What to Do If Your Business Is Running Hikvision or Dahua Cameras

Key Takeaways

  • NDAA Section 889 prohibits federal agencies and contractors from using Hikvision and Dahua equipment in contract performance

  • The FCC closed the door on new product authorizations for both companies in November 2022

  • Both manufacturers have documented government ownership ties and a history of security vulnerabilities

  • Private businesses aren't automatically prohibited, but federal contract eligibility, cyber insurance exposure, and product lifecycle risk all create pressure to act

  • Axis Communications and Avigilon are NDAA/TAA-compliant alternatives with strong federal track records

  • Start with an inventory before committing to a replacement scope


Hikvision and Dahua built their market share on competitive pricing and capable hardware. For a decade, they were a default choice for surveillance cameras across commercial buildings, schools, warehouses, and government facilities. That position is changing, and if your organization has these systems installed, the decisions you make now will matter.

Here's a plain-language breakdown of what the restrictions actually are, who they apply to, and what your options look like.


The Restrictions, in Plain Terms

NDAA Section 889. The National Defense Authorization Act for Fiscal Year 2019 prohibits federal agencies and their contractors from purchasing or using covered equipment from Hikvision, Dahua, Huawei, ZTE, and Hytera. This is a statutory requirement, not agency policy. Federal contractors cannot use this equipment in the performance of a government contract — and that includes surveillance systems at locations where federal work is being done.

FCC equipment authorizations. The Federal Communications Commission placed both companies on its Covered List of entities that pose an unacceptable national security risk. In November 2022, the FCC finalized a rule prohibiting new equipment authorizations for these manufacturers. No new Hikvision or Dahua products can receive FCC authorization for sale in the United States. Products already in the field aren't being recalled, but the pipeline for new hardware and authorized replacements is closed.

U.S. Department of Commerce Entity List. Hikvision was added in 2019, Dahua in 2021. This restricts their access to U.S. technology exports and adds another layer of regulatory scrutiny to organizations that maintain these systems.

The ownership concern. CETHIK Group, a Chinese state-owned enterprise, holds roughly 42% of Hikvision. Dahua has similar government ties. Both companies were added to the U.S. Department of Commerce Entity List following documented use of their equipment in state-sponsored surveillance programs targeting ethnic and religious minority populations, as cited by U.S. government officials and independent researchers. The national security concern is that equipment built under state influence and used for state surveillance purposes may carry capabilities or vulnerabilities that create real exposure when connected to U.S. networks.

What the Technical Risk Actually Looks Like

A camera is a network device. If it has undisclosed access capabilities or unpatched vulnerabilities, it's a potential entry point into everything else on that network — access control systems, servers, shared drives.

Researchers from IPVM and academic institutions have identified serious vulnerabilities in Hikvision and Dahua products, including hardcoded credentials and remote access exploits. Both manufacturers have issued firmware patches over the years, but organizations that haven't kept up with updates are running exposed hardware. And with no new FCC authorizations being issued, the long-term support picture for these products in the U.S. is not good.


Does This Apply to Private Businesses?

The short answer: NDAA Section 889 directly governs federal agencies and contractors. Private companies with no government contracts are not currently prohibited from owning or operating this equipment.

That said, three factors are pushing private businesses to revisit these systems regardless of contractor status.

Federal work and contract eligibility. If your organization holds federal contracts, or plans to pursue them, non-compliant equipment at your facilities creates a real problem. The prohibition applies to equipment used in contract performance, which can extend to your physical location and infrastructure.

Cyber insurance. Underwriters are paying closer attention to the equipment inventories of policyholders. Cameras with documented vulnerabilities on a federal watchlist are a harder conversation after an incident than before one.

Product lifecycle. With no new authorizations, you're running equipment that can't count on firmware updates indefinitely. As vulnerabilities are discovered and patches stop coming, the risk profile of these systems grows.


FAQs

Is it illegal for my business to use Hikvision or Dahua cameras?

Not automatically. Private companies without federal contracts are not prohibited under current law. Federal agencies and contractors are prohibited from using this equipment in contract performance.

Do I have to replace my existing cameras immediately?

No immediate federal mandate applies to private businesses. The case for acting sooner is about contract eligibility, insurance exposure, and the closing product support window — not an immediate legal deadline.

What cameras are considered compliant?

Axis Communications and Avigilon are two manufacturers with consistent NDAA and TAA compliance documentation. Both are used in federal installations.

What is the FCC Covered List?

It's the FCC's list of companies determined to pose an unacceptable national security risk. Equipment from companies on this list cannot receive new FCC authorizations for sale in the U.S.

How do I find out if my cameras are affected?

A physical and network inventory is the starting point. A qualified integrator can help you identify covered equipment and assess how it's connected to your broader infrastructure.


What to Do Now

Start with an accurate inventory. Before making any replacement decisions, you need to know exactly what you have: which devices, where they sit on the network, how they connect to other systems, and whether your organization is subject to NDAA restrictions. That baseline determines the urgency and the scope of what comes next.
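One way to do the network half of that inventory, as an added example that is not from this article or any vendor's tooling: match MAC address prefixes from a DHCP lease or ARP export against the IEEE OUI registry by organization name. The registry rows, prefixes, host list and function names below are constructed for illustration; in practice, load the real registry export and your own lease data.

```python
import csv
import string

# Constructed sample in the column layout of the IEEE MA-L registry export (oui.csv).
# Prefixes are placeholders in the locally administered range, not real assignments.
SAMPLE_OUI_CSV = '''Registry,Assignment,Organization Name,Organization Address
MA-L,AAAA01,"Hangzhou Hikvision Digital Technology Co.,Ltd.",placeholder
MA-L,AAAA02,"Zhejiang Dahua Technology Co., Ltd.",placeholder
MA-L,AAAA03,Example Printer Corp,placeholder
'''

# Constructed sample of a DHCP lease or ARP table export: ip, mac, vlan.
SAMPLE_HOSTS_CSV = '''ip,mac,vlan
10.20.0.11,aa:aa:01:10:2f:9c,cameras
10.20.0.12,AA-AA-02-77-00-1B,cameras
10.10.5.40,aa:aa:03:00:00:01,office
10.10.5.41,aa:aa:01:5d:e2:44,office
'''

COVERED_VENDORS = ("hikvision", "dahua")  # the manufacturers this article covers

def load_covered_prefixes(oui_csv_text):
    """Map 6-hex-digit OUI prefix -> organization name, covered vendors only."""
    prefixes = {}
    for row in csv.DictReader(oui_csv_text.splitlines()):
        org = row["Organization Name"]
        if any(vendor in org.lower() for vendor in COVERED_VENDORS):
            prefixes[row["Assignment"].upper()] = org
    return prefixes

def normalize_mac(mac):
    """Drop separators so aa:bb:cc.., AA-BB-CC.. and aabb.cc.. compare equal."""
    digits = "".join(c for c in mac if c in string.hexdigits).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def find_covered_devices(hosts_csv_text, prefixes):
    """Return host rows whose MAC prefix is registered to a covered vendor."""
    hits = []
    for row in csv.DictReader(hosts_csv_text.splitlines()):
        oui = normalize_mac(row["mac"])[:6]
        if oui in prefixes:
            hits.append({**row, "vendor": prefixes[oui]})
    return hits

if __name__ == "__main__":
    for hit in find_covered_devices(SAMPLE_HOSTS_CSV, load_covered_prefixes(SAMPLE_OUI_CSV)):
        print(hit["ip"], hit["mac"], hit["vlan"], hit["vendor"])
```

In the constructed data, the fourth host is a covered-vendor device sitting on the office VLAN rather than the camera VLAN, which is the kind of placement the inventory is meant to surface. A MAC-prefix match is only a first pass on the network side; the physical inventory is still what confirms each device.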

From there, the path is usually one of three things: targeted replacement of the highest-risk or most network-connected devices first, a full migration to a compliant platform, or a phased plan built around budget cycles. Not every situation requires immediate replacement. Some do.

Manufacturers that consistently meet NDAA and TAA compliance requirements include Axis Communications and Avigilon. Both have documented federal procurement compliance and offer platforms that support current network architecture and integrate with access control and enterprise systems.

If you're not sure where your system stands, that's a reasonable place to start. Connextivity works with commercial and federal clients on surveillance audits, system design, and compliant installations. We hold certifications with Axis Communications and Avigilon, and we've installed and maintained systems at federal installations and commercial facilities across the country.

If you want a straightforward conversation about what you're working with, reach out at info@connextivity.com or visit connextivity.com.
