The ROUTERS Act directs the Secretary of Commerce, through the Assistant Secretary for Communications and Information, to conduct a one‑year study of national security risks and cybersecurity vulnerabilities posed by consumer routers, modems, and combo modem–router devices that are designed, developed, manufactured, or supplied by entities "owned by, controlled by, or subject to the influence of" a statutorily defined "covered country." The bill requires a written report to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee within one year of enactment.
This is a narrowly scoped, information‑gathering measure rather than an authorization of new restrictions or funding. Still, the study creates a formal federal fact‑finding step that could feed into future procurement rules, import controls, or industry guidance — and it places the Commerce Department at the center of assessing supply‑chain and device security risks in widely deployed consumer networking equipment.
At a Glance
What It Does
Mandates a Commerce Department study of national security risks from consumer routers, modems, and combined modem‑router devices tied to entities connected to a "covered country," and requires a report to two congressional committees within one year of enactment. The bill ties the definition of "covered country" to provisions in 10 U.S.C. 4872.
Who It Affects
Manufacturers and suppliers of consumer networking hardware (including overseas firms flagged by the statutory "covered country" list), internet service providers and retailers that distribute consumer gateways, federal policymakers who shape procurement and import policy, and cybersecurity researchers tracking device vulnerabilities.
Why It Matters
By centralizing analysis at Commerce and producing a formal report, the bill creates an evidence base that could justify follow‑on policy (procurement bans, import controls, voluntary standards, or guidance). It also signals congressional interest in consumer‑grade networking equipment as a national security risk rather than solely an enterprise/critical‑infrastructure problem.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill is short and procedural: it orders Commerce to study whether consumer routers, modems, and combination devices create national security or cyber risks when they come from companies that are owned, controlled, or influenced by a "covered country." Instead of listing countries itself, the bill references an existing statutory definition in 10 U.S.C. 4872, which ties the work to an established list used elsewhere in federal law.
The statute gives Commerce one year after enactment to deliver a report to two congressional committees. The Commerce Secretary carries the lead responsibility but is instructed to act through — and in consultation with — the Assistant Secretary for Communications and Information, the official who oversees the National Telecommunications and Information Administration (NTIA) and related communications policy work.The bill does not prescribe the study’s methodology, data sources, or required findings; it simply mandates that Commerce conduct the investigation and report results.
That leaves a lot of practical choices to the agency: how to obtain proprietary supply‑chain information, whether to include lab testing of devices, how to coordinate with intelligence and law enforcement agencies, and how to treat classified or sensitive findings in a publicly releasable report.Because the bill is a study requirement rather than a grant of regulatory authority or new export/import control, its immediate legal effect is informational. Nevertheless, the report will form the factual foundation that Congress and executive agencies could use to justify later measures — for example, procurement exclusions, import restrictions, or technical standards — aimed at limiting the presence of higher‑risk consumer networking gear in U.S. homes and networks.
The Five Things You Need to Know
The bill requires Commerce to study consumer routers, modems, and devices that combine a modem and router when those devices are tied to entities "owned by, controlled by, or subject to the influence of" a "covered country.", Commerce must submit the study's report to the House Energy and Commerce Committee and the Senate Commerce, Science, and Transportation Committee no later than one year after enactment.
The statute does not list countries itself; it adopts the "covered country" definition in 10 U.S.C. 4872(d)(2) and (f)(2), binding the study to an existing federal list used in defense procurement law.
The lead responsibility sits with the Secretary of Commerce, acting through and consulting with the Assistant Secretary for Communications and Information (the NTIA‑linked official).
The bill authorizes only a study and report; it does not create new regulatory powers, funding, or immediate restrictions on devices or suppliers.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title — 'ROUTERS Act'
This simple provision supplies the Act's name: Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS Act). Naming matters in practice because it signals congressional intent and frames subsequent report language and outreach, but this section imposes no substantive obligations.
