On March 23, 2026, the Federal Communications Commission (FCC) added consumer-grade routers produced in foreign countries to its Covered List (Router Action), with limited exceptions for routers that have been granted a Conditional Approval by the U.S. Department of Defense (DoD), also referred to as the U.S. Department of War (DoW), or the U.S. Department of Homeland Security (DHS).

The addition of foreign-produced routers to the Covered List is similar to the FCC’s December 2025 drone action and follow-on items (collectively, Drone Action), which marked the first time the FCC added an entire product category—rather than a named entity—to its Covered List. This alert addresses the key issues and questions around the Router Action.

Key Takeaways:

• The FCC’s Covered List Operates as a Functional U.S. Market Entry Ban. Equipment on the Covered List is prohibited from receiving an FCC equipment authorization, which nearly all radio frequency-emitting devices—including routers—must obtain prior to importation, marketing, or sale in the U.S.
• The Ban Only Applies to New Models of Foreign-Produced Consumer-Grade Routers. As has been typical with FCC Covered List actions, the FCC is not, for the time being, rescinding any existing equipment authorizations—models already authorized may continue to be imported and sold in the U.S.
• Covered Routers with Existing Authorizations Can Still Receive Certain Critical Software and Firmware Updates, but Otherwise Cannot Be Modified or Updated. Under the FCC’s rules, modifications and updates to Covered List equipment—including what the FCC calls “Class I permissive changes,” which normally can be made without prior approval—are prohibited. However, the FCC’s Office of Engineering and Technology (OET) issued a limited waiver that will allow covered routers to receive software and firmware updates that mitigate harm to U.S. consumers until at least March 1, 2027 (OET Waiver).
• Providers of Covered Routers May Apply for an Individual Exemption (Conditional Approvals). Conditional Approvals exempt approved entities from the restrictions imposed by inclusion on the Covered List. Any router producer with any stage of the product development and production process—i.e., manufacturing, assembly, design, and development—taking place outside of the U.S., should strongly consider applying for a Conditional Approval.

What’s the Background Here?

The Router Action was issued in direct response to a March 20, 2026 National Security Determination (Determination) made by a White House-convened Executive Branch interagency body, which found that all foreign-produced routers pose unacceptable risks to the U.S. by:

(1) introducing “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense,” and

(2) creating a “severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

These conclusions rest on a documented record of state-sponsored cyber campaigns that exploited consumer-grade routing equipment to penetrate American networks. Specifically, the FCC’s action cites three People’s Republic of China (PRC)-sponsored intrusion campaigns as direct evidence that foreign manufactured small office and home office (SOHO) routers have already been weaponized against U.S. infrastructure.

Router security has been a longstanding bipartisan concern. As primary gateways to the internet, consumer routers present attack surfaces frequently exploited by cyber threat actors. The risk is compounded because SOHO routers often run outdated firmware and lack endpoint detection capabilities. However, this particular action also advances the Trump administration’s broader 2025 National Security Strategy (NSS) and key pillars of the March 2026 Cyber Strategy for America.

The NSS strategy reflects a recalibration of U.S. national security policy priorities to, among other things, secure supply chains and “re-secure” and “re-shore” industrial production, particularly for critical technologies. The Cyber Strategy builds on this foundation, establishing directives to secure critical infrastructure by moving away from “adversary vendors and products,” hardening supply chains for critical technologies, and denying adversaries access to American networks. In the Determination, the Trump administration reiterated the view articulated in the NSS that the “United States must never be dependent on any outside power for core components—from raw materials to parts to finished products— necessary to the nation’s defense or economy.”

Consistent with that policy direction, the Router Action builds on the precedent established in the in the Drone Action—specifically, it targets SOHO routers produced in any foreign country, not just those produced in foreign adversary countries or by entities deemed to pose a national security risk, as had previously been the case.

What Did the FCC Do?

In short, the FCC added all foreign-produced consumer-grade routers to its Covered List, except those which have been granted a Conditional Approval by DoW or DHS.

The immediate effect of this action is that going forward, new models of consumer-grade routers produced outside of the U.S. are no longer eligible to receive an FCC equipment authorization and therefore cannot be imported, marketed, or sold in the U.S.

Existing equipment authorizations for foreign-produced routers remain intact, and previously purchased routers are unaffected, consistent with the FCC’s approach in prior Covered List actions. Consumers and businesses using foreign-produced consumer-grade routers can continue to operate those without regulatory concern. However, equipment authorization holders should be aware that on October 28, 2025, the FCC adopted an order establishing a process by which it can restrict previously authorized Covered List equipment, which the FCC could use to further restrict certain router producers.

How Does the OET Waiver Fit In?

Under the FCC rules, once equipment is placed on the FCC’s Covered List, modifications are generally prohibited, including so-called “Class I permissive changes” such as software and firmware updates. Without intervention, this would have left previously authorized foreign-produced routers unable to receive security patches. To address this, the FCC’s OET issued a limited waiver, permitting software and firmware updates that “mitigate harm to U.S. consumers,” through at least March 1, 2027. The OET Waiver does not permit new features or functionality; updates beyond its narrow scope could trigger regulatory scrutiny and risk a device’s existing authorization.

