot to critical infrastructure. The March national security determination listed those risks in blunt terms. The May waiver does not erase them. It simply acknowledges that stranding millions of devices without patches would compound the threat.
Industry groups had urged the FCC to scrap the original software cutoff entirely. Some called the 2027 deadline unworkable for both vendors and consumers. The two-year extension meets them partway. It buys time for the rulemaking process. It buys time for manufacturers to shift production or redesign supply chains. And it buys time for consumers to replace aging hardware with models that satisfy the new security bar.
But time is not unlimited. The 2029 date looms. By then the commission hopes clearer rules will govern what updates remain permissible and what new equipment can enter the market. Whether domestic production can scale to meet demand is another question. Very few consumer routers sold in the United States today carry an American flag on their circuit boards. Starlink’s hardware stands as a rare exception.
The FCC’s latest action therefore reflects a tension that defines much of current technology policy. Regulators want to reduce dependence on potentially hostile supply chains. They also recognize that abrupt cutoffs can leave ordinary users exposed. So they thread the needle. Existing devices keep their patches. New devices face a higher wall. And everyone gets a few more years to adapt.
That adaptation will not be cheap or simple. Network operators, enterprise IT departments, and home users alike must weigh upgrade costs against the risk of running outdated gear past 2029. Router makers must decide where to build next-generation products. And the FCC must decide how strictly it will enforce the exemption process. The agency has signaled that conditional approvals will hinge on determinations from defense and homeland security officials. Those determinations will likely turn on detailed supply chain audits and cooperation agreements that few foreign vendors have offered before.
One thing is already clear. The era of inexpensive, globally sourced networking gear entering the U.S. market with minimal oversight has ended. National security now sits at the center of equipment authorization decisions. The May waiver shows regulators are willing to be flexible when lives and data are at stake. But the March ban shows they are equally willing to draw hard lines around what comes next. The next three years will test whether American industry and its allies can fill the gap.


WebProNews is an iEntry Publication