Rescinding cyber security measures in USA

In an internally contentious ruling, the U.S. Federal Communications Commission (FCC) has rescinded a previous Commission action intended to hold telecommunications carriers legally responsible for implementing and certifying cybersecurity protocols.
According to an Order on Reconsideration issued in late November 2025, the Commission called a January 2025 Declaratory Ruling by the Commission “based in part on the Declaratory Ruling’s flawed legal analysis,” thereby making it “unlawful and ineffective.” At the same time, the Commission also withdrew a Notice of Proposed Rulemaking (NPRM) that accompanied the Declaratory Ruling.
To support its decision, the Commission cited numerous efforts this year to strengthen cybersecurity measures for communications networks, including the establishment of a Council on National Security to advise the Commission on cybersecurity issues, and the adoption of targeted but flexible rules for communications providers.
The Commission also cited its recent efforts to ban what it calls “bad labs” from the FCC’s equipment authorization program.
However, the Commission’s Order faced critical pushback from commission members who think that by rescinding previous efforts to strengthen the networks without offering anything in their place, the FCC leaves the country less secure at the very moment when cybersecurity threats are increasing.

The FCC’s Order on Reconsideration on cybersecurity threats can be seen here: https://docs.fcc.gov/public/attachments/FCC-25-81A1.pdf, their press release announcing the Order can be seen here: https://docs.fcc.gov/public/attachments/DOC-415455A1.pdf, and a press release detailing a Commission member’s objections to the Order can be seen here:  https://docs.fcc.gov/public/attachments/DOC-415409A1.pdf.

(This article is based on an article in the InCompliance magazine; edited by T.Sollie)