Scope of the study — devices and ownership ties
Subsection (a) defines the universe for the study: consumer routers, modems, and devices combining both functions that are designed, developed, manufactured, or supplied by persons who are owned by, controlled by, or subject to the influence of a "covered country." That phrasing pulls in multiple nodes of the supply chain — design, manufacture, and supply — and uses a broad control/influence standard rather than a narrow ownership test, which expands the set of potentially implicated firms beyond outright foreign ownership.
Reporting requirement and recipients
Subsection (b) sets a firm one‑year deadline for Commerce to deliver a written report to two congressional committees (House Energy and Commerce; Senate Commerce, Science, and Transportation). The single one‑year timeline creates a near‑term deadline for analysis but does not require public release or specific deliverables beyond the report itself, leaving the agency to decide how much detail or classified support material to include.
Definition: 'covered country' tied to 10 U.S.C. 4872
Subsection (c)(1) delegates the definition of "covered country" to cross‑reference provisions in 10 U.S.C. 4872(d)(2) and (f)(2). Using that statutory list aligns this study with an existing defense‑oriented framework (commonly used to identify countries posing supply‑chain risks), but it also imports whatever limitations and political determinations underlie that separate statute.
Definition: Secretary and internal lead
Subsection (c)(2) clarifies that "Secretary" means the Secretary of Commerce and specifies the study be conducted in consultation with the Assistant Secretary for Communications and Information. That places the report within Commerce’s communications and technology policymaking apparatus (NTIA context) rather than, say, Defense or DHS — which affects access to classified intelligence, technical testing facilities, and interagency coordination.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Congressional oversight committees — the bill supplies a one‑year, agency‑produced evidence base the committees can use to justify future legislation, hold hearings, or press for agency action on consumer‑grade networking risks.
- Federal cybersecurity and telecommunications policymakers — Commerce will centralize analysis that agencies can draw on to align procurement, export control, and standards efforts without duplicative studies.
- Domestic manufacturers not tied to covered countries — a formal study that identifies risks associated with foreign‑tied suppliers could create competitive advantages for U.S. or allied suppliers if buyers shift away from higher‑risk gear.
- Cybersecurity researchers and standards bodies — the Commerce report could surface technical vulnerabilities, data sets, or testing priorities that researchers and voluntary standards organizations can act upon.
Who Bears the Cost
- Foreign manufacturers and suppliers linked to covered countries — even without immediate bans, the study raises regulatory and reputational risks that can reduce market share, increase scrutiny, or lead to follow‑on restrictions.
- Internet service providers and retailers — these intermediaries may face supply disruptions or the need to change device sourcing and customer support if the report leads to procurement guidance or labeling requirements.
- Department of Commerce (and NTIA) staff — the agency must allocate analytical and coordination resources to complete the study within a year, potentially without dedicated new funding.
- U.S. consumers — if the report triggers restrictive policies or market shifts away from lower‑cost devices, consumers could face higher prices or reduced device choice, at least during any transition period.
Key Issues
The Core Tension
The central dilemma: protect national security by identifying and, if necessary, removing high‑risk consumer networking gear versus preserving consumer choice, market competition, and low‑cost connectivity; the bill aims to prioritize security but does so through a study that could pave the way for interventions that impose real economic and access costs.
The ROUTERS Act creates an information‑gathering mandate but leaves most consequential choices to the Commerce Department and to future policymakers. The bill does not specify methodology, the level of technical testing, whether to perform device reverse‑engineering, or how to handle classified intelligence.
That flexibility helps the agency tailor the study to available resources but also risks producing a report that is either too general to support policy or too reliant on classified material to be useful for public oversight.
The statutory cross‑reference to 10 U.S.C. 4872 imports a preexisting, defense‑oriented definition of "covered country," which may be administratively convenient but also politically loaded. The bill’s broad phrasing — covering design, development, manufacture, and supply chains and using an "influence" standard — raises definitional and evidentiary questions: how will Commerce determine "subject to the influence of" a covered country in complex multinational corporate structures?
Finally, because the act provides no funding or explicit interagency mandate, Commerce’s access to intelligence, testing labs, and overseas supply‑chain data could be uneven, undermining the study’s comprehensiveness and the usefulness of its recommendations.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.