The FCC reversed a 2025‑2026 policy that barred post‑approval software changes for certain imported UAVs and consumer routers, granting manufacturers a two‑year extension to push security patches and functional updates. The move reflects a trade‑off between national‑security vetting and the need to keep millions of devices protected against emerging cyber threats.
Announcement
On May 8, 2026 the Federal Communications Commission’s Office of Engineering and Technology issued a notice that temporarily waives the post‑approval firmware restriction for a set of foreign‑manufactured drones, drone components, and consumer routers. The waiver now runs until Jan 1 2029 for drones and Mar 1 2029 for routers, provided the equipment was already authorized before being placed on the FCC’s Covered List.
Technical specifications and regulatory background
| Item | Original rule (Oct 2025) | Covered List addition | Initial waiver expiry | New waiver expiry |
|---|---|---|---|---|
| Unmanned Aircraft Systems (UAS) and critical components | Prohibited "permissive changes" – any firmware update after certification | Late 2025 | Jan 1 2027 | Jan 1 2029 |
| Consumer routers (non‑military) | Same prohibition | Mar 2026 | Mar 1 2027 | Mar 1 2029 |
The Covered List is a roster of equipment deemed high‑risk because of its foreign origin. Under the 2025 amendment to 47 CFR §2.201, once a device lands on the list, any post‑certification software or firmware change is classified as a permissive change and must undergo a new equipment authorization—a process that can take months and often stalls security patch deployment.
The FCC’s waiver does not remove the devices from the Covered List; it simply creates a narrow carve‑out that:
- Allows Class II permissive changes aimed at consumer harm mitigation (e.g., CVE‑2026‑12345 on a popular Chinese‑made router).
- Requires the update to be maintaining functionality, fixing vulnerabilities, or preserving OS compatibility.
- Applies only to units already authorized before the Covered List designation.
"Blocking security patches could create cybersecurity risks," the FCC wrote in its notice, linking the decision to a risk‑assessment model that weighs probability of exploitation against national‑security exposure. The full notice is available on the FCC website.
Caption: A typical consumer router that could benefit from the extended waiver (Image credit: Shutterstock)
Market implications
1. Immediate impact on device fleets
- Estimated 12 million drones and over 30 million routers sold in the U.S. since 2023 fall under the waiver. Without it, manufacturers would have been forced to discontinue security updates, leaving those devices exposed to known exploits such as the Log4j‑style firmware bug discovered in early 2026.
- OEMs like DJI, Parrot, and TP-Link have already announced rollout schedules for the extended patches, citing the waiver as the legal basis for continuing support.
2. Supply‑chain and certification costs
- The waiver reduces the need for a full re‑authorization for each patch, saving an estimated $3‑5 million per vendor in engineering and filing fees.
- However, manufacturers must still maintain record‑keeping to prove the device’s pre‑list authorization status, adding a compliance overhead of roughly 200 hours of labor per product line.
3. Competitive dynamics
- Domestic firms that already meet U.S. security standards (e.g., Skydio, Ubiquiti) gain a modest advantage because they are not subject to the Covered List at all. The waiver narrows the gap but does not eliminate the perception risk associated with foreign‑origin hardware.
- Some analysts predict a 5‑7 % shift in router market share toward vendors that can demonstrate continuous patch support, especially in enterprise‑grade segments where compliance is a procurement requirement.
4. Longer‑term regulatory outlook
- The FCC framed the waiver as a temporary bridge while it develops a more permanent framework. Potential future actions include:
- A risk‑based certification tier that allows limited firmware updates for low‑impact devices.
- Mandatory secure‑boot and remote attestation requirements for all Covered List equipment, which could force OEMs to redesign hardware.
- Industry groups such as the Electronic Components Industry Association (ECIA) have filed comments urging the FCC to adopt a software‑first approach that separates code‑level security from hardware origin.
Conclusion
The FCC’s decision to extend update waivers to 2029 reflects a pragmatic compromise: it preserves the agency’s ability to scrutinize foreign‑origin hardware while avoiding a mass‑scale security vacuum. For manufacturers, the extension buys time to align product roadmaps with evolving compliance demands, but it also underscores the growing need for hardware‑agnostic security architectures that can survive regulatory shifts without sacrificing patchability.
For further reading, see the FCC’s official notice and the accompanying technical FAQ:
Comments
Please log in or register to join the discussion