USTR Maintains China Tech Tariffs as BIS Tightens Cyber Export Controls

Executive Summary

• USTR keeps Section 301 tariffs on China tech categories in place, affecting cyber security hardware costs (Reuters coverage).
• U.S. For more on [related cyber security developments](/cyber-security-market-size-surges-as-ai-cloud-and-regulation-reshape-spend). Commerce BIS expands Entity List designations for cyber and surveillance-linked firms, tightening export controls (BIS policy guidance).
• EU updates cyber sanctions regime targeting malicious cyber actors and suppliers, constraining trade flows for sanctioned entities (EU Council cyber sanctions).
• India steps up compliance and import conditions for CCTV and IP camera categories, reshaping procurement timelines (DGFT notifications).

Trade Actions and Immediate Sector Impacts The Office of the United States Trade Representative (USTR) is maintaining Section 301 tariffs on a range of China-origin electronics and ICT categories into 2026, which continue to include hardware relevant to network security appliances and surveillance components. Industry sources indicate tariffs in the 10–25% range persist across multiple Harmonized Tariff Schedule codes used for routers, firewalls, and cameras, raising landed costs for enterprise buyers (Reuters reporting on tariff continuation; USTR). Vendors such as Cisco, Fortinet, and Palo Alto Networks with mixed global supply chains report ongoing efforts to diversify manufacturing away from higher-tariff jurisdictions and lock in alternative component sources to manage gross margins (Cisco investor relations; Fortinet IR; Palo Alto Networks IR). On export controls, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has recently expanded Entity List designations tied to surveillance, advanced computing, and cyber tooling support, limiting U.S. persons and companies’ ability to export certain items or provide services without a license. Companies with links to cyber intrusion capabilities and state-aligned surveillance ecosystems face additional licensing hurdles, further curbing bilateral trade in cyber-relevant hardware and software (BIS guidance on export controls; Federal Register filings). Analysts note that combined tariff and export control regimes are adding 3–8% to procurement costs for U.S. and EU buyers when factoring logistics and compliance overheads, based on recent enterprise procurement data (McKinsey risk insights). Regional Measures in Europe and India In Europe, the Council of the EU updated listings under its cyber sanctions regime in recent weeks, building on measures that target individuals and entities responsible for significant cyber-attacks or enabling malicious activity. Designations restrict asset movements, ban EU persons from transacting, and complicate procurement of security tools from sanctioned entities, particularly where spyware or intrusion platforms are involved (EU Council cyber sanctions page). This intersects with compliance obligations from the EU Cybersecurity Act and NIS2, which together push enterprise buyers to verify provenance and supplier trustworthiness for critical cyber products, effectively shaping import choices even absent formal tariffs (European Commission Cybersecurity Act; NIS2 Directive). India has intensified standards compliance and import conditions on categories covering CCTV and IP cameras, which often originate from Chinese OEMs. Procurement officers report extended lead times and higher total cost of ownership as shipments must meet Bureau of Indian Standards certification and DGFT licensing checks under new or tightened notifications issued over the past month, affecting buyers in banking and critical infrastructure (DGFT portal; BIS India). This environment is prompting some global vendors to re-route manufacturing and final assembly toward Malaysia, Vietnam, and Mexico to stabilize pricing. For more on related Cyber Security developments. Company Exposure and Pricing Responses Network and endpoint security suppliers are adjusting SKUs and pricing to handle trade friction. Cisco has historically spread manufacturing across multiple geographies and continues to emphasize supply-chain resilience to cushion tariff impacts on switches and security appliances (Cisco IR). Fortinet and Palo Alto Networks are signaling selective price updates on hardware bundles while absorbing part of logistics and compliance costs to protect competitive deals in North America and EMEA (Fortinet IR; Palo Alto IR). Software-first platforms such as CrowdStrike and Zscaler face less direct tariff exposure on bits, but still incur additional expenses for managed services delivered to sanctioned jurisdictions and compliance checks on cross-border data flows (CrowdStrike IR; Zscaler IR). Procurement teams in financial services and telecoms report that IP camera providers including China-based Hikvision and Dahua face procurement constraints in certain markets due to sanctions, import conditions, and government guidance against high-risk vendors, pushing buyers toward Western, Japanese, and Korean alternatives in public-sector contracts (Reuters on UK guidance). These inputs align with broader Cyber Security trends where geopolitical risk is a top-three factor in vendor selection, alongside performance and compliance benchmarks (Gartner risk research). Key Trade Measures and Vendor Effects

