July 30, 2025
As governments around the world tighten regulations on connected devices, the risk of foreign control over critical communications has become a top concern—especially for defense and utility operations.
In the U.S., new legislation, for example Section 1260H of the National Defense Authorization Act (NDAA) (DOD Releases List of Chinese Military Companies in Accordance with Section 1260H of the National Defense Authorization Act for Fiscal Year 2021 > U.S. Department of Defense > Release) , is prompting procurement teams to examine connected devices more closely—not just the brand on the box, but the components within.
Recently, the U.S. Department of Defense (DoD) determined that Quectel Wireless, a leading global supplier of cellular modules, was a “Chinese military company” under the NDAA and therefore added it to its Section 1260H entity list. While Quectel has denied ties to the Chinese military and has requested removal from the list, the DoD’s action has heightened urgency around infrastructure security risks, particularly for devices deployed in defense and critical infrastructure applications where remote control or disruption could have severe consequences.
Why does this matter? Quectel modules are widely used across the industry—including in many 4G and 5G routers from well-known brands.
In response, many organizations in sectors like defense, utilities and public safety are reassessing technology partners and prioritizing suppliers that offer supply chain transparency and control.
This blog post breaks down:
- What Section 1260H means for connected devices.
- Where hidden risks lie in cellular module and router supply chains.
- How Semtech’s vertically integrated AirLink® routers reduce uncertainty by using only in-house cellular modules.
What is DoD 1260H—and why does it matter?
Section 1260H of the Fiscal Year 2021 National Defense Authorization Act (NDAA) requires the U.S. Department of Defense (DoD) to publish an annual list of entities identified as “Chinese military companies” (CMCs) operating in the United States or its territories. The objective is to prevent these companies from supporting China’s military modernization efforts and to protect U.S. national security interests.
With the addition of Quectel Wireless to this list, the U.S. Department of Defense can no longer purchase Quectel modules. But while Section 1260H applies specifically to DoD procurement, the implications may extend further.
The scrutiny of Chinese-manufactured connectivity components extends beyond DoD procurement. In a letter to the FCC, the House Select Committee on the Chinese Communist Party has raised concerns about Chinese cellular connectivity modules —such as those manufactured by Quectel and Fibocom—being used in America's IoT devices, potentially signaling broader regulatory attention to these components. While no specific further FCC action has been announced, the congressional inquiry suggests that Chinese-manufactured modules may face additional regulatory scrutiny in the future. Such developments, should they occur, could create significant challenges for organizations that rely on devices containing these components, potentially requiring costly hardware replacements or lengthy procurement delays to source compliant alternatives.
Many federal contractors, infrastructure providers and critical industries are proactively acting to reduce risk and stay ahead of potential new regulatory developments. Selecting a trusted, U.S.-based cellular module provider—like Semtech (formerly Sierra Wireless)— can provide a strategic advantage for organizations that prioritize supply chain integrity, long-term compliance and protection against potential foreign interference.
Semtech is well-positioned in this environment. As a publicly traded U.S. company with over 30 years of experience in cellular technology, Semtech designs its own wireless modules using trusted Qualcomm or Sony Altair chipsets. However, simply avoiding direct purchases from Quectel may not be enough. The reality is that Quectel modules are embedded inside many routers from well-known manufacturers, meaning organizations could unknowingly deploy Quectel components even when buying from trusted router brands.
The hidden module risk—do you know what’s inside your router?
When evaluating connectivity hardware—especially in regulated or security-sensitive environments—it's easy to assume that the name on the router is the only name that matters. But the truth is more complex.
Wireless routers rely on a layered supply chain:
- Qualcomm and other chipset manufacturers provide the core baseband technology.
- Cellular module suppliers like Quectel, Fibocom and Semtech (Sierra Wireless) integrate these chipsets into plug-and-play communication modules.
- Device OEMs, such as Semtech (Sierra Wireless), Cradlepoint (now Ericsson Wireless Solutions), Peplink, Teltonika, and others, incorporate those modules into their routers.
