FCC allows foreign drone updates

Routers and drones already in the U.S. just got a longer software lifeline. On May 8, the FCC’s Office of Engineering and Technology said certain foreign-produced routers, drones, and drone components that were already authorized here can keep receiving security and functionality updates until at least January 1, 2029. The agency also widened the waiver so it covers some Class II software and firmware changes, not just the simpler Class I kind. That matters because a ban on updates sounds tough, but in practice it can leave old gear more exposed. (docs.fcc.gov) ### What actually changed? The short version is that the FCC did not reopen the door for new approvals of the same foreign-made gear. It extended and expanded a waiver for devices that were already authorized before they landed on the Covered List. For routers, the earlier waiver from March 23 let them keep getting software and firmware updates until at least March 1, 2027. The new May 8 notice pushes that out to at least January 1, 2029, and applies the same longer runway to covered drones and critical drone parts too. (docs.fcc.gov) ### What is the Covered List again? The Covered List is the FCC’s list of communications equipment and services deemed to pose an unacceptable national-security risk. In late 2025, the FCC added certain foreign-produced drones and drone components. Then on March 23, 2026, it added consumer-grade routers produced in foreign countries, while carving out products that receive conditional approval from the Department of War or DHS. The practical effect is mostly forward-looking — new covered models face approval barriers, while older deployed gear becomes the messy problem regulators still have to manage. (fcc.gov) ### Why would the FCC allow updates on gear it distrusts? Because unpatched gear is often worse. The FCC’s earlier router waiver already said these updates include patches for vulnerabilities and changes needed to keep devices working with different operating systems. The new notice says the waiver now also reaches software and firmware changes that mitigate harm to consumers through analogous Class II permissive changes. Basically, if millions of devices are already out there, freezing them in time can turn them into easier targets. (docs.fcc.gov) ### What’s this Class I versus Class II thing? It’s FCC equipment-authorization jargon, but the idea is simple. Class I permissive changes are the lighter-touch modifications that generally do not require a new filing. Class II changes are more substantial. The catch is that modern security fixes do not always fit neatly into the lighter bucket, especially when firmware changes affect radio behavior or other certified characteristics. By expanding the waiver to analogous Class II updates, the FCC is admitting that real-world patching is messier than a clean legal category. (docs.fcc.gov) ### Does this mean the FCC backed off its security stance? Not really. The FCC is still moving ahead with restrictions on new covered equipment. The March 23 action added foreign-made consumer routers to the Covered List, and the December 22, 2025 action did the same for certain foreign-produced drones and critical components. On May 6, the agency also announced more conditional approvals and exemptions for specific routers and UAS that cleared separate review. So the direction of travel is still tighter control — just with a more practical rule for already-deployed hardware. (fcc.gov) ### Who does this help right now? Internet providers, businesses, public-safety users, drone operators, and ordinary consumers who already rely on this equipment. The router FAQ updated May 8 makes clear that consumers using covered routers are not being told to rip them out immediately, and it specifically asks whether covered routers can get basic software and firmware edits. The same logic shows up in the UAS FAQ. This is about keeping existing fleets and home networks from becoming dead, vulnerable endpoints overnight. (fcc.gov) ### What’s the bottom line? The FCC is drawing a sharper line between buying new risky gear and maintaining gear that is already deployed. That is a more realistic security posture. It still pressures the market away from foreign-produced covered routers and drones, but it avoids creating a giant population of unsupported devices before replacement plans are ready. (docs.fcc.gov)