Foreign Router Ban: Business Impact

On March 23, 2026, the Federal Communications Commission added all consumer-grade routers manufactured outside the United States to its Covered List — the registry of communications equipment deemed to pose an unacceptable risk to national security. The practical effect: no new foreign-produced consumer router model can receive FCC equipment authorization, which means it cannot be legally imported, marketed, or sold in the U.S. The foreign router ban's business impact reaches further than the headline suggests — from remote work security to firmware support timelines to long-term supply chain planning.

This is a significant escalation. Previous Covered List entries targeted specific entities — Huawei, ZTE, Hikvision, and Kaspersky Labs. This time, the restriction applies to an entire product category based solely on where the hardware is made, regardless of which company makes it.

The FCC acted on a National Security Determination issued by a White House-convened interagency body. That determination cited two categories of risk: a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense, and a cybersecurity risk that foreign-produced routers could be leveraged to harm U.S. persons and infrastructure.

The determination specifically referenced the Volt Typhoon, Flax Typhoon, and Salt Typhoon cyberattack campaigns, in which state-sponsored actors exploited vulnerabilities in small office and home office (SOHO) routers to build botnets, conduct surveillance, and attack critical infrastructure including energy and water systems. A 2025 Department of Commerce supply chain audit found that approximately 85% of the consumer router supply chain is concentrated in China.

The legal authority behind the action is the Secure and Trusted Communications Networks Act of 2019, reinforced by the Secure Equipment Act of 2021, which prevents the FCC from reviewing or approving authorization for any equipment placed on the Covered List.

 

Sources:

 

The FCC adopted the definition from the National Institute of Standards and Technology's Internal Report 8425A: a consumer-grade networking device primarily intended for residential use that can be installed by the customer and forwards IP packets between networked systems. This covers home Wi-Fi routers, mesh systems, Wi-Fi extenders, and SOHO gateways.

 

The definition of "produced in a foreign country" is broad. It includes any device where manufacturing, assembly, design, or development takes place outside the United States. The nationality of the company is irrelevant — an American brand that designs a router domestically but assembles it overseas still produces a "covered" device under this rule.

 

As of this writing, virtually all consumer routers on the market are manufactured abroad. The only known exception is SpaceX's Starlink Wi-Fi router, which is manufactured at the company's facility in Texas.

 

Sources:

 

Your current router is not affected. The ban does not apply retroactively. Consumers can continue to use any router they have already purchased, and retailers can continue to sell models that received FCC authorization before March 23, 2026. No routers are being recalled.

 

You can still buy previously authorized models. Existing inventory at retailers remains legal to sell. If a router model has an FCC ID issued before the cutoff date, it can be imported and sold as before.

 

New models are the issue. Going forward, no new foreign-manufactured consumer router design can be authorized for the U.S. market unless it receives a Conditional Approval from the Department of War (DoW) or the Department of Homeland Security (DHS). As of this writing, no such approvals have been issued for routers — though a handful of drone manufacturers received similar approvals under a parallel process that began in December 2025.

 

The practical concern is product stagnation.  Wi-Fi 7 routers currently on shelves were all manufactured abroad. Wi-Fi 8 hardware (802.11bn), expected in late 2026 or early 2027, will be the first product generation subject to this framework from day one. If the Conditional Approval process moves slowly, consumers may face a gap between the end of current-generation inventory and the availability of next-generation hardware.

 

Sources:

Enterprise equipment is not directly covered. The NIST 8425A definition targets devices intended for residential use and customer-installable. Enterprise-grade firewalls and routers from vendors like Fortinet (FortiGate series), Cisco, Juniper Networks, Aruba (HPE), SonicWall, and Netgate (pfSense appliances) are generally classified as business or enterprise security appliances and fall outside this definition.

 

The gray zone matters. Products that straddle the consumer-enterprise line — such as Ubiquiti UniFi gateways or certain TP-Link Omada devices — are in ambiguous territory. The FCC has not published a definitive product-by-product classification. If your business uses devices marketed to both home users and businesses, and those devices were manufactured abroad, the safest posture is to verify FCC authorization status and monitor developments.

 

Remote workers are an indirect risk. The ban targets consumer devices, but enterprise networks extend into employee homes. A compromised home router can serve as an entry point into corporate systems via VPN or remote access. As foreign-made consumer routers age without replacement options, the security posture of these endpoint environments may degrade over time. This is a factor worth considering in any zero-trust or endpoint security planning.

 

No immediate action is required, but awareness matters. Businesses already using enterprise-grade, rack-mounted, or professionally managed networking equipment are not affected by this specific regulation. However, the FCC's action signals a broader trend toward restricting foreign-produced network infrastructure, and similar restrictions on enterprise gear cannot be ruled out in the future.

 

Sources:

 

One of the most significant details in this action is what happens to software updates for existing routers.

 

Under FCC rules, once equipment is placed on the Covered List, even routine modifications — including firmware and software updates, classified as "Class I permissive changes" — are technically prohibited. Left unaddressed, this would have frozen millions of deployed routers at their current firmware version, preventing security patches.

 

To avoid this, the FCC's Office of Engineering and Technology (OET) issued a blanket waiver on March 23, 2026, permitting previously authorized routers to continue receiving software and firmware updates that "mitigate harm to U.S. consumers." This includes security patches, vulnerability fixes, and compatibility updates. The waiver is in effect at least until March 1, 2027.

