Colorado SB26-090 critical infrastructure exemption

Colorado SB26-090 is a 2026 bill that would exempt "information technology equipment intended for use in critical infrastructure" from Colorado's Consumer Right to Repair Digital Electronic Equipment Act (HB24-1121), the only state right to repair law that covers business-to-business equipment without a critical infrastructure carve-out.^[1][2] The bill borrows its definition of "critical infrastructure" from the USA PATRIOT Act (42 U.S.C. 5195c(e)), a definition that covers 16 federal sectors including communications, healthcare, food & agriculture, financial services, & information technology.^[3] It doesn't define "information technology equipment" at all, which means manufacturers can decide for themselves whether their products qualify for the exemption.^[2]

Colorado has passed three right to repair laws in four years, making it one of the most active states in the movement.

In 2022, Colorado passed HB22-1031, protecting the right to repair powered wheelchairs.^[4][5] The following year, HB23-1011 made Colorado the first state to pass an agricultural equipment right to repair law.^[4][5]

The most consequential was HB24-1121, the Consumer Right to Repair Digital Electronic Equipment Act. Sponsored by Representatives Brianna Titone & Steven Woodrow & Senators Jeff Bridges & Nick Hinrichsen, it passed the House 39-18 & the Senate 21-13.^[6] Governor Polis signed it on May 28, 2024, with an effective date of January 1, 2026.^[7] The law requires OEMs of digital electronic equipment manufactured after July 1, 2021 to provide independent repair providers & owners with parts, tools, documentation, & schematics on fair & reasonable terms. "Fair and reasonable" is defined as costs "equivalent to the most favorable costs and terms that the manufacturer offers to an authorized repair provider."^[7] The law also bans parts pairing.^[7]

HB24-1121 already exempts motor vehicles, medical devices (except powered wheelchairs), construction & energy-related equipment, fire alarm systems, safety communications equipment, & internet/video/voice routers.^[7] Violations are treated as deceptive trade practices.^[6]

What set HB24-1121 apart from every other state repair law was its scope. Oregon, New York, California, & Minnesota all carved out exemptions for business-to-business equipment from the start.^[1] Colorado didn't. Enterprise networking hardware, servers, & business infrastructure were all subject to the same repair mandates as consumer phones & laptops.^[1] Minnesota's law specifically included a "critical infrastructure" exemption; Colorado deliberately excluded one.^[1] SB26-090 would add back the same type of critical infrastructure carve-out that Colorado excluded when writing HB24-1121.^[1][2]

iFixit CEO Kyle Wiens described HB24-1121 as Colorado "taking a search-and-destroy approach to repair monopolies."^[1] The enterprise IT equipment market reaches $50 to $70 billion annually, & companies like Cisco, Oracle, & IBM use restrictive support agreements to force replacement over repair.^[1] HB24-1121's B2B scope was a direct threat to that revenue model.

SB26-090, titled "Exempt Critical Infrastructure from Right to Repair," was introduced on February 10, 2026.^[8] Its sponsors are Senator John Carson (R-30), Senator Marc Snyder (D-12), & Representative Tony Hartsook (R-44), the House Minority Caucus Chair.^[8]

The bill adds a single sentence to Colorado Revised Statutes sections 6-1-1502 & 6-1-1504: "Nothing in this part 15 applies to information technology equipment that is intended for use in critical infrastructure."^[8]

On April 2, 2026, the Senate Business, Labor, & Technology Committee voted 5-0 to advance the bill to the Committee of the Whole.^[8][2] Second reading was scheduled for April 7, 2026.^[8] The bill still needs full Senate & House floor votes before taking effect.^[2]

The bill defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."^[9] This language comes directly from the USA PATRIOT Act of 2001 & was later incorporated into Presidential Policy Directive 21 (PPD-21), issued by President Obama in 2013.^[10]

Under PPD-21, CISA designates 16 critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food & Agriculture, Government Facilities, Healthcare & Public Health, Information Technology, Nuclear Reactors/Materials/Waste, Transportation Systems, & Water & Wastewater Systems.^[3]

The practical scope of this definition became clear during COVID-19. CISA's "essential critical infrastructure workers" guidance expanded the functional definition to include automotive repair, retail groceries, call centers, & logistics.^[11] Under SB26-090's logic, a $20 network switch used in a federal office building could be "critical infrastructure." A Dell laptop at the Pentagon. A printer at a hospital. The bill's definition doesn't draw a line between a server running a power grid & a network switch on a desk.

The bill also doesn't define "information technology equipment." Gay Gordon-Byrne, executive director of the Repair Association, testified at the committee hearing: "I can point out at least five problems with the bill as drafted. The definition of critical infrastructure is completely inadequate. The definition that has been proposed in this bill is not even a definition."^[2]

The bill uses the phrase "intended for use in critical infrastructure" & doesn't specify who decides whether a product meets that threshold. Danny Katz, executive director of CoPIRG, testified that the bill "leaves it up to the manufacturers to determine which items they will need to provide repair tools and parts to owners and independent repairers and which ones they don't."^[2]

Nathan Proctor, leader of PIRG's national right to repair campaign, called the framing cynical: "The 'information technology' and 'critical infrastructure' thing is as cynical as you can possibly be about it. It sounds scary to lawmakers, but it just means the internet."^[2]

