Breaking down state legislative efforts in telecom security

Several states are pursuing their own measures to secure communications networks from malicious actors. One angle to address this threat is the proposal and adoption of laws designed to curb the use of Chinese-made equipment and services in state infrastructure, as well as equipment and services made by other foreign adversaries — including communications infrastructure.

State legislation on this topic commonly includes language on: prohibiting contracts and agreements with entities based in foreign adversary countries; imposing greater oversight on sales, transfers and investments by or with non-U.S.-domiciled entities; and adopting state-specific prohibited equipment or services lists, as well as state-specific obligations to remove and replace problematic equipment in networks.

Examples of existing and proposed state regimes

Colorado (enacted)

In 2024, Colorado passed S.B. 24-151, which mandates that all critical telecommunications infrastructure in the state exclude equipment manufactured by federally banned entities or any telecommunications equipment prohibited by the federal government. The law also requires that any existing infrastructure using prohibited equipment be removed and replaced.²

Arizona (pending)

In January, legislators proposed H.B. 2134, which would prohibit the use of software produced by Chinese companies in any critical infrastructure within the state.³

Nebraska (pending)

Lawmakers also proposed L.B. 1096 in January, which would ban software and network-connected technologies linked to foreign adversaries in critical infrastructure, require their removal and replacement, and restrict agreements that allow foreign principals to access or control critical systems. The bill also directs the attorney general to maintain a list of prohibited technologies.⁴

Wisconsin (pending)

Lawmakers proposed S.B. 651 in 2024, which would direct that telecommunications providers maintaining critical infrastructure containing equipment from a foreign principal or any federally prohibited equipment must remove that equipment from the state's critical systems.⁵

Enforcement is another tool that states are using to address cyber risk in communications networks and equipment.

For example, in 2024 and 2025, multiple states — Connecticut, Delaware, Illinois, Indiana, Maine, Massachusetts, New York, Oregon, Pennsylvania and Vermont — as well as the District of Columbia, entered into memoranda of understanding and enforcement partnerships with the Federal Communications Commission to enable joint oversight and compliance.⁶

So far this year, Texas stands out as the most aggressive state pursuing infrastructure risks related to foreign adversaries. Under Attorney General Ken Paxton, Texas filed multiple lawsuits in February against communications equipment manufacturers — including TP-Link Systems Inc., Anzu Robotics LLC and Lorex Technology Inc. — alleging misleading representations, adversarial foreign ownership ties and vulnerabilities in digital infrastructure that may expose consumers to foreign state influence.⁷

The state's S.B. 17 legislation further expands oversight, imposing strict requirements on entities with potential foreign adversary connections and mandating compliance measures for telecom infrastructure in Texas.

Collectively, these examples demonstrate that state-level scrutiny is no longer isolated or symbolic — it is active, legally consequential and often coordinated with federal enforcement, creating heightened compliance risk for any entity operating across multiple jurisdictions.

Many recent state proposals mirror or build on federal efforts to address national security risks from foreign adversaries in critical infrastructure and technology supply chains. But variations among federal and state regimes risk regulatory fragmentation and, for businesses operating across multiple states, complicate compliance strategies.

These types of variations within federal and state regimes can be seen in the following areas.

Prohibited equipment lists

While the FCC maintains the covered list of communications equipment and services that are deemed to pose an unacceptable risk to the national security of the U.S., states are contemplating creating their own lists of prohibited equipment and vendors. State lists may impose sanctions on entities and products that are not otherwise subject to federal restrictions.

Rip and replace obligations

The FCC administers the Secure and Trusted Communications Networks Reimbursement Program, commonly known as "rip and replace," which supports the removal and replacement of certain Chinese-manufactured telecommunications equipment from U.S. networks.⁸

Many state proposals differ substantially from the federal program in terms of participation being mandatory versus voluntary, the equipment targeted, reporting obligations and reimbursement mechanisms.

Scope of affected entities

Federal requirements primarily apply to broadband providers, but some state proposals extend obligations to any entity with access to telecom infrastructure, including utilities, contractors, suppliers and other personnel involved in maintaining networks.

Investment reviews

The federal government reviews transactions involving foreign entities and oversees of inbound investments through the Committee on Foreign Investment in the United States.

This authority has expanded in recent years through the Foreign Investment Risk Review Modernization Act, which broadened CFIUS jurisdiction to include noncontrolling investments and real estate transactions near sensitive facilities, and established mandatory filing requirements for certain transactions involving critical technologies, infrastructure or data.

State-specific regimes may have overlapping or unique triggers, requirements and timelines for review.

Employer obligations

Some states would require enhanced background checks for employees with access to state infrastructure. The FCC does not have rules on this topic.

Due to increasing federal activity and interest from the states, telecom providers and industry participants must now design compliance strategies around an evolving patchwork of requirements.

There is no one-size-fits-all solution for efficiently mitigating risk and liability. However, at a minimum, companies should consider the following advice.

Develop robust and pressure-tested internal controls.

The rapid expansion of restrictions and obligations by both federal and state authorities necessitates that companies create a methodical, centralized compliance program. Key elements of such a program may include:

• Adopting a gating process to ensure all projects, vendors and employees undergo compliance reviews before approval;
• Conducting an inventory of network infrastructure, equipment and services that identifies their geographic reach within or across states;
• Vetting suppliers and contractors, including for foreign owners or interest holders, personnel screening procedures, and compliance policies;
• Identifying employees and third parties with access to critical infrastructure;
• Developing enterprise-wide cyber and physical security policies, which may include centralized training, role-based access procedures, internal vetting and third-party penetration testing and audits; and
• Retaining documentation and records demonstrating compliance and best efforts.

Allocate responsibility for filing requirements and deadlines.

Differing federal and state regimes impose filing obligations with varying requirements and cadences. The legal team should identify and track its obligations to ensure that requirements are met and that enforcement penalties are avoided.

Monitor state-by-state developments.

Given the interconnected nature of the industry, companies operating nationwide may need to comply with the strictest requirements across all states. In addition, the likelihood of a foreign vendor or supplier being banned in one state increases significantly when that entity is flagged in other states.

Check for blind spots.

It is not a given that state-level requirements will only attach to entities regulated by the federal government. Not all states are choosing to regulate in the same way. Companies should analyze enacted laws in any state where they operate to verify whether they fall within the law's scope and face any new requirements.