Navigating the Secure Networks Act: What Restricted Equipment Means for Your Organization

Von Ameer Owda 24. März 2026 soc

Navigating the Secure Networks Act: What Restricted Equipment Means for Your Organization

Most organizations assume that if a technology is widely used, it is acceptable to deploy which is not exactly wrong until the opposite is said. But, List of Equipment and Services Covered By Section 2 of The Secure Networks Act just said the opposite.

Telecommunications security underwent a massive shift in March 2026, when the Federal Communications Commission (FCC) expanded its Covered List to include all consumer-grade routers produced in foreign countries. The Secure Networks Act (specifically the Secure and Trusted Communications Networks Act of 2019) is the foundational legislation that directs the FCC to publish this Covered List.

Section 2 of this Act was introduced to mandate the Public Safety and Homeland Security Bureau to identify and publish a list of communications equipment and services that are deemed to “pose an unacceptable risk to the national security of the United States or the security and safety of United States persons”. It aims to solve telecom security problems by preventing vulnerable or compromised technology from infiltrating U.S. networks.

Organizations should care about this list because it directly dictates what technology is legally permitted to be authorized for import and sale in the U.S.. While initially focused on telecommunications providers and enterprise video surveillance, the inclusion of consumer-grade routers and drones demonstrates that this regulation now affects a much broader sector, including consumers, general enterprises, and small businesses that rely on basic internet connectivity.

What “Covered Equipment and Services” Means?

The distinction between equipment and services is categorized by physical hardware versus operational offerings.

  • “Equipment” includes physical devices like telecommunications hardware, video surveillance cameras, uncrewed aircraft systems (UAS/drones), and consumer-grade routers.
  • “Services” encompass managed offerings such as international telecommunications routing, video surveillance services, and information security solutions.

The primary criteria used to classify something as “covered” is whether an Executive Branch agency determines it poses an unacceptable national security or cybersecurity risk.

Historically, classification was based on specific vendors (like Huawei or ZTE). However, recent updates show a shift toward function-based and origin-based risk classification, such as banning all “routers produced in a foreign country” regardless of the specific vendor.

Kaspersky products were first included into the Covered List in March 2022 and then July 2024

Kaspersky products were first included into the Covered List in March 2022 and then July 2024

Software is absolutely included; for example, cybersecurity and anti-virus software produced by Kaspersky Lab was added to the list.

What are the Categories of Covered Equipment and Services?

Categories of Covered Equipment and Services

Categories of Covered Equipment and Services

The types of telecom infrastructure included on the list cover broad categories of telecommunications equipment, video surveillance equipment used for physical security of critical infrastructure, Uncrewed Aircraft Systems (UAS), and routers.

However, routers are now included as well, if produced in a foreign country.

Covered services currently encompass telecommunications services, international telecommunications services, video surveillance services, and information security/cybersecurity services.

Service providers can indeed be restricted independently of hardware; for example, international telecommunications services provided by China Mobile International USA, China Telecom, Pacific Networks Corp, and China Unicom are banned outright. Furthermore, software services like Kaspersky Lab’s cybersecurity solutions are restricted.

Vendors and Entities on the Covered List

Specific vendors explicitly named on the list include:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company
  • AO Kaspersky Lab (and its subsidiaries/affiliates)
  • China Mobile International USA Inc.
  • China Telecom (Americas) Corp.
  • Pacific Networks Corp / ComNet
  • China Unicom (Americas) Operations Limited

The rationale for their inclusion is that they pose an unacceptable risk to U.S. national security. There is a clear pattern of country of origin and intelligence risk: all specifically named telecommunications and surveillance hardware vendors are Chinese, and the restricted cybersecurity software vendor (Kaspersky) has Russian origins. The list also applies to all subsidiaries and affiliates of these entities.

What is the Operational Impact on Organizations?

The Covered List creates direct constraints on how organizations select, procure, and operate technology. It requires organizations to treat technology decisions as compliance and security matters. This affects both new investments and existing infrastructure.

For the newly restricted consumer-grade routers, there is no requirement to remove or replace existing equipment. The FCC explicitly stated that “this action does not affect any previously-purchased consumer-grade routers” and that users “can continue to use any router they have already lawfully purchased or acquired”. The primary mechanism of enforcement is that these items are prohibited from receiving new FCC authorizations, blocking future imports and sales. But further developments can have the following impact on organizations:

  • Procurement processes will become more complex. Organizations must verify that vendors are not on the Covered List. This requires stronger due diligence, legal review, and contract controls. As a result, procurement cycles can slow down and vendor options become more limited.
  • Existing environments must be reviewed and, if necessary, remediated. Organizations need full visibility into their assets across IT and operational technology environments. Covered equipment or services must be identified and replaced. This will create cost and operational disruption, especially in large or legacy systems where such components may be deeply embedded.
  • Third-party risk can become a key concern. Even if an organization does not directly use restricted vendors, exposure can still occur through managed service providers, or external platforms. This requires broader supply chain assessment and continuous monitoring of service providers.
  • Network and infrastructure design may need to change. Restrictions on certain providers and hardware vendors will limit design choices. In some cases organizations may need to redesign parts of their network to maintain connectivity, resilience, and performance while remaining compliant.
  • Security operations are also affected. When restricted tools are removed, organizations must replace them and revalidate detection and response processes. This can create temporary visibility gaps and requires careful transition planning to avoid weakening security posture.
  • Compliance and audit requirements will increase. Organizations must be able to demonstrate that they are not using covered equipment or services. This involves continuous monitoring, internal audits, and documentation. Non-compliance can lead to regulatory penalties, contract loss, and reputational damage.

