top of page

USA: FCC Covered List Component Ban and E-Commerce FCC IDs

  • 19 hours ago
  • 8 min read

The Federal Communications Commission has put the single most consequential change to its equipment authorization programme in years on the table and, unusually, most of it would take effect the moment the Commission votes.


On 1 July 2026, FCC Chairman Brendan Carr released a draft Third Report and Order and Third Further Notice of Proposed Rulemaking in ET Docket No. 21-232 (document reference FCC-CIRC2607-05), Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program. The item was circulated to Commissioners on 30 June and is scheduled for a vote at the FCC's Open Meeting on 22 July 2026.


The headline measure closes what the FCC calls the "component part loophole." Until now, a device produced by a Covered List entity could be refused authorization, while an otherwise identical device built by a third party but containing a Covered List entity's chip faced no restriction at all. The draft Order would end that.


What the FCC Covered List component ban would actually prohibit


The Order would prohibit authorization of logic-bearing hardware components produced by an entity identified on the Covered List, and of any device incorporating such a component where that device would have been prohibited had the Covered List entity produced the whole device itself.

Crucially, the FCC has abandoned a vague standard in favour of a codified, testable one. Responding to industry objections (CTIA argued the term "logic-bearing hardware" was too imprecise to identify prohibited equipment), the draft adds a new definition at 47 CFR § 2.902:


This is deliberately modelled on the long-standing "digital device" definition at § 15.3(k), with one substantive difference: it does not exclude intentional radiators.

In practice, the prohibition captures semiconductors, IoT and cellular modules, wireless chipsets, baseband processors, optical transceivers, trusted platform modules, cryptographic elements and printed circuit boards. It does not capture:


  • "Dumb" components — screws, nails, paint, glue, plastic housings.

  • Components above 9 kHz that carry no logic — the FCC's own examples are fluorescent lamp ballasts with high-frequency oscillators and ultrasonic transducers.

  • Software and firmware. The Commission expressly declined to extend the prohibition to software or firmware components, citing an insufficient record and enforcement difficulty — while keeping the record open on the point.


An important limit: producer-based entries only


This is the nuance most likely to be misreported. The component ban applies only to producer/provider-based Covered List entries Huawei, ZTE, Hikvision, Dahua, Hytera and the entities named in § 1709 of the FY2025 NDAA.

It does not apply to the newer production location-based entries. The Public Safety and Homeland Security Bureau added all UAS and UAS critical components produced in a foreign country to the Covered List in December 2025 (DA 25-1086), and all routers produced in a foreign country in March 2026 (DA 26-278). Components produced by companies caught by those location-based determinations are not swept in by the component ban unless the company is separately named on the Covered List for another reason.


USA: NEW FCC RULES ON COVERED LIST COMPONENTS (EFFECTIVE IMMEDIATELY)," focuses on the ban of logic-bearing hardware from entities on the Covered List. It includes a graphic of a microchip with icons for >9kHz, Digital Techniques, and RF for Data Processing. Below it, a flowchart shows that existing grants are safe, but pending applications are caught. A warning notes that this applies to the producer-based list, not location-based. A certification impact table compares the 'before' and 'after' status for devices, components, and software from Covered List entities. The right column, "E-COMMERCE BROUGHT UNDER FCC MARKETING RULES," illustrates a laptop with a website, a product box, and a magnifying glass pointing to a product tag with an "FCC ID" label. This highlights that verified FCC IDs must be displayed at the point of sale. Services like consignment, fulfilment, and packaging are mentioned, and a flowchart details the e-commerce platform checking the ID. A box notes that no FCC ID printing on packaging is required. A timeline at the bottom spans from July 1, 2026, when the draft was released, to July 22, 2026, when the FCC vote occurred, with the annotation "Component ban effective ON ADOPTION.

E-commerce platforms brought inside the marketing rules


The second pillar of the Order targets online marketplaces, building on Operation Clean Carts, the FCC's enforcement partnership with major platforms, which the Commission says has removed over four million devices from listings.

