The Federal Communications Commission has quietly admitted what airspace security professionals were already saying: cutting off firmware updates to millions of foreign-made drones already flying in U.S. skies would have created a worse cybersecurity problem than the ban it was meant to fix.
In Public Notice DA 26-454, released by the FCC's Office of Engineering and Technology (OET) on May 8, 2026, the agency extended its waiver allowing previously authorized foreign-made drones, UAS critical components, and consumer routers to keep receiving software and firmware updates until at least January 1, 2029. The original cutoffs — January 1, 2027 for drones and March 1, 2027 for routers — would have stranded millions of DJI, Autel, and TP-Link devices without security patches in under a year.
This is a meaningful course correction, but it is not a reprieve for the ban itself. And for anyone responsible for protecting airspace around airports, stadiums, prisons, or critical infrastructure, it confirms exactly what we warned about back in October 2025: the real threat was never the drones on the store shelves. It was the millions already in the sky.
The regulatory chain leading to this waiver moved quickly. In October 2025, the FCC voted to give itself retroactive authority to revoke equipment authorizations for technology deemed a national security risk. By December 2025, foreign-made unmanned aircraft systems and critical drone components were added to the FCC's Covered List. Consumer routers from foreign manufacturers were added in March 2026.
The government's stated rationale centered on espionage, unauthorized surveillance, and data exfiltration concerns — pointing in particular to threat campaigns like Volt Typhoon, the Chinese state-sponsored advanced persistent threat that U.S. cybersecurity agencies have linked to attempts at pre-positioning inside American critical infrastructure networks via compromised consumer-grade hardware.
The scale of the exposure is hard to overstate. DJI holds roughly 80% of the U.S. consumer drone market, and over 70% of the global civilian drone market, according to industry analyses. On the networking side, foreign-made routers — TP-Link chief among them — sit behind a substantial share of American home and small-business internet connections. Translated into operational terms: any blanket halt to firmware support would have stranded millions of devices already deployed across consumer, enterprise, and public-safety environments.
Placing these devices on the Covered List automatically blocked them from receiving what the FCC calls permissive changes — the post-approval modifications that include firmware updates and security patches. The original waiver only allowed Class I permissive changes (minor updates) and was set to expire in early 2027.
The unintended consequence was obvious to anyone watching: ban updates, and you create a vast, frozen-in-time fleet of unpatched devices, each one a standing invitation for the next vulnerability disclosure.
The Consumer Technology Association, which represents most major U.S. consumer electronics firms and runs CES, issued an open letter urging the FCC to clarify and extend the waiver. Their argument was straightforward: blocking security patches could trigger the exact cybersecurity failures the government was trying to prevent. According to Tom's Hardware, the FCC's OET ultimately conceded that "special circumstances warrant a deviation from the general rules and the public interest would be better served by extending the waiver."
The updated waiver, reported in detail by DroneXL, does three concrete things:
What the waiver does not do is equally important:
New foreign-made Wi-Fi routers and drones remain banned from the U.S. market unless their manufacturer secures a conditional approval exemption from the Department of Homeland Security or the Pentagon. Netgear and Amazon eero have already secured exemptions for their router lines. DJI has not — and is currently fighting the ban in court and through the FCC's petition process. TP-Link has told the commission it is investing hundreds of millions of dollars in U.S. manufacturing in an effort to qualify for an exemption.
The OET has also signaled it intends to recommend that the full Commission codify the waiver through a formal rulemaking process — which would shift it from a revocable administrative decision to a permanent regulation requiring full public rulemaking to undo.
Here is the honest read for anyone protecting critical airspace: this waiver does not reduce your operational threat profile. In some ways, it formalizes it.
When we covered the original DJI ban in October 2025, our core argument was that a sales ban does not ground the existing fleet. Millions of DJI drones — from Mini-series consumer models to professional Matrice platforms — were already in operators' hands across the country. A ban on new imports doesn't make them disappear; it just freezes the population.
The May 2026 waiver acknowledges that reality and gives those existing aircraft another three years of supported life. In practical terms, that means:
For airport security directors, stadium event coordinators, correctional facility administrators, and critical infrastructure operators, none of this changes the fundamentals: a DJI drone overflying your perimeter in 2027 or 2028 will look, behave, and broadcast exactly like a DJI drone today — only with three more years of accumulated firmware refinements.
The argument we made in October 2025 holds with even more force in May 2026: focusing on import bans alone is an incomplete airspace security strategy. The threat surface is defined by what is already flying, not what is being sold.
AirSight's approach centers on three operational realities that don't change regardless of which way the regulatory winds blow:
The FCC's May 8 waiver is a pragmatic admission that the regulatory and cybersecurity worlds are not as cleanly separable as the original Covered List ruling assumed. Cutting off security patches to safeguard infrastructure is self-defeating when the patches themselves are the infrastructure safeguard.
For airspace security professionals, the takeaway is unchanged: the legacy fleet is here, it's flying, and it now has firmware support locked in through 2029. The question is not whether DJI and Autel drones will be in your skies over the next three years — they will be. The question is whether you can see them, identify them, and act on them when they arrive.
Sources: FCC Public Notice DA 26-454; sUAS News; Tom's Hardware; DroneXL; DroneDJ; SCSP Commercial Drones Analysis; CKGSB Knowledge.