USA: FCC Covered List Component Ban and E-Commerce FCC IDs
- 19 hours ago
- 8 min read
The Federal Communications Commission has put the single most consequential change to its equipment authorization programme in years on the table and, unusually, most of it would take effect the moment the Commission votes.
On 1 July 2026, FCC Chairman Brendan Carr released a draft Third Report and Order and Third Further Notice of Proposed Rulemaking in ET Docket No. 21-232 (document reference FCC-CIRC2607-05), Protecting Against National Security Threats to the Communications Supply Chain through the Equipment Authorization Program. The item was circulated to Commissioners on 30 June and is scheduled for a vote at the FCC's Open Meeting on 22 July 2026.
The headline measure closes what the FCC calls the "component part loophole." Until now, a device produced by a Covered List entity could be refused authorization, while an otherwise identical device built by a third party but containing a Covered List entity's chip faced no restriction at all. The draft Order would end that.
What the FCC Covered List component ban would actually prohibit
The Order would prohibit authorization of logic-bearing hardware components produced by an entity identified on the Covered List, and of any device incorporating such a component where that device would have been prohibited had the Covered List entity produced the whole device itself.
Crucially, the FCC has abandoned a vague standard in favour of a codified, testable one. Responding to industry objections (CTIA argued the term "logic-bearing hardware" was too imprecise to identify prohibited equipment), the draft adds a new definition at 47 CFR § 2.902:
This is deliberately modelled on the long-standing "digital device" definition at § 15.3(k), with one substantive difference: it does not exclude intentional radiators.
In practice, the prohibition captures semiconductors, IoT and cellular modules, wireless chipsets, baseband processors, optical transceivers, trusted platform modules, cryptographic elements and printed circuit boards. It does not capture:
"Dumb" components — screws, nails, paint, glue, plastic housings.
Components above 9 kHz that carry no logic — the FCC's own examples are fluorescent lamp ballasts with high-frequency oscillators and ultrasonic transducers.
Software and firmware. The Commission expressly declined to extend the prohibition to software or firmware components, citing an insufficient record and enforcement difficulty — while keeping the record open on the point.
An important limit: producer-based entries only
This is the nuance most likely to be misreported. The component ban applies only to producer/provider-based Covered List entries Huawei, ZTE, Hikvision, Dahua, Hytera and the entities named in § 1709 of the FY2025 NDAA.
It does not apply to the newer production location-based entries. The Public Safety and Homeland Security Bureau added all UAS and UAS critical components produced in a foreign country to the Covered List in December 2025 (DA 25-1086), and all routers produced in a foreign country in March 2026 (DA 26-278). Components produced by companies caught by those location-based determinations are not swept in by the component ban unless the company is separately named on the Covered List for another reason.

E-commerce platforms brought inside the marketing rules
The second pillar of the Order targets online marketplaces, building on Operation Clean Carts, the FCC's enforcement partnership with major platforms, which the Commission says has removed over four million devices from listings.
The draft Order would:
Amend § 2.803(a) to confirm that "marketing" reaches online marketplaces that list regulated equipment in combination with consignment, warehousing, inventory management, order processing, labelling, packaging, billing or fulfilment services even where a third-party seller holds title. The FCC reasons from the analogous Consumer Product Safety Act construction of "distribution in commerce," and independently from the ordinary meaning of "offering for sale."
Require online marketplaces to display the correct FCC ID at the online point of sale, including in online advertising, for every device authorized by certification. Platforms must verify the FCC ID before displaying it, and may be held liable for displaying an incorrect one. The FCC notes marketplaces have both front-end access to the Equipment Authorization System database and back-end API access (the GetFCCIDList API) to check IDs at scale.
Reject an intent or knowledge threshold. The Commission declines to limit liability to wilful violators, noting neither its marketing rules nor § 302a(b) of the Communications Act contains a willfulness element.
Carriers such as FedEx or UPS that merely transport devices without trading in them remain outside the rules, consistent with § 302(c) of the Communications Act. A requirement to print FCC IDs on external retail packaging was considered and not adopted, though the record stays open.
Three further changes in the Order that briefs are missing
Full recertification for Covered List entity modifications. Any modification or permissive change made by a Covered List entity to covered or non-covered equipment would require full certification. Such entities could not use the Supplier's Declaration of Conformity (SDoC) route for any modification. This applies only where the applicant itself is a Covered List entity; a third-party manufacturer modifying equipment originally produced by such an entity is not caught, provided the result is not "produced by" the Covered List entity under the totality-of-the-circumstances test.
No modification into covered status. Previously authorized equipment may not be modified so as to become covered for example, by shifting production of an authorized UAS abroad, or altering componentry so a UAS no longer meets the "domestic end product" test. Routine software and firmware security updates permitted under the OET waivers running to 1 January 2029 are expressly not prohibited modifications.
A narrowed "critical infrastructure" definition. Responding to the D.C. Circuit's partial remand in Hikvision USA, Inc. v. FCC, 97 F.4th 938 (D.C. Cir. 2024), the FCC would adopt the USA PATRIOT Act § 1016(e) definition, guided by the 16 critical infrastructure sectors and the 55 National Critical Functions, and drop the "connected to" language the court found unjustifiably broad. This matters commercially: adopting a valid definition is a precondition to the FCC reviewing compliance plans from Hikvision, Dahua and Hytera for non-covered use cases.
What the Third FNPRM proposes (comment stage only)
The accompanying Further Notice is genuinely a proposal, and would open for comment 30 days after Federal Register publication (replies at 45 days). It seeks comment on:
Bifurcating the Covered List into producer/provider-based and production location-based columns, with a conforming reorganisation of the Part 2 rules.
