FCC Grants DJI Drones Firmware Update Extension Until 2029

The Federal Communications Commission has quietly admitted what airspace security professionals were already saying: cutting off firmware updates to millions of foreign-made drones already flying in U.S. skies would have created a worse cybersecurity problem than the ban it was meant to fix.

In Public Notice DA 26-454, released by the FCC's Office of Engineering and Technology (OET) on May 8, 2026, the agency extended its waiver allowing previously authorized foreign-made drones, UAS critical components, and consumer routers to keep receiving software and firmware updates until at least January 1, 2029. The original cutoffs — January 1, 2027 for drones and March 1, 2027 for routers — would have stranded millions of DJI, Autel, and TP-Link devices without security patches in under a year.

This is a meaningful course correction, but it is not a reprieve for the ban itself. And for anyone responsible for protecting airspace around airports, stadiums, prisons, or critical infrastructure, it confirms exactly what we warned about back in October 2025: the real threat was never the drones on the store shelves. It was the millions already in the sky.

How We Got Here

The regulatory chain leading to this waiver moved quickly. In October 2025, the FCC voted to give itself retroactive authority to revoke equipment authorizations for technology deemed a national security risk. By December 2025, foreign-made unmanned aircraft systems and critical drone components were added to the FCC's Covered List. Consumer routers from foreign manufacturers were added in March 2026.

The government's stated rationale centered on espionage, unauthorized surveillance, and data exfiltration concerns — pointing in particular to threat campaigns like Volt Typhoon, the Chinese state-sponsored advanced persistent threat that U.S. cybersecurity agencies have linked to attempts at pre-positioning inside American critical infrastructure networks via compromised consumer-grade hardware.

The scale of the exposure is hard to overstate. DJI holds roughly 80% of the U.S. consumer drone market, and over 70% of the global civilian drone market, according to industry analyses. On the networking side, foreign-made routers — TP-Link chief among them — sit behind a substantial share of American home and small-business internet connections. Translated into operational terms: any blanket halt to firmware support would have stranded millions of devices already deployed across consumer, enterprise, and public-safety environments.

Placing these devices on the Covered List automatically blocked them from receiving what the FCC calls permissive changes — the post-approval modifications that include firmware updates and security patches. The original waiver only allowed Class I permissive changes (minor updates) and was set to expire in early 2027.

The Industry Pushback

The unintended consequence was obvious to anyone watching: ban updates, and you create a vast, frozen-in-time fleet of unpatched devices, each one a standing invitation for the next vulnerability disclosure.

The Consumer Technology Association, which represents most major U.S. consumer electronics firms and runs CES, issued an open letter urging the FCC to clarify and extend the waiver. Their argument was straightforward: blocking security patches could trigger the exact cybersecurity failures the government was trying to prevent. According to Tom's Hardware, the FCC's OET ultimately conceded that "special circumstances warrant a deviation from the general rules and the public interest would be better served by extending the waiver."

What the New Waiver Actually Does

The updated waiver, reported in detail by DroneXL, does three concrete things:

1. Extends the update window to January 1, 2029 for any device authorized before being placed on the Covered List.
2. Expands the scope from Class I permissive changes (minor updates) to also include Class II permissive changes — more substantial software and firmware modifications that ensure continued device functionality, patch critical vulnerabilities, and maintain compatibility with current operating systems.
3. Excludes Class III changes, which would involve significant alterations to the radio transmitter itself, such as output power or frequency range.

What the waiver does not do is equally important:

• It does not remove any device from the Covered List.
• It does not reverse the broader import and authorization ban on new foreign-made drones and routers.
• It does not grant DJI, Autel, or TP-Link any new market access.

New foreign-made Wi-Fi routers and drones remain banned from the U.S. market unless their manufacturer secures a conditional approval exemption from the Department of Homeland Security or the Pentagon. Netgear and Amazon eero have already secured exemptions for their router lines. DJI has not — and is currently fighting the ban in court and through the FCC's petition process. TP-Link has told the commission it is investing hundreds of millions of dollars in U.S. manufacturing in an effort to qualify for an exemption.

The OET has also signaled it intends to recommend that the full Commission codify the waiver through a formal rulemaking process — which would shift it from a revocable administrative decision to a permanent regulation requiring full public rulemaking to undo.

What This Means for Airspace Security Teams

Here is the honest read for anyone protecting critical airspace: this waiver does not reduce your operational threat profile. In some ways, it formalizes it.

When we covered the original DJI ban in October 2025, our core argument was that a sales ban does not ground the existing fleet. Millions of DJI drones — from Mini-series consumer models to professional Matrice platforms — were already in operators' hands across the country. A ban on new imports doesn't make them disappear; it just freezes the population.

The May 2026 waiver acknowledges that reality and gives those existing aircraft another three years of supported life. In practical terms, that means:

• The installed base of DJI and Autel drones that security teams encounter in real-world detections is not shrinking between now and 2029.
• Those aircraft will continue to receive firmware updates, meaning their capabilities — flight range, payload handling, geofencing behavior, Remote ID broadcast — will keep evolving.
• The regulatory uncertainty around what happens after January 1, 2029 means manufacturers, operators, and bad actors are all working within a multi-year window of legal ambiguity.

For airport security directors, stadium event coordinators, correctional facility administrators, and critical infrastructure operators, none of this changes the fundamentals: a DJI drone overflying your perimeter in 2027 or 2028 will look, behave, and broadcast exactly like a DJI drone today — only with three more years of accumulated firmware refinements.

The Detection Imperative Remains

The argument we made in October 2025 holds with even more force in May 2026: focusing on import bans alone is an incomplete airspace security strategy. The threat surface is defined by what is already flying, not what is being sold.

AirSight's approach centers on three operational realities that don't change regardless of which way the regulatory winds blow:

• Identification, not just detection. Knowing that something is in your airspace is not enough. Airsight's AirGuard platform automatically identifies specific drone models from their Remote ID data, so your team sees "DJI Mavic 3 Pro" or "Autel EVO II" in real time — and can make immediate, capability-aware threat assessments.
• Visual confirmation. Digital signal is necessary but not sufficient. With our Universal PTZ Camera Add-On, any sensor can automatically cue an Axis PTZ camera to lock onto and visually track a detected drone, producing image-backed evidence rather than just a blip on a screen.
• Actionable intelligence. Every detection produces a complete flight profile — altitude, speed, BVLOS breaches, sensor of origin, local timestamps — captured in Enhanced Data Exports built for incident review and chain-of-evidence work.

The Bottom Line

The FCC's May 8 waiver is a pragmatic admission that the regulatory and cybersecurity worlds are not as cleanly separable as the original Covered List ruling assumed. Cutting off security patches to safeguard infrastructure is self-defeating when the patches themselves are the infrastructure safeguard.

For airspace security professionals, the takeaway is unchanged: the legacy fleet is here, it's flying, and it now has firmware support locked in through 2029. The question is not whether DJI and Autel drones will be in your skies over the next three years — they will be. The question is whether you can see them, identify them, and act on them when they arrive.

Schedule a demo with Airsight to see how AirGuard turns regulatory ambiguity into operational clarity.

Sources: FCC Public Notice DA 26-454; sUAS News; Tom's Hardware; DroneXL; DroneDJ; SCSP Commercial Drones Analysis; CKGSB Knowledge.