The FCC’s Office of Engineering and Technology has reversed its hardline stance on foreign-made routers and drones, extending the deadline for security patches and firmware updates to January 1, 2029. The shift reflects a critical tension in tech regulation: national security restrictions versus the immediate cybersecurity risks facing millions of existing devices already in American homes and businesses.
Key Takeaways
- FCC extended software update deadlines for previously authorized foreign-made routers and drones from 2027 to January 1, 2029.
- Extension now permits larger firmware changes (Class II permissive changes) beyond the original smaller updates (Class I permissive changes).
- Ban applies only to new foreign-made devices; existing authorized equipment can now receive security patches longer.
- FCC justified extension as necessary to patch vulnerabilities and prevent millions of devices from becoming cyberattack targets.
- OET plans to recommend permanent rulemaking to codify the waiver into long-term policy.
Why the FCC Reversed Its Stance on Foreign-Made Routers and Drones
The FCC’s original ban on foreign-made routers and drones reflected genuine national security concerns. The White House backed the restrictions, citing risks to US networks and critical infrastructure. Yet the agency faced an uncomfortable reality: abruptly cutting off security updates would leave millions of existing devices exposed to hackers. The FCC’s Office of Engineering and Technology determined that the public interest was better served by allowing continued updates than by enforcing a blanket cutoff. This was not a reversal of the ban itself—new foreign-made devices remain prohibited unless granted special approval from the Pentagon or Department of Homeland Security. Rather, it was a pragmatic recognition that cybersecurity and national security are not always aligned.
The extension to 2029 gives manufacturers and consumers a longer window to transition away from foreign-made equipment. Updates can now patch vulnerabilities and ensure compatibility with evolving operating systems—critical functions that would otherwise cease in 2027. The FCC specifically noted that Class II permissive changes, which involve larger software modifications, are now permitted alongside the smaller Class I updates originally allowed. This expansion acknowledges that security patches are not one-size-fits-all; some vulnerabilities require substantial firmware rewrites to address properly.
Foreign-Made Routers and Drones Face Different Timelines Under New Policy
The timeline for restrictions varies by device type. Foreign-made drones were added to the FCC’s covered list in December 2024, with initial waivers granted in January 2026. Routers followed on March 23, 2026. Both device categories now benefit from the extended 2029 deadline, but the policy applies only to equipment already authorized before the bans took effect. Any new router or drone seeking FCC approval must either be US-made or receive conditional approval from the Department of Homeland Security or Department of Defense—a process that has not yet yielded any router approvals, though similar categorical exemptions exist for drones under programs like Blue UAS.
This creates a two-tier market: legacy foreign-made devices receive extended support, while new foreign-made equipment faces a nearly insurmountable barrier to entry. Manufacturers cannot simply push updates to new models without explicit government approval. The distinction matters because it signals that the FCC is not abandoning national security concerns—it is managing the transition period while preventing the cybersecurity disaster that would result from leaving millions of installed devices unpatched.
What Happens After 2029 for Foreign-Made Routers and Drones
The FCC has not spelled out what occurs when the January 1, 2029 deadline arrives. The agency’s Office of Engineering and Technology plans to recommend codifying the waiver through formal rulemaking, which could extend the deadline further or establish a permanent framework for managing legacy foreign-made devices. In the meantime, consumers and businesses with foreign-made routers and drones should not assume indefinite update support. The 2029 date is a hard stop unless Congress or the FCC acts again. For organizations relying on foreign-made networking equipment, this is a three-year window to plan replacements or seek US-approved alternatives. The policy does not retroactively ban existing devices from use—it only restricts new authorizations and, after 2029, new security patches.
Security experts and tech advocacy groups have largely endorsed this approach, recognizing that the alternative—forcing millions of devices offline or leaving them unpatched—would create a far worse cybersecurity problem than the national security risks the original ban sought to address. A device that cannot receive updates is a liability to every network it connects to, whether foreign-made or not.
Can Foreign-Made Routers and Drones Get New Approvals Before 2029?
Yes, but only through an exceptional process. The Department of Defense and Department of Homeland Security can grant conditional approvals for specific foreign-made routers and drones if they meet national security standards. To date, no router has received such approval, though the drone category has benefited from exemptions. This means that while existing foreign-made routers can receive updates until 2029, manufacturers cannot bring new models to market unless they navigate the Pentagon approval process—a significant barrier that effectively favors US-made alternatives and approved foreign manufacturers.
The FCC’s extension does not weaken the underlying ban; it merely acknowledges that enforcement must account for real-world cybersecurity consequences. Manufacturers of foreign-made routers and drones have until January 1, 2029 to support their existing customer base. After that, they will need either a categorical exemption from DoD or DHS, or they will need to cease providing updates to US customers entirely.
Will the 2029 deadline for foreign-made routers and drones be extended again?
Likely, but not guaranteed. The FCC’s stated intention to pursue permanent rulemaking suggests the agency views this as a temporary measure pending longer-term policy. If manufacturers have not fully transitioned their user bases by 2029, political and cybersecurity pressure may force another extension. However, relying on deadline extensions is not a sustainable strategy for device owners or manufacturers. The safest assumption is that 2029 is a genuine cutoff, and planning should begin now.
What should consumers do if they own foreign-made routers or drones?
Consumers with foreign-made routers and drones should continue applying security updates as they become available through 2029. After that date, updates may no longer arrive. For critical infrastructure and businesses, transitioning to US-made or approved alternatives before 2029 is prudent. For home users, the risk is lower, but replacing aging foreign-made routers with approved models before the deadline eliminates uncertainty. Drones face similar logic—older foreign-made models can still receive firmware updates until 2029, but new purchases should prioritize approved manufacturers.
The FCC’s extension to 2029 is a temporary reprieve, not a permanent solution. It reflects the difficult balance between national security and cybersecurity that regulators must navigate. Consumers and manufacturers should treat this deadline as real and plan accordingly, while understanding that the underlying ban on new foreign-made routers and drones remains in force. The real test will come in 2029—whether the FCC extends again, codifies the waiver, or lets the deadline stand.
Edited by the All Things Geek team.
Source: Tom's Hardware
