A New Colorado Bill Could Blow a Hole in the Nation’s Strongest Right to Repair Law

"Critical Infrastructure" Is a Loophole So Big You Could Drive a Service Truck Through It

You can kill a Right to Repair law without ever voting against Right to Repair.

You just carve out a category so broad, so fuzzy, and so lawyer-friendly that the companies you meant to regulate can simply point to it and walk away.

That’s what Colorado Senate Bill 26-090 threatens to do. On paper, it looks technical. In practice, it could hollow out the strongest electronics Right to Repair protections in the country, using one of the broadest terms in federal policy: “critical infrastructure.”

If Colorado Opens This Door, Other States Will Copy It

Colorado has spent the last few years becoming the state that actually means it on repair. 

The state protects repair for powered wheelchairs, agricultural equipment, and digital electronic equipment. In 2022, the state passed the first Right to Repair bill in a decade (HB22-1031), covering powered wheelchairs. In 2023, it passed the first-ever Right to Repair bill for agricultural equipment, and HB23-1011 remains the only agricultural repair bill to have passed so far. In 2024, with HB24-1121, Colorado expanded repair rights to digital electronic equipment. That law took effect in January this year. 

Colorado did not settle for a symbolic “we support repair” press release. It built a real framework, category by category, until it had the broadest and strongest Right to Repair protections in the country. Where Colorado goes, other states will follow: since 2022, eight other states have passed Right to Repair legislation.

That is why this fight matters. When the strongest state law gets weakened, the damage does not stay local. Other legislatures look to Colorado for model language. Manufacturers do too. If this carveout passes, it will stand as a ready-made example of how to gut repair rights while keeping the branding intact.

“Critical Infrastructure” Is Dangerously Overbroad

SB26-090, pending before the Senate Business, Labor, & Technology Committee, would exempt “information technology equipment that is intended for use in critical infrastructure” from Colorado’s Right to Repair law.

The wording sounds more precise than it is. The bill does not name a defined set of products, and it does not draw a clean technical line. It reaches for the federal definition of critical infrastructure in 42 U.S.C. § 5195c(e) instead.

That definition, built by the Cybersecurity and Infrastructure Security Agency (CISA), came from national security and resilience planning, not any specific product or brand. In that context, breadth is the point. CISA’s critical infrastructure framework spans communications, information technology, healthcare, energy, transportation, water, government facilities, and more. 

A consumer protection law needs a different kind of boundary. Lawmakers need to know what is covered, what is excluded, and how those lines will hold up once companies start testing them. SB26-090 swaps that kind of precision for one of the largest categories in federal security policy.

A server farm at CERN. Of course onsite technicians should be able to repair servers like these. If a manufacturer thinks a particular safeguard is needed, it should make that case specifically. SB26-090 skips that work and hands OEMs a broad excuse to wall off repair by invoking “critical infrastructure.”
Image via Torkild Retvedt on Flickr.

An Enormous Loophole with Room to Grow

The problem sits in the full phrase: information technology equipment intended for use in critical infrastructure.

It’s a bafflingly large category; nearly any electronic product could arguably be considered “critical infrastructure,” if it’s used by a government agency in a public-serving capacity. And as written, all a manufacturer has to do is utter those magic words and declare themselves exempt. 

That language gives manufacturers plenty of room to argue. Routers, switches, servers, firewalls, industrial networking gear, hospital IT, utility hardware, municipal systems, telecom-adjacent equipment, and plenty of the electronics that support them can all be described as part of, connected to, or intended for critical infrastructure settings. 

Once that argument is on the table, the center of gravity shifts. The question before a court or regulator stops being what lawmakers thought they were exempting and becomes how much a manufacturer can tuck inside that wording.

That is how a carveout starts small on paper and grows in the real world.