The draft Order would:


  1. Amend § 2.803(a) to confirm that "marketing" reaches online marketplaces that list regulated equipment in combination with consignment, warehousing, inventory management, order processing, labelling, packaging, billing or fulfilment services even where a third-party seller holds title. The FCC reasons from the analogous Consumer Product Safety Act construction of "distribution in commerce," and independently from the ordinary meaning of "offering for sale."

  2. Require online marketplaces to display the correct FCC ID at the online point of sale, including in online advertising, for every device authorized by certification. Platforms must verify the FCC ID before displaying it, and may be held liable for displaying an incorrect one. The FCC notes marketplaces have both front-end access to the Equipment Authorization System database and back-end API access (the GetFCCIDList API) to check IDs at scale.

  3. Reject an intent or knowledge threshold. The Commission declines to limit liability to wilful violators, noting neither its marketing rules nor § 302a(b) of the Communications Act contains a willfulness element.


Carriers such as FedEx or UPS that merely transport devices without trading in them remain outside the rules, consistent with § 302(c) of the Communications Act. A requirement to print FCC IDs on external retail packaging was considered and not adopted, though the record stays open.


Three further changes in the Order that briefs are missing


Full recertification for Covered List entity modifications. Any modification or permissive change made by a Covered List entity to covered or non-covered equipment would require full certification. Such entities could not use the Supplier's Declaration of Conformity (SDoC) route for any modification. This applies only where the applicant itself is a Covered List entity; a third-party manufacturer modifying equipment originally produced by such an entity is not caught, provided the result is not "produced by" the Covered List entity under the totality-of-the-circumstances test.


No modification into covered status. Previously authorized equipment may not be modified so as to become covered for example, by shifting production of an authorized UAS abroad, or altering componentry so a UAS no longer meets the "domestic end product" test. Routine software and firmware security updates permitted under the OET waivers running to 1 January 2029 are expressly not prohibited modifications.


A narrowed "critical infrastructure" definition. Responding to the D.C. Circuit's partial remand in Hikvision USA, Inc. v. FCC, 97 F.4th 938 (D.C. Cir. 2024), the FCC would adopt the USA PATRIOT Act § 1016(e) definition, guided by the 16 critical infrastructure sectors and the 55 National Critical Functions, and drop the "connected to" language the court found unjustifiably broad. This matters commercially: adopting a valid definition is a precondition to the FCC reviewing compliance plans from Hikvision, Dahua and Hytera for non-covered use cases.


What the Third FNPRM proposes (comment stage only)


The accompanying Further Notice is genuinely a proposal, and would open for comment 30 days after Federal Register publication (replies at 45 days). It seeks comment on:


  • Bifurcating the Covered List into producer/provider-based and production location-based columns, with a conforming reorganisation of the Part 2 rules.

  • Hardware and software bills of materials (HBOM/SBOM) and component-origin reporting at the application stage.

  • Broader component prohibitions extending to any hardware component, software or firmware from a Covered List entity, and requiring full certification for all devices in Covered List sectors (UAS, UAS critical components, routers).

  • Tightening importation (§ 2.1204), marketing (§ 2.803), pre-authorization operation (§ 2.805) and FCC logo use (§ 2.1074).

  • Enforcement: streamlined revocation (§ 2.939), term limits on equipment authorizations, registration of SDoC devices, and a U.S.-based liable party requirement for FCC-certified equipment.

  • Codifying the permissive-change waivers for security updates, and curbing white-labelling and "electrically identical" device abuse.


What this means for manufacturers


The component ban has no transition period. This is the point to internalise. The draft Order states the prohibition is effective as of adoption, with no transition period, on the reasoning that it only affects new equipment authorizations. Pending applications are caught immediately though the FCC states they may be amended to substitute components. OET would notify Telecommunication Certification Bodies (TCBs) directly. If your product is in the certification queue on 22 July with a Covered List entity's chip inside, you will be amending, not grandfathering.


Previously authorized equipment is safe. The rule is prospective. Existing grants remain valid, and that equipment may continue to be marketed, imported and used under its existing authorization.

Your bill of materials is now a certification document. The FCC explicitly rejects the argument that supply-chain provenance tracking is unworkable, pointing to NIST SP 800-161 and the ordinary use of HBOMs in supply-chain risk management. Practically, you need component-level visibility down to the silicon supplier before you file, not after a TCB queries you.