The OET Waiver reflects a fundamental tension in the Covered List framework. While the national security rationale for restricting foreign-produced routers identifies these devices as “unacceptable risks,” allowing Covered Equipment to run outdated firmware while prohibiting updates would paradoxically degrade the security of the installed base.

By allowing certain permissive changes, the FCC acknowledges that cutting off security patches to millions of deployed routers poses a greater immediate harm than permitting limited, continued interaction with foreign supply chains. Companies should read the this as a clear signal that the framework is still evolving. Indeed, the OET Waiver strongly indicates that the FCC may reconsider the permissive change rules, or that some type of categorical exemption to the Router Action could be forthcoming from the DoW or DHS.

Nevertheless, given the Trump administration’s broader national security goals, companies should still consider March 1, 2027, a planning milestone, not a distant deadline. Organizations relying on foreign-produced routers should begin inventorying affected devices and building transition plans now. If the waiver lapses, affected equipment will need to be replaced or supplemented before the patch window closes. And even if extended, the FCC actions have signaled a clear regulatory trajectory; sustained dependence on foreign supply chains may eventually be substantially curtailed if not foreclosed.

What Constitutes a “Consumer-Grade” Router?

Although the Determination identifies risks posed by foreign-produced routers to non-consumer infrastructure and applications—e.g., “American homes, schools, businesses, critical infrastructure providers, and emergency services,” the Determination also makes clear that the action is limited to networking devices primarily intended for residential use.

For the purposes of the Covered List, the term “Routers” is adapted from National Institute of Science and Technology’s (NIST) Internal Report 8425A and broadly includes “consumer-grade networking devices that are primarily intended for residential use and can be installed by the customer … [and] … forward data packets, most commonly Internet Protocol (IP) packets, between networked systems.” 

Under the NIST Internal Report, the presumption for consumer equipment, including small businesses that rely on consumer-grade equipment, is that the manufacturer cannot assume the user has cybersecurity expertise or the ability to take significant action to secure the product. Consumer-grade routers are typically acquired in one of two ways: (1) purchasing the equipment directly from a retailer, or (2) bundling and/or renting the equipment from a service provider.

What Constitutes “Produced in a Foreign Country”?

Under the Determination, production generally includes “any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.” Consequently, both routers that are designed in the U.S., but manufactured abroad and, conversely, routers that are designed abroad but manufactured in the U.S. are covered under the Router Action.

As a practical matter, any router producer with a material stage of production occurring outside the U.S. should assume it might fall within scope and evaluate whether to seek a Conditional Approval.

What Should Companies Know About the Conditional Approval?

The Conditional Approval process is similar to the one established as part of the Drone Action. The Conditional Approval Guidance requires applicants to submit detailed disclosures in three categories: (a) corporate structure (including ownership information), (b) manufacturing and supply chain details, and (c) plans for U.S. manufacturing and onshoring. The DoW and DHS may also request additional information as necessary based on the facts of a particular application.

Conditional Approvals are granted at the discretion of the DoW and DHS for periods of up to 18 months. Entities are not guaranteed to receive a Conditional Approval, which is determined based on an “individualized assessment” of the “unacceptable risks” posed by the particular router or class of routers. All decisions are final and can only be adjusted at the discretion of the DoW and DHS.

Notably, the Conditional Approval Guidance’s disclosure categories focus primarily on corporate structure and supply chain, but do not explicitly address cybersecurity requirements. Nevertheless, the regulatory action is predicated on the Executive Branch’s determination that foreign-produced routers pose a “severe cybersecurity risk” capable of disrupting critical infrastructure directly harming U.S. persons. Because the DoW and DHS use these disclosures to perform an “individualized assessment” of “unacceptable risks” to national security, that assessment inherently encompasses cyber risk even where the application requirements do not prescribe specific cyber documentation. Companies seeking a Conditional Approval should consider proactively including cybersecurity documentation in their applications to strengthen submissions and preempt additional information requests.

Looking Ahead

The Router Action reflects—and further accelerates—the trend we described here: the FCC is increasingly using equipment authorizations and other tools to advance national security and supply chain policy objectives, rather than focusing solely on traditional technical compliance.

Against that backdrop, companies across the wireless ecosystem should continue to prepare for FCC actions aimed at reshoring manufacturing and production capabilities, including by conducting proactive supply chain mapping and assessing how regulatory risk is allocated across design, development, and manufacturing functions.

The decision to place all foreign-produced consumer-grade routers on the Covered List marks a significant escalation in the government’s approach to communications supply chain security, extending restrictions beyond named adversaries to an entire product category regardless of country of origin.

Companies should treat this development not merely as a compliance obligation but as a catalyst to reassess their supply chain risk posture, network edge security practices, and preparedness for an increasingly restrictive domestic sourcing environment.

Please reach out to Demian Ahn, Joshua Gruenspecht, Sophia Galleher, Joseph (Tony) Misher, or another member of Wilson Sonsini’s Communications, Cybersecurity, or National Security and Trade practice with questions regarding any of the matters discussed above.