This multi-tiered structure means that even if the router vendor is a U.S. or European brand, the components inside —and potentially software control over those components—may originate elsewhere—sometimes from suppliers now restricted under Section 1260H.
As a leading global supplier of cellular modules, Quectel has supplied modules to most router manufacturers across the industry. Data from the US cellular IoT device index indicates that many router manufacturers use or have used Quectel modules in their 4G or 5G routers.
For buyers aiming to protect their mission-critical communications, this creates more than a visibility problem—it creates a risk. Unless manufacturers explicitly disclose their module suppliers, organizations may unknowingly deploy hardware that includes restricted suppliers or that could be subject to foreign influence or control.
How Semtech delivers trusted mission-critical connectivity
In an environment where component-level scrutiny is increasing, Semtech offers a distinctive advantage: vertical integration of the cellular module.
Unlike many router manufacturers that rely on third-party cellular modules, Semtech uses its own modules across the entire AirLink router portfolio. This exclusive use of internally designed western modules sets AirLink routers apart for mission-critical connectivity.
What this means for you
Semtech is currently the only router manufacturer in the mission-critical connectivity space that:
- Designs its own cellular modules in-house.
- Uses only its own modules across its entire router product line.
This provides enhanced supply chain visibility from the router to the embedded module and enhanced protection against foreign control risks.
The benefits of this approach:
- No Quectel exposure – Organizations can deploy AirLink routers without concern about restricted Quectel modules.
- End-to-end security – By controlling the module layer, Semtech gains broader oversight of device security and firmware integrity.
- Peace of mind – Customers know what’s inside their AirLink router, reducing risk in regulated or security-sensitive environments.
Beyond 1260H—A global shift toward trusted technology suppliers
Regulatory pressure isn’t limited to U.S. defense procurement—governments around the world are tightening standards on telecom, IoT and automotive supply chains to ensure device security and trustworthy sourcing. Some examples include:
- EU NIS 2 Directive (2022): Expands cybersecurity obligations to telecom providers and network operators, reinforcing supply‐chain accountability and incident reporting – NIS2 Directive: securing network and information systems | Shaping Europe’s digital future.
- EU Cyber Resilience Act (2024): Sets mandatory cybersecurity requirements for all connected devices, mandating designers to ensure products remain secure throughout their lifecycle – Cyber Resilience Act | Shaping Europe’s digital future.
- UN/ECE WP.29 Regulations R155 & R156: Require automotive manufacturers to implement cybersecurity management systems and secure OTA update processes — a precedent for digital product integrity standards across industries – New cybersecurity regulations for vehicles 2022.
- UK Telecommunications (Security) Act (2021): Empowers regulators to mitigate risks from “high-risk vendors” in networks, focusing on hardware integrity and supply chain transparency – Telecommunications (Security) Act 2021.
These initiatives reflect a broader trend: whether you're in utilities, automotive, public transit or national defense, the move toward trusted, secure supply chains is now essential.
Organizations are proactively adopting transparent, vertically integrated solutions—like Semtech's—to stay ahead of evolving regulatory and cybersecurity expectations.
Final takeaway:
In today’s environment, where even a hidden subcomponent can jeopardize critical infrastructure security or contract eligibility, visibility into your connected device’s supply chain matters more than ever.
Semtech designs our AirLink routers with our own cellular modules—offering a rare level of vertical integration in the router market. That means no ambiguity and no need to second-guess what’s inside.
For mission-critical applications, this translates to a trusted U.S.-based supplier backed by decades of wireless leadership and a transparent design philosophy that puts security, reliability and accountability first.
Explore our AirLink router portfolio or contact our team to learn more about supply chain transparency for your next deployment.
Related Blogs:
Sign up for blog updates
Get innovation delivered to your inbox. Sign up for our blog and stay on top of the very latest from Semtech (formerly Sierra Wireless).