Attestation risk rises sharply. Certification applicants already attest that equipment is not covered. That attestation now extends implicitly to component provenance, and false attestations trigger the streamlined revocation procedures adopted in the First Report and Order.


If you sell through marketplaces, your listings become a compliance surface. Platforms will require a verified FCC ID for every certified device before listing. Expect FCC ID fields to become mandatory in seller onboarding, and expect delistings where you cannot supply one. SDoC-authorized products have no FCC ID the FNPRM proposes to fix this by requiring SDoC registration, which would be a material new burden on the SDoC channel.

Covered List entities lose the SDoC route entirely for modifications. If you are a named entity, or a subsidiary or affiliate, every change goes through full certification.


Certification impact summary


Area

Current position

Position if Order adopted 22 July 2026

Devices with Covered List entity chips

Authorizable — no component-level restriction beyond modular transmitters

Prohibited from certification and SDoC where the equivalent whole device would be prohibited

Definition of the restricted component

None codified

New § 2.902 "logic-bearing hardware component" — >9 kHz + digital techniques, or RF-based data processing

Software / firmware from Covered List entities

Not restricted at component level

Still not restricted (declined; record open, FNPRM seeks comment)

Location-based Covered List entries (foreign UAS, routers)

Whole-device restriction

Component ban does not extend to their components

Modifications by Covered List entities

Some restrictions; SDoC barred for covered equipment

Full recertification for any change, covered or not; no SDoC at all

Online marketplace liability

Ambiguous

Explicitly within "marketing"; no intent requirement

FCC ID display

Physical label / e-label / packaging

Also mandatory at the online point of sale, verified by the platform

"Critical infrastructure" (Hikvision/Dahua/Hytera use-based entries)

Vacated by D.C. Circuit

PATRIOT Act § 1016(e) definition; 16 sectors + 55 NCFs

Effective date of component ban

Immediate on adoption; no transition period

Retail packaging FCC ID

Not required

Not adopted (record open)


Timeline and required actions


Date

Event

Action required

22 Dec 2025

Foreign-produced UAS and UAS critical components added to Covered List (DA 25-1086)

Background — confirm exposure

23 Mar 2026

Foreign-produced consumer routers added to Covered List (DA 26-278)

Background — confirm exposure

30 Jun 2026

Draft Order circulated to Commissioners

1 Jul 2026

Draft Third R&O and Third FNPRM released (FCC-CIRC2607-05)

Audit HBOM against the Covered List now

Before 22 Jul 2026

Ex parte window (permit-but-disclose; Sunshine Agenda prohibition applies ~1 week prior)

File in ET Docket 21-232 via ECFS if you have material concerns

22 Jul 2026, 10:30 ET

FCC Open Meeting vote

Component ban effective on adoption — no grace period

Immediately post-adoption

OET advises TCBs

Amend any pending applications to substitute components

Federal Register + 30 days

FNPRM comments due

File on HBOM/SBOM, SDoC registration, term limits, U.S. liable party

Federal Register + 45 days

Reply comments due

File replies

1 Jan 2027

Buy American "domestic end product" UAS carve-out expires

Re-assess UAS authorizations

1 Jan 2029

OET waivers for software/firmware permissive changes to covered UAS and routers expire

Plan long-term update strategy


Immediate action checklist:


  1. Build or refresh a hardware bill of materials for every product in certification or planned for certification in the next 12 months.

  2. Screen every logic-bearing component supplier against the FCC Covered List, including subsidiaries and affiliates.

  3. Identify pending certification applications at risk and prepare component substitutions and amendments in advance of 22 July.

  4. Confirm whether any of your products or components sit behind a DoW/DHS Conditional Approval these are time-limited and model-specific.

  5. Instruct e-commerce channel partners to prepare FCC ID fields at the point of sale, and audit existing listings.

  6. Consider filing in ET Docket 21-232 particularly on SDoC registration, term-limited authorizations and the U.S.-based liable party proposal, all of which would materially change the compliance economics of the SDoC route.

bottom of page