 

The "at least" language is important. The OET has indicated it will re-evaluate whether to extend the waiver before it expires. A similar waiver was issued for foreign-produced drones in January 2026 under the parallel UAS Covered List process. However, there is no guarantee of extension, and legal analysts have noted that the waiver is narrow: it covers security and functionality updates only, not new features or capabilities.

If the waiver expires without extension, manufacturers of foreign-made routers would need some form of federal approval to continue pushing firmware updates to devices already in American homes and offices. The practical consequences of that scenario — millions of routers unable to receive security patches — would represent a significant cybersecurity risk in its own right.

 

Sources:

 

 

March 23, 2026 FCC adds all foreign-produced consumer routers to the Covered List. New models can no longer receive FCC authorization. OET firmware waiver takes effect. 

September 2026 Retailers are prohibited from importing new inventory of covered devices. 

March 1, 2027 Current firmware update waiver expires (may be extended). 

 

The FCC's decision to ban new foreign-made consumer routers is one of the broadest supply-chain restrictions the agency has ever imposed on a consumer technology category. The facts are straightforward: existing routers remain legal, previously authorized models can still be sold, and enterprise-grade equipment is not covered by this specific action. Firmware updates for devices already in use are permitted under a temporary waiver through at least March 1, 2027.

 

But the longer-term picture is uncertain. No domestic consumer router manufacturing base currently exists at scale, no Conditional Approvals have been granted for routers yet, and the firmware waiver has a defined expiration date with no guarantee of renewal. For home users, the immediate impact is minimal — but the trajectory points toward fewer choices, higher prices, and an aging installed base if domestic production and the approval process do not ramp up quickly.

 

For businesses, the direct exposure is limited to environments that rely on consumer-grade hardware; enterprise networking infrastructure is exempt under current definitions. Where it gets more nuanced is the remote workforce.

 

Most businesses today have employees who connect to corporate resources — email, file shares, line-of-business applications, VPN tunnels — from home networks. Those home networks are, overwhelmingly, built around the same consumer-grade routers that this regulation targets. The corporate firewall, the endpoint protection agent, the conditional access policy — all of these controls assume that the network between the employee's device and the company's infrastructure is at least neutral. A compromised home router undermines that assumption. It can intercept DNS queries, redirect traffic, capture credentials, or serve as a pivot point into the corporate environment. This is not a theoretical risk — it is exactly how the Volt Typhoon campaign operated, using compromised SOHO routers as covert relay nodes.

 

As the pool of available consumer routers narrows and the installed base ages, the probability of employees working behind unpatched, unsupported hardware increases. This doesn't require immediate action, but it does warrant a conversation. Businesses with hybrid or remote workforces may want to consider a few practical steps:

- Inventory the edge. Understand what networking equipment remote employees are actually using. A short survey or a check during onboarding can establish a baseline without being intrusive.

- Revisit remote access architecture. If your security model depends on the assumption that traffic between the employee's device and your perimeter is clean, this is a good time to evaluate whether that assumption still holds. Zero-trust approaches — where every connection is authenticated and encrypted regardless of network — reduce dependence on the home router's integrity.

- Keep an eye on the firmware waiver. The March 1, 2027 expiration date matters. If the waiver is not extended, millions of consumer routers will stop receiving security patches. That changes the risk calculus for any organization whose employees use those devices.

- Communicate, don't mandate. Most employees will not replace their home router because of a regulatory change. But a clear, low-pressure communication — explaining what the ban means, recommending firmware updates, and offering guidance on router security basics — can raise awareness without overstepping.

 

None of this requires panic. Enterprise infrastructure is not affected today, and the regulatory framework is still evolving. But the direction is clear, and organizations that start thinking about the remote network edge now will be better positioned than those that wait for the next headline.

 

It is also worth noting what may be on the horizon. The FCC's Covered List has expanded in steps — first specific Chinese telecom vendors, then foreign-made drones in December 2025, and now consumer routers. Each step has been broader than the last. Several law firms tracking this space have pointed out that the FCC has signaled a willingness to regulate entire product categories based on manufacturing origin, and that additional categories of equipment — including enterprise-grade hardware — could receive similar treatment. The Flax Typhoon campaign, which the FCC cited in its router determination, also exploited IoT devices like cameras and storage appliances, raising the question of whether those product categories could be next. None of this is confirmed, and there is a meaningful difference between consumer and enterprise equipment in terms of regulatory complexity — enterprise networking gear from companies like Cisco, Fortinet, and Juniper is deeply embedded in federal infrastructure, which makes a blanket geographic ban far more disruptive to implement. But the trajectory is visible, and it is one that affects everyone in the networking ecosystem. As an IT services provider, we are watching this closely not just on behalf of our clients, but because we depend on the same global supply chains. If enterprise equipment restrictions materialize, they would reshape how managed service providers source, deploy, and support the infrastructure our clients rely on. That is not a reason to rush into purchases or overhaul what is working today — but it is a reason to stay informed and factor supply chain continuity into longer-term planning.

 

The situation is evolving. We will update this post as the Conditional Approval process develops and as the March 2027 firmware waiver deadline approaches.