The Federal Communications Commission is relenting a bit on its restrictive router rules, saying it will allow foreign-made routers to receive software and firmware updates until at least January 1, 2029. The FCC also expanded the waiver to cover more types of software updates.
Previously, the FCC said routers currently on the market or already sold to consumers could receive security patches and other updates only until March 1, 2027. On Friday, the agency announced a waiver extension that lets devices receive updates until January 1, 2029, and said the waiver may eventually become permanent.
The software-update cutoff date is part of a sweeping set of rules the FCC announced in March. Claiming that restrictions are needed for national security reasons, the FCC imposed a ban on new hardware and related limits on software updates for routers that were authorized for sale before the ban was implemented.
Specifically, the FCC said in March that it would stop approving consumer-grade routers made outside the US, an action that affects virtually every router maker (with the possible exception of Starlink). The Trump administration is handing out exemptions to hardware makers that it decides are safe enough, with Netgear and the Amazon-owned Eero among those receiving exemptions so far.
The hardware ban is only for new devices, so all routers previously approved for sale in the US can continue to be imported and sold without obtaining a special exemption. But previously approved routers were hit with a separate rule that would prohibit software and firmware updates—unless the FCC keeps extending the cutoff date after which no updates can be installed.
Drone and router extensions
The new 2029 cutoff date announced Friday applies to foreign-made routers and foreign-made drones, which were both added to the Covered List. Devices on the Covered List “are deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons,” the FCC says.
Devices on the Covered List need waivers to continue receiving software updates, the FCC Office of Engineering and Technology said in its waiver extension order on Friday.
“Under this waiver, all Uncrewed Aircraft Systems (UAS), UAS critical components, and routers produced in a foreign country that were authorized for use in the United States prior to these devices being added to the Covered List may at least until January 1, 2029, consistent with FCC rules, continue to receive software and firmware updates that mitigate harm to US consumers,” the FCC engineering office said.
The waiver covers “all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems.” The FCC engineering office said it “will, as soon as practicable, recommend to the full Commission considering codifying this waiver through a rulemaking.”
That means the waiver would become permanent, but the FCC could impose various conditions. This could happen through a rulemaking process in which the public is invited to comment on the impact of proposed changes. But the router ban itself was imposed without any public comment, and the idea of making the software-update waiver permanent is simply a recommendation at this point.
Allowing basic software updates
Extending the waiver to 2029 will “give the Commission an opportunity to consider a rulemaking on this subject,” and reduce “potential harm to the public interest,” the FCC engineering office said. The office said it will recommend making the waiver permanent for existing equipment on the Covered List and “any future covered equipment with similar characteristics.”
The Friday update also extended the waiver to so-called “Class II permissive changes,” while the original waiver covered only Class I changes. This expansion of the waiver seems to be mainly about ensuring that all basic software updates are allowed.
Class I changes include “modifications in the equipment which do not degrade the characteristics reported by the manufacturer,” which can be made without a filing to the commission. Class II changes may degrade the performance characteristics a manufacturer previously reported to the FCC, but the changes are expected to be minimal compared to Class III changes that face more scrutiny to ensure compliance with FCC rules.
For both Class I and Class II, the FCC said its waiver is intended to cover “software and firmware updates that mitigate harm to consumers.” There’s no change to the process for Class III.
While extending or making the software-update waiver permanent will alleviate some concerns among router makers and users, the ban on new hardware may be a continued source of trouble. Many major router makers haven’t yet obtained exemptions that would let them import new models, and getting clearance could involve some negotiation with the Trump administration.
TP-Link still seeking exemption
The ban extends to any device partially made outside the US, regardless of whether the router maker is a US-based company. But it appears that Chinese companies will have the most trouble obtaining exemptions.
Chinese drone company DJI has not received an exemption and sued the FCC over the ban. The process for gaining exemptions for routers and drones is the same, indicating that “Chinese-origin manufacturers like TP-Link may face a presumptive denial, while companies with manufacturing in allied nations like Taiwan, Vietnam, or South Korea could find an easier path,” said a report by the Global Electronics Association trade group.
One router maker still waiting for an exemption is TP-Link, which was founded in China but relocated to the US in 2024. The company has faced US scrutiny over hacking campaigns linked to the Chinese government.
TP-Link met with FCC officials in mid-April to discuss its request for an exemption. “TP-Link routers are safe and secure. Publicly available data places TP-Link on par with or ahead of other major industry players in terms of security outcomes,” the company said in a filing.
FCC guidance says that companies seeking exemptions must obtain a determination from the Department of Defense or Department of Homeland Security that their routers do not pose unacceptable national security risks. The FCC clarified last month that the router ban also includes portable hotspots, but not phones with hotspot features.