The impact is more significant for government contractors and critical infrastructure operators since these entities are subject to stricter enforcement and may lose access to contracts or partnerships if they fail to comply.

What are the Challenges and Limitations?

Challenges and limitations for organizations

Challenges and limitations for organizations

The Covered List introduces practical and structural challenges for organizations. These challenges affect visibility, execution, and long-term sustainability of compliance efforts.

  • One key challenge is asset visibility. Some organizations may not have a complete inventory of their hardware and software, especially in large or distributed environments. Covered components may be embedded within broader systems, such as surveillance platforms or network appliances, making identification difficult.
  • Vendor attribution is another limitation. The list applies not only to named entities but also to their subsidiaries and affiliates in some cases. Ownership structures can be complex and change over time. This creates uncertainty in determining whether a product or service is indirectly linked to a covered entity.
  • Replacement is often costly and disruptive. Removing covered equipment requires budget, planning, and downtime. In some cases, there may be no direct equivalent alternatives, especially for specialized telecommunications or surveillance technologies. This can delay remediation efforts.
  • Supply chain exposure remains difficult to control. Organizations may comply at a direct level but still rely on third parties that use restricted technologies. Full visibility into service provider dependencies can be limited, which creates residual risk.
  • Security trade-offs can occur during transition periods. Replacing banned cybersecurity tools or infrastructure components can create temporary gaps in monitoring and protection. Poorly managed transitions may increase short-term risk.
  • Geopolitical scope is another limitation. The Covered List reflects national security priorities of the United States. Multinational organizations may face conflicting regulatory requirements across regions, which complicates standardization of technology stacks.

Future Outlook

Based on recent updates, the Covered List is rapidly evolving from targeting specific companies to targeting entire categories of technology based on foreign origin. While it began with specific Chinese telecom firms in 2021, it expanded to drones produced in any foreign country in 2025, and now consumer-grade routers produced in any foreign country in 2026.

This trajectory suggests that organizations should absolutely expect stricter controls that expand beyond traditional telecom infrastructure into consumer technology and broad supply chains. However, the continuous expansion from 2021 to 2026 indicates the government’s willingness to aggressively block foreign technology categories that pose supply chain or cybersecurity risks.

This type of action will, of course, provide certain security benefits. From an economic, supply chain, and cybersecurity perspective, products manufactured domestically are likely to be considered more trustworthy than those produced in countries such as China or Russia, which the United States views as primary adversaries. However, this approach will also bring some negative consequences.

When we examine the products and services previously added to the list, we do not see items that impact such a broad user base. Most of them tend to serve niche use cases or have established domestic alternatives. In contrast, this appears to be the most widely used product included in the list so far.

Even if existing products remain unaffected, the production of new ones will require a certain amount of infrastructure investment. A significant portion of global manufacturing currently takes place in China. It is unclear how much of the production carried out on U.S. soil will genuinely be domestic, and which components will still be sourced from foreign countries. It is also uncertain how much foreign dependency regulators will tolerate in practice. Just as adding a minor component such as the zip of a bag can be sufficient to label a product as “Made in Italy,” it is possible that domestic manufacturers may adopt similar practices.

At this stage, it is plausible that some manufacturers may misrepresent their production processes to avoid regulatory restrictions. This creates a more serious risk, as products that appear authorized may be overlooked or insufficiently scrutinized, potentially introducing vulnerabilities that are more severe than those seen previously.

In the short term, we expect companies already involved in hardware manufacturing to relocate part of their production lines to the United States or increase the existing production rates. At the same time, new firms may emerge seeking to benefit from this environment. In the mid-long term, this ecosystem is likely to expand alongside subcontractors and supporting suppliers.

The risks we highlight may arise when these new entrants, or future subcontractors within the ecosystem, become part of the production chain. We expect the ecosystem to mature over the long term, reducing some of the concerns outlined here.

Conclusi̇on

For organizations, this is not a one-time adjustment. It requires continuous visibility into assets, clear understanding of vendor relationships, and structured procurement controls. The recent inclusion of foreign-produced routers shows that the scope can expand into areas that were previously considered standard and low risk.

As a result, compliance and security become closely linked. Decisions about infrastructure must account for regulatory exposure as much as technical requirements. Organizations that fail to adapt may face operational disruption, limited vendor choice, and increased compliance risk. Those that adjust early can reduce uncertainty and maintain more stable operations.

← Zurück zum soc Archiv (24.03.2026)