Cisco is the primary corporate backer of SB26-090. iFixit described the company as "the biggest voice in support" of the exemption.^[5] Consumer-grade internet/video/voice routers are already exempt from HB24-1121.^[7] SB26-090 would create an additional, broader exemption covering enterprise networking equipment.^[5]

Cisco's Non-Entitlement Policy states that "unauthorized repair voids the Cisco Warranty Entitlement" & that the company "does not offer or provide any replacement or spare parts to third-party service repair businesses."^[12] Third-party repairs are listed as "grounds for Cisco to cancel service or warranty support."^[12] The Magnuson-Moss Warranty Act (15 U.S.C. Section 2302(c)) prohibits manufacturers from conditioning warranty coverage on the use of a specific service provider or brand of replacement part.^[13]

At the committee hearing, a Cisco representative stated: "Cisco supports SB-90. While it appreciates the arguments offered in favor of the right to repair, not all digital technology devices are equal."^[2]

IBM is also supporting the bill. An IBM spokesperson told Wired: "IBM supports right-to-repair policies that empower consumers while protecting cybersecurity, intellectual property, and critical infrastructure. Given the critical and often sensitive nature of enterprise-level products, any legislation should be clearly scoped to consumer devices."^[2]

Manufacturers backing SB26-090 argue that sharing diagnostic tools, firmware, & schematics for enterprise infrastructure could enable bad actors to exploit vulnerabilities.^[2] iFixit CEO Kyle Wiens testified at the hearing: "There's a general principle in cybersecurity that obscurity is not security. The money that's behind the scenes, that's what's driving the bill."^[2]

Cybersecurity researchers directly dispute the manufacturer framing. Security researcher Billy Rios & threat researcher Andrew Brandt stated that "a right to repair isn't a cyber risk, it's a cyber imperative."^[5] Paul Roberts, chief of The Security Ledger & founder of Securepairs.org, echoed the point: "A vibrant and healthy market for repair isn't a cybersecurity risk. In fact, it should be considered a cybersecurity imperative!"^[5]

Repair advocates also point out that restricting independent repair makes critical infrastructure less secure, not more. If a piece of critical networking equipment fails, the operator needs to fix it immediately rather than wait for manufacturer approval & a service contract dispatch.^[2]

The April 2, 2026 hearing before the Senate Business, Labor, & Technology Committee drew over a dozen repair advocates who testified against the bill.^[2] Organizations represented included iFixit, CoPIRG, the Repair Association, & PIRG's national campaign. Repair advocate Louis Rossmann was also present.^[2]

Katz, who described Colorado as having "the broadest repair rights in the country," warned that the bill "is a bad policy and would be a big step back for Coloradans' repair rights."^[2] Gordon-Byrne pointed to at least five drafting problems.^[2]

Despite unanimous opposition from repair advocates, the committee voted 5-0 to advance the bill.^[2]

Proctor, speaking after the vote, said: "This only hardens my resolve. We cannot stop until this problem is addressed. In practice everywhere, people need to be able to fix their stuff. This is proof that we have to keep going."^[2]

The Department of Defense has been fighting manufacturer repair restrictions on its own equipment.^[14]

On June 10, 2025, Navy Secretary John Phelan testified before the Senate Armed Services Committee: "I am a huge supporter of right to repair."^[15] Phelan described conditions aboard the aircraft carrier USS Gerald R. Ford, where six of the ship's eight ovens broke down. The ship serves 15,300 meals per day. Sailors were capable of fixing the ovens but were contractually forbidden from doing so; the Navy had to wait for a private contractor to arrive.^[16]

Army Secretary Dan Driscoll made a similar point at the Association of the U.S. Army convention in October 2025. He held up a broken fin from a Black Hawk helicopter's external fuel tank. The vendor charged more than $14,000 for a replacement.^[17] Driscoll's team reverse-engineered the part & 3D-printed it in 43 days for $3,000.^[18] In June 2025 testimony before the House Armed Services Committee, Driscoll stated: "On a go-forward basis, we have been directed to not sign any contracts that don't give us a right to repair."^[14]

Congress responded with the Warrior Right to Repair Act. Senator Elizabeth Warren (D-MA) & Senator Tim Sheehy (R-MT) introduced S. 2209 on July 8, 2025; Representative Marie Gluesenkamp Perez (D-WA) co-led the companion H.R. 5155 in the House.^[19][20] The bill would require defense contractors to provide the DoD with fair & reasonable access to technical data, software, tools, & manuals for in-house repair.^[20] Language supporting these principles was incorporated into both House & Senate versions of the FY26 National Defense Authorization Act.^[19]

Both service secretaries publicly called for right to repair protections for military equipment in the same year that Cisco & IBM backed SB26-090 in Colorado.^[14][2][15]

Colorado isn't the only state where manufacturers have tried to exempt enterprise equipment from repair laws.

In 2025, the Texas legislature passed HB2963, a right to repair bill signed on June 20, 2025 & effective September 1, 2026. The bill used the identical USA PATRIOT Act critical infrastructure exemption (42 U.S.C. 5195c(e)) as SB26-090, along with additional exemptions for medical devices & heavy equipment.^[21]

Most states that have passed repair laws, including Oregon, New York, California, & Minnesota, exempted business-to-business equipment from the start.^[1]

As of 2026, right to repair bills have been introduced in every U.S. state & passed in eight.^[2]

• Right to Repair
• Parts pairing
• Magnuson-Moss Warranty Act
• Cisco
• Repair Association
• iFixit