Colorado already has a better model. HB24-1121 contains exemptions for categories lawmakers specifically decided to treat differently, including motor vehicles, aviation, marine vessels, medical devices other than powered wheelchairs, certain safety and security equipment, certain construction- and energy-related equipment, and video game consoles. Those exclusions may be debated, but at least they are concrete. Lawmakers named categories and drew lines deliberately.

SB26-090 takes the opposite path. It hands industry a broad federal catchall and trusts everyone to behave modestly with it. That is not how these fights usually go.

Cisco Wants to Protect Their Service Monopoly

The biggest voice in support of this “critical infrastructure” exemption has been multinational technology conglomerate Cisco. Cisco’s interest here is straightforward. Colorado’s electronics repair law reaches the kinds of devices that matter to enterprise and networking manufacturers.

Equipment inside a Cisco van, via Chad Davis on Flickr.

Repair rights shape who controls the life of a product after sale. They determine who can get the parts, tools, diagnostics, firmware access, service documentation, and repair pathways needed to keep equipment running. A strong repair law threatens Cisco’s monopoly on service. A broad “critical infrastructure” exemption could help them keep a tighter grip on repair.

That makes SB26-090 more than a technical adjustment. It offers a way to pull significant categories of equipment back toward manufacturer-controlled service models without having to attack Right to Repair in the abstract. For a company like Cisco, that is a much easier argument to make.

If Repair Is Risky, Ask Who Made It Risky

Supporters of this bill will likely try to frame independent repair as a threat. Legislators should reject that framing.

Repair is a normal part of owning and maintaining equipment. When a repair becomes unusually dangerous, fragile, or access-controlled, that usually reflects a manufacturer choice about design, documentation, tooling, or software locks, not something inherent about repair itself.

Hospitals, utilities, telecom networks, and emergency systems do not become more resilient when manufacturers keep repair locked behind a service monopoly. They become more dependent, more delayed, and more fragile. When a piece of equipment is unusually difficult to diagnose, restore, or service safely, that usually reflects a manufacturer choice about design, tooling, software locks, documentation, or access controls.

That is the question lawmakers should be asking here: what exactly is the technical problem, and who created it? If a company believes a specific device needs a specific safeguard, it should identify the device and make that case directly. This bill does not do that. It offers OEMs a sweeping exemption without requiring them to show that independent repair is the source of the problem in the first place.

Repair Should Be Considered a Cybersecurity Imperative

Cybersecurity experts agree that Colorado needs to hold the line here. World-renowned security researcher Billy Rios and cybersecurity expert Andrew Brandt spoke against this exemption on the Securepairs podcast earlier this year. As Security Ledger Chief Paul Roberts summarizes:

A vibrant and healthy market for repair isn’t a cybersecurity risk. In fact, it should be considered a cybersecurity imperative!

— Paul Roberts, Security Ledger

Manufacturers should not get a free pass to lock down repair by attaching the words “critical infrastructure” to their products.

Colorado Cannot Blink Now

Colorado is now the state other legislatures study when they want to know what serious repair law looks like. That status brings influence, and it brings risk.

If SB26-090 passes, other states will not read it as a quirky Colorado-specific exception. They will read it as a tested strategy. Industry lobbyists will have a new script ready to go: praise repair in general, praise security even more, then carve out “critical infrastructure” broadly enough that major classes of electronics start slipping out of the law.

That kind of language travels fast. So do the consequences.

Vote No on SB26-090

Members of the Senate Business, Labor, & Technology Committee should reject SB26-090.

If the concern involves a specific category of equipment, the bill should name that category and make the case for it directly. If the rationale depends on one of the broadest labels in federal security planning, lawmakers should treat that breadth as the problem.

Colorado built something important with its landmark Right to Repair legislation. SB26-090 would weaken that framework and hand other states a template for doing the same. For lawmakers who have spent years getting repair policy right, this is the moment to hold the line.

To voice your opposition, add your name to this letter. If you’re still looking for more to do, you can contact your legislators directly via Repair.org.