Hardware and software bills of materials (HBOM/SBOM) and component-origin reporting at the application stage.
Broader component prohibitions extending to any hardware component, software or firmware from a Covered List entity, and requiring full certification for all devices in Covered List sectors (UAS, UAS critical components, routers).
Tightening importation (§ 2.1204), marketing (§ 2.803), pre-authorization operation (§ 2.805) and FCC logo use (§ 2.1074).
Enforcement: streamlined revocation (§ 2.939), term limits on equipment authorizations, registration of SDoC devices, and a U.S.-based liable party requirement for FCC-certified equipment.
Codifying the permissive-change waivers for security updates, and curbing white-labelling and "electrically identical" device abuse.
What this means for manufacturers
The component ban has no transition period. This is the point to internalise. The draft Order states the prohibition is effective as of adoption, with no transition period, on the reasoning that it only affects new equipment authorizations. Pending applications are caught immediately though the FCC states they may be amended to substitute components. OET would notify Telecommunication Certification Bodies (TCBs) directly. If your product is in the certification queue on 22 July with a Covered List entity's chip inside, you will be amending, not grandfathering.
Previously authorized equipment is safe. The rule is prospective. Existing grants remain valid, and that equipment may continue to be marketed, imported and used under its existing authorization.
Your bill of materials is now a certification document. The FCC explicitly rejects the argument that supply-chain provenance tracking is unworkable, pointing to NIST SP 800-161 and the ordinary use of HBOMs in supply-chain risk management. Practically, you need component-level visibility down to the silicon supplier before you file, not after a TCB queries you.
Attestation risk rises sharply. Certification applicants already attest that equipment is not covered. That attestation now extends implicitly to component provenance, and false attestations trigger the streamlined revocation procedures adopted in the First Report and Order.
If you sell through marketplaces, your listings become a compliance surface. Platforms will require a verified FCC ID for every certified device before listing. Expect FCC ID fields to become mandatory in seller onboarding, and expect delistings where you cannot supply one. SDoC-authorized products have no FCC ID the FNPRM proposes to fix this by requiring SDoC registration, which would be a material new burden on the SDoC channel.
Covered List entities lose the SDoC route entirely for modifications. If you are a named entity, or a subsidiary or affiliate, every change goes through full certification.
Certification impact summary
Area | Current position | Position if Order adopted 22 July 2026 |
Devices with Covered List entity chips | Authorizable — no component-level restriction beyond modular transmitters | Prohibited from certification and SDoC where the equivalent whole device would be prohibited |
Definition of the restricted component | None codified | New § 2.902 "logic-bearing hardware component" — >9 kHz + digital techniques, or RF-based data processing |
Software / firmware from Covered List entities | Not restricted at component level | Still not restricted (declined; record open, FNPRM seeks comment) |
Location-based Covered List entries (foreign UAS, routers) | Whole-device restriction | Component ban does not extend to their components |
Modifications by Covered List entities | Some restrictions; SDoC barred for covered equipment | Full recertification for any change, covered or not; no SDoC at all |
Online marketplace liability | Ambiguous | Explicitly within "marketing"; no intent requirement |
FCC ID display | Physical label / e-label / packaging | Also mandatory at the online point of sale, verified by the platform |
"Critical infrastructure" (Hikvision/Dahua/Hytera use-based entries) | Vacated by D.C. Circuit | PATRIOT Act § 1016(e) definition; 16 sectors + 55 NCFs |
Effective date of component ban | — | Immediate on adoption; no transition period |
Retail packaging FCC ID | Not required | Not adopted (record open) |
Timeline and required actions
Date | Event | Action required |
22 Dec 2025 | Foreign-produced UAS and UAS critical components added to Covered List (DA 25-1086) | Background — confirm exposure |
23 Mar 2026 | Foreign-produced consumer routers added to Covered List (DA 26-278) | Background — confirm exposure |
30 Jun 2026 | Draft Order circulated to Commissioners | — |
1 Jul 2026 | Draft Third R&O and Third FNPRM released (FCC-CIRC2607-05) | Audit HBOM against the Covered List now |
Before 22 Jul 2026 | Ex parte window (permit-but-disclose; Sunshine Agenda prohibition applies ~1 week prior) | File in ET Docket 21-232 via ECFS if you have material concerns |
22 Jul 2026, 10:30 ET | FCC Open Meeting vote | Component ban effective on adoption — no grace period |
Immediately post-adoption | OET advises TCBs | Amend any pending applications to substitute components |
Federal Register + 30 days | FNPRM comments due | File on HBOM/SBOM, SDoC registration, term limits, U.S. liable party |
Federal Register + 45 days | Reply comments due | File replies |
1 Jan 2027 | Buy American "domestic end product" UAS carve-out expires | Re-assess UAS authorizations |
1 Jan 2029 | OET waivers for software/firmware permissive changes to covered UAS and routers expire | Plan long-term update strategy |
Immediate action checklist:
Build or refresh a hardware bill of materials for every product in certification or planned for certification in the next 12 months.
Screen every logic-bearing component supplier against the FCC Covered List, including subsidiaries and affiliates.
Identify pending certification applications at risk and prepare component substitutions and amendments in advance of 22 July.
Confirm whether any of your products or components sit behind a DoW/DHS Conditional Approval these are time-limited and model-specific.
Instruct e-commerce channel partners to prepare FCC ID fields at the point of sale, and audit existing listings.
Consider filing in ET Docket 21-232 particularly on SDoC registration, term-limited authorizations and the U.S.-based liable party proposal, all of which would materially change the compliance economics of the SDoC route.