On September 11, 2025, the FCC closed an investigation into T-Mobile for a single mistake: the carrier started marketing its REVVL 7 PRO 5G smartphone on May 14, 2024, nine days before the device received its FCC equipment authorization. Thousands of phones sold in that window were, technically, unauthorized radio frequency devices. The settlement cost was small, a $7,000 voluntary contribution, but the compliance overhaul that came with it was not: a designated compliance officer, a written Compliance Manual, mandatory training, and three years of annual reports to the Commission.
That case is a warning about timing, not technology. A far larger one, a $1,202,454 proposed forfeiture against Sound Around, Inc. in December 2023 for marketing 33 unauthorized RF models after already being cited once before, shows what happens when noncompliance becomes a pattern. Between those two poles sits every company placing radio, telecom, or electrical equipment on the US or Canadian market in 2026, at a moment when both the FCC and Innovation, Science and Economic Development Canada (ISED) are rewriting the rules that govern how that equipment gets approved.
The stakes are rising because the rules themselves are moving. The FCC adopted sweeping changes to its equipment authorization program on April 30, 2026, aimed at test lab integrity and national security. ISED closed a public consultation on May 29, 2026 covering the first rewrite of its core radio compliance standard since 2018. And for any North American manufacturer exporting into the EU, the clock on the Cyber Resilience Act's first binding deadline, September 11, 2026, is already running.
Which regulators actually drive RF and electrical equipment compliance in North America?
Two federal bodies control market access, and neither delegates to states or provinces on the core technical requirements. In the United States, the FCC administers equipment authorization under 47 CFR Part 2 (Subpart J) and the technical emission limits under Part 15, drawing its enforcement authority from Section 302 of the Communications Act. In Canada, ISED sets requirements through Radio Standards Specifications (RSS series) for radio apparatus and Interference-Causing Equipment Standards (ICES series) for electromagnetic compatibility, both administered under the Radiocommunication Act.
The two regimes are procedurally similar but not identical. The FCC splits authorization into two paths: Certification, which requires third-party review by a Telecommunication Certification Body (TCB) and results in a public FCC ID, and Supplier's Declaration of Conformity (SDoC), a self-declaration with no government filing. ISED uses the same self-declaration logic for most equipment, but under its own RSS-Gen and ICES-Gen general requirements. A device intentionally transmitting RF energy, like a Wi-Fi or Bluetooth radio, needs FCC Certification and an ISED radio certification number. A device that only incidentally generates RF as digital circuitry, like a laptop motherboard, can typically use SDoC on both sides of the border, and testing under CISPR 32 or ANSI C63.4 methodology can satisfy FCC Part 15B and ISED ICES-003 simultaneously. Tracking which path applies to which product line, and where the two jurisdictions diverge, is exactly the kind of per-jurisdiction detail Obsidian's regulatory monitoring is built to surface automatically.
What did the FCC just change about who can test your equipment?
On April 30, 2026, the Commission adopted a final rule in ET Docket No. 24-136, "Promoting the Integrity and Security of Telecommunications Certification Bodies, Measurement Facilities, and the Equipment Authorization Program," released May 1, 2026 and effective 30 days after Federal Register publication on May 15, 2026. The rule responds to a documented problem: in 2024, only 3.6% of devices receiving FCC IDs were tested by labs located in the United States, and just 12.5% more by labs in countries with a Mutual Recognition Agreement (MRA), meaning over 80% of equipment authorization testing happened outside any US-aligned trust framework.
The fix creates a two-tier system. TCBs must now request Commission guidance before approving equipment on a published "Pre-Approval Guidance (PAG) List," but applications tested in "Trusted Test Labs," meaning labs in the US or in an MRA/trade-agreement country, get a fast-track priority review. TCBs and accredited labs also gained new disclosure duties: reporting the number and location of employees engaged in FCC-recognized testing or certification, and for the largest TCBs, certifying they are not owned or controlled by a prohibited entity, with ownership-change reporting timelines now aligned to SEC disclosure requirements. If your roadmap depends on a specific overseas test lab, this rule changes how fast that lab's results move through FCC review starting mid-2026.
Is ISED about to change how radio equipment gets labeled and tested in Canada?
Yes, and the consultation window just closed. ISED opened public comment on February 26, 2026 on draft RSS-Gen Issue 6 and RSS-310 Issue 6, the general compliance standard and the licence-exempt Category II equipment standard that together set the baseline for most radio apparatus certified in Canada. Comments closed May 29, 2026, and once ISED publishes the final versions, a standard six-month transition period applies during which either the outgoing or incoming issue is accepted.