Jurisdiction	Action	Affected Categories	Source
United States (USTR)	Section 301 tariffs maintained	Routers, firewalls, cameras, ICT parts	Reuters
United States (BIS)	Entity List expansion	Cyber tools, surveillance-linked firms	BIS
European Union	Cyber sanctions updates	Malicious cyber actors and enablers	EU Council
India (DGFT/BIS)	Import standards and licensing tightened	CCTV and IP cameras	DGFT

What Enterprises Should Expect Enterprises should plan for sustained volatility in landed costs for security hardware over the next two quarters, as tariffs, licensing decisions, and sanctions can change procurement pathways with little notice. Buyers are increasingly requesting dual-sourcing and alternative SKU certifications to mitigate country-of-origin risk while preserving performance specs for SOC workflows. Analysts estimate pricing adjustments of 2–6% on average for network security appliances in North America and the EU when factoring in tariff pass-throughs and compliance administration (IDC supply chain note). On the services side, MDR and MSSP offerings from providers aligned with U.S. and EU compliance regimes continue to gain share as customers route work away from constrained jurisdictions. Vendors like CrowdStrike, Zscaler, and Check Point Software report strong pipeline activity in regulated industries as procurement teams seek predictable compliance footprints amid shifting trade measures (CrowdStrike IR; Zscaler IR; Check Point IR). FAQs { "question": "How do current U.S. tariffs impact cyber security hardware pricing?", "answer": "U.S. Section 301 tariffs on China-origin ICT components sustain 10–25% duties on categories relevant to routers, firewalls, and surveillance gear, raising landed costs. Vendors such as Cisco, Fortinet, and Palo Alto Networks mitigate this through diversified manufacturing and selective price adjustments. Enterprises should expect 2–6% pricing shifts on average for network security appliances as tariffs and compliance overheads filter through procurement cycles, according to industry sources and IDC notes." } { "question": "What are BIS Entity List restrictions and why do they matter for cyber tools?", "answer": "BIS Entity List designations restrict U.S. persons and companies from exporting specified items, technology, or services to listed entities without a license. Recent additions linked to surveillance and cyber tooling constrain access to U.S.-origin components and support. This raises compliance complexity for exporters and integrators and may force rerouting of supply chains or substitution of components, impacting delivery timelines for enterprise security deployments and OEMs in affected jurisdictions." } { "question": "How are EU sanctions changing procurement of cyber security products?", "answer": "The EU’s cyber sanctions regime targets individuals and entities associated with significant cyber-attacks or enabling malicious operations. Listings restrict transactions by EU persons and freeze assets, which effectively limits procurement from sanctioned vendors. Combined with obligations under the Cybersecurity Act and NIS2, European buyers increasingly prioritize provenance checks and trusted supplier status, reshaping tenders and vendor shortlists for intrusion detection, endpoint solutions, and surveillance-related products." } { "question": "What is India doing about imports of surveillance equipment like CCTV and IP cameras?", "answer": "India has tightened compliance requirements and import conditions for CCTV and IP camera categories, including mandatory standards certifications and licensing checks. These measures extend lead times and increase total cost of ownership for buyers in banking, telecom, and public infrastructure. Procurement teams report shifting toward vendors with clear compliance roadmaps and local support while OEMs diversify final assembly to countries such as Malaysia and Vietnam to maintain supply continuity and manage pricing." } { "question": "Which cyber security vendors are least exposed to tariffs and why?", "answer": "Software-centric platforms including CrowdStrike and Zscaler have less direct exposure to tariffs on physical goods, though they still navigate export controls and sanctions when serving restricted jurisdictions. Their primary costs relate to cloud infrastructure and services compliance rather than hardware imports. However, integrated hardware-software providers like Cisco, Fortinet, and Palo Alto Networks face more tariff sensitivity and respond by rebalancing manufacturing footprints and adjusting SKU pricing to protect margins and customer contracts." } References

• Office of the U.S. Trade Representative - USTR, December 2025
• US Keeps China Tariffs in Place Amid Review - Reuters, December 2025
• BIS Guidance on Export Controls - U.S. Department of Commerce, December 2025
• Recent BIS Filings - Federal Register, December 2025
• EU Cyber Sanctions Regime Overview - Council of the EU, December 2025
• EU Cybersecurity Act - European Commission, December 2025
• NIS2 Directive - European Commission, December 2025
• DGFT Notifications - Government of India, December 2025
• Managing Supply Chain Risk in ICT - IDC, December 2025
• Cisco Investor Relations - Cisco, December 2025