The substantive changes matter for product design cycles, not just paperwork. RSS-Gen Issue 6 extends unwanted emission measurement requirements up to 750 GHz, mandates defined calibration intervals for test equipment, and requires radiated emission test sites to meet site validation under ANSI/USEMCSC C63.25.1, C63.25.2, or CISPR 16-1-4. It also permits QR-code and electronic labeling for the first time, a real cost saving for high-volume consumer products, while shifting passive RFID tags and receive-only devices out of its scope and into RSS-310, which drops the old blanket exemption for transmitters under 6 nW or below 9 kHz in favor of narrower, specific exemptions. A manufacturer designing to RSS-Gen Issue 5 today needs to confirm, once the final issue 6 publishes, whether its device classification or test site accreditation still qualifies.
| Regime | What is changing | Key date |
|---|---|---|
| FCC equipment authorization (ET Docket 24-136) | Trusted Test Lab fast-track, TCB ownership disclosure, prohibited-entity screening | Effective June 15, 2026 (30 days after May 15 Federal Register publication) |
| ISED RSS-Gen / RSS-310, Issue 6 | 750 GHz emission ceiling, calibration intervals, QR/electronic labeling, RFID and receive-only devices moved to RSS-310 | Consultation closed May 29, 2026; six-month transition once published |
| EU RED Cybersecurity Delegated Regulation (EU) 2022/30 | Mandatory cybersecurity requirements (Art. 3(3)(d)/(e)/(f)) for connected radio equipment sold into the EU, including by North American exporters | Applicable since August 1, 2025; repealed December 11, 2027 when the CRA takes over |
| EU Cyber Resilience Act (Regulation (EU) 2024/2847) | Mandatory 24-hour reporting of actively exploited vulnerabilities and severe incidents for products with digital elements sold in the EU | Reporting duty applies from September 11, 2026; full application December 11, 2027 |
What does the FCC actually treat as a serious enforcement case versus a fixable one?
The gap between a $7,000 consent decree and a seven-figure forfeiture comes down to two things: whether the violation was a first-time timing slip or a pattern, and whether the company cooperated with the FCC's Enforcement Bureau or obstructed it. T-Mobile's REVVL 7 PRO case involved a two-week marketing gap before authorization, documented remediation, and full cooperation, resulting in a voluntary contribution under Section 2.803(b) of the FCC's rules. Sound Around's case involved 33 separate unauthorized models, a prior 2022 Forfeiture Order for the same conduct, and what the Commission's Notice of Apparent Liability described as incomplete responses to two Letters of Inquiry, factors that pushed the proposed penalty past $1.2 million at roughly $35,000 per model.
Below that, the Commission's citation process gives smaller violators a chance to correct course before real money is at stake: a 2022 citation against drone retailer Ride208 warned of forfeitures up to $22,021 per day of continuing violation and $165,159 per single act, but only if the conduct continued or the company ignored the order. The pattern across all three cases is the same: import, market, or sell an RF device before authorization is complete, and the FCC's response scales with how long the violation ran and how the company responded when caught. Getting a clear picture of which SKUs already hold a valid FCC ID or ISED certification number, and which are mid-authorization, is the kind of cross-referencing question Obsidian's AI companion can answer against verified regulatory data instead of a spreadsheet someone updates quarterly.
Why does an EU cybersecurity rule matter to a US or Canadian manufacturer?
Because market access to the EU runs through the same product, not a separate compliance track. Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive has applied since August 1, 2025 to internet-connected radio equipment, requiring manufacturers, including North American ones exporting into the EU, to meet cybersecurity essential requirements under RED Article 3(3)(d), (e), and (f) before CE marking. The harmonised standard EN 18031 gained restricted presumption-of-conformity status in the Official Journal on January 28, 2025: products that avoid its restricted clauses, such as allowing users to skip setting a password, can self-certify; products that trigger a restricted clause need Notified Body involvement.
That regime does not last forever, and its replacement arrives on a schedule worth planning around now. The European Commission adopted Delegated Regulation (EU) 2026/339 on February 16, 2026, repealing (EU) 2022/30 effective December 11, 2027, the exact date the broader Cyber Resilience Act reaches full application. In between, on September 11, 2026, the CRA's Article 14 incident reporting duty becomes mandatory on its own, requiring any manufacturer whose connected product is sold in the EU to report actively exploited vulnerabilities or severe incidents within 24 hours, regardless of where the manufacturer is based. A North American electronics company selling the same SKU in Toronto, Dallas, and Berlin is looking at three regimes on three different clocks, converging toward one in 2027.
What should a compliance team actually do with all of this in the next six months?
Start with an inventory question, not a regulatory one: for every SKU shipping into the US or Canada, which authorization path applies, and does the current test report predate the standards now in transition. A product tested under RSS-Gen Issue 5 today is not out of compliance, but it will need a documented decision, retest, amend, or wait for the transition window, once ISED finalizes Issue 6.
Then map exposure by test lab location. If any product line relies on offshore testing outside an MRA country, the FCC's June 2026 Trusted Test Lab framework means that product's authorization now moves through a slower review lane, a genuine time-to-market variable that engineering and regulatory-affairs teams should be discussing together. Obsidian tracks the FCC, ISED, and the EU's RED and Cyber Resilience Act regimes as linked tier-0 sources, with alerts when an effective date moves or a delegated act like 2026/339 changes the compliance clock, so the question of "which rule applies to this product, in which market, as of which date" has a sourced answer instead of a guess. See the plans built for product-compliance and regulatory-affairs teams, or connect Obsidian's MCP directly into your own tools if your workflow already runs through an AI assistant.