Colorado SB26-090 critical infrastructure exemption

Colorado SB26-090 is a 2026 bill that would exempt "information technology equipment intended for use in critical infrastructure" from Colorado's Consumer Right to Repair Digital Electronic Equipment Act (HB24-1121), a law that eliminated the business-to-business exemptions found in other states' repair laws & deliberately excluded a critical infrastructure carve-out.^[1] Danny Katz, executive director of CoPIRG, described Colorado as having "the broadest repair rights in the country."^[2] The bill borrows its definition of "critical infrastructure" from the USA PATRIOT Act (42 U.S.C. 5195c(e)), a definition that covers 16 federal sectors including communications, healthcare, food & agriculture, financial services, & information technology.^[3] It doesn't define "information technology equipment" at all, which Katz said "leaves it up to the manufacturers to determine which items they will need to provide repair tools and parts to owners and independent repairers and which ones they don't."^[2]

Colorado has passed three right to repair laws in four years, making it one of the most active states in the movement.

In 2022, Colorado passed HB22-1031, protecting the right to repair powered wheelchairs.^[4] The following year, HB23-1011 made Colorado the first state to pass an agricultural equipment right to repair law.^[5][6]

The most consequential was HB24-1121, the Consumer Right to Repair Digital Electronic Equipment Act. Sponsored by Representatives Brianna Titone & Steven Woodrow & Senators Jeff Bridges & Nick Hinrichsen, it passed the House 39-18 & the Senate 21-13.^[7] Governor Polis signed it on May 28, 2024, with an effective date of January 1, 2026.^[8] The law requires OEMs of digital electronic equipment manufactured after July 1, 2021 to provide independent repair providers & owners with parts, tools, documentation, & schematics on fair & reasonable terms. "Fair and reasonable" is defined as costs "equivalent to the most favorable costs and terms that the manufacturer offers to an authorized repair provider."^[8] The law also bans parts pairing.^[8]

HB24-1121 already exempts motor vehicles, medical devices (except powered wheelchairs), construction & energy-related equipment, fire alarm systems, safety communications equipment, & internet/video/voice routers.^[8] Violations are treated as deceptive trade practices.^[7]

What set HB24-1121 apart from every other state repair law was its scope. Oregon, New York, California, & Minnesota all carved out exemptions for business-to-business equipment from the start.^[1] Colorado didn't. Enterprise networking hardware, servers, & business infrastructure were all subject to the same repair mandates as consumer phones & laptops.^[1] Minnesota's law specifically included a "critical infrastructure" exemption; Colorado deliberately excluded one.^[1] SB26-090 would add back the same type of critical infrastructure carve-out that Colorado excluded when writing HB24-1121.^[1][2]

iFixit CEO Kyle Wiens described HB24-1121 as Colorado "taking a search-and-destroy approach to repair monopolies."^[1] The enterprise IT equipment market reaches $50 to $70 billion annually, & companies like Cisco, Oracle, & IBM use restrictive support agreements to force replacement over repair.^[1] HB24-1121's B2B scope was a direct threat to that revenue model.

SB26-090, titled "Exempt Critical Infrastructure from Right to Repair," was introduced on February 10, 2026.^[9] Its sponsors are Senator John Carson (R-30), Senator Marc Snyder (D-12), & Representative Tony Hartsook (R-44), the House Minority Caucus Chair.^[9]

The bill adds a single sentence to Colorado Revised Statutes sections 6-1-1502 & 6-1-1504: "Nothing in this part 15 applies to information technology equipment that is intended for use in critical infrastructure."^[9]

On April 2, 2026, the Senate Business, Labor, & Technology Committee voted 5-0 to advance the bill to the Committee of the Whole.^[9][2] Second reading was scheduled for April 7, 2026.^[9] The bill still needs full Senate & House floor votes before taking effect.^[2]

The bill defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."^[10] This language comes directly from the USA PATRIOT Act of 2001 & was later incorporated into Presidential Policy Directive 21 (PPD-21), issued by President Obama in 2013.^[11]

Under PPD-21, CISA designates 16 critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food & Agriculture, Government Facilities, Healthcare & Public Health, Information Technology, Nuclear Reactors/Materials/Waste, Transportation Systems, & Water & Wastewater Systems.^[3]

The practical scope of this definition became clear during COVID-19. CISA's "essential critical infrastructure workers" guidance expanded the functional definition to include automotive repair, retail groceries, call centers, & logistics.^[12] Under SB26-090's logic, a $20 network switch used in a federal office building could be "critical infrastructure." A Dell laptop at the Pentagon. A printer at a hospital. The bill's definition doesn't draw a line between a server running a power grid & a network switch on a desk.

The bill also doesn't define "information technology equipment." Gay Gordon-Byrne, executive director of the Repair Association, testified at the committee hearing: "I can point out at least five problems with the bill as drafted. The definition of critical infrastructure is completely inadequate. The definition that has been proposed in this bill is not even a definition."^[2]

The bill uses the phrase "intended for use in critical infrastructure" but doesn't specify who decides whether a product meets that threshold & doesn't define "information technology equipment."^[2]

Nathan Proctor, leader of PIRG's national right to repair campaign, called the framing cynical: "The 'information technology' and 'critical infrastructure' thing is as cynical as you can possibly be about it. It sounds scary to lawmakers, but it just means the internet."^[2]

Cisco is the primary corporate backer of SB26-090. iFixit described the company as "the biggest voice in support" of the exemption.^[6] Consumer-grade internet/video/voice routers are already exempt from HB24-1121.^[8] SB26-090 would create an additional, broader exemption covering enterprise networking equipment.^[6]

Cisco's Non-Entitlement Policy states that "unauthorized repair voids the Cisco Warranty Entitlement" & that the company "does not offer or provide any replacement or spare parts to third-party service repair businesses."^[13] Third-party repairs are listed as "grounds for Cisco to cancel service or warranty support."^[13] The Magnuson-Moss Warranty Act (15 U.S.C. Section 2302(c)) prohibits manufacturers from conditioning warranty coverage on the use of a specific service provider or brand of replacement part.^[14]

At the committee hearing, a Cisco representative stated: "Cisco supports SB-90. While it appreciates the arguments offered in favor of the right to repair, not all digital technology devices are equal."^[2]

IBM is also supporting the bill. An IBM spokesperson told Wired: "IBM supports right-to-repair policies that empower consumers while protecting cybersecurity, intellectual property, and critical infrastructure. Given the critical and often sensitive nature of enterprise-level products, any legislation should be clearly scoped to consumer devices."^[2]

The Colorado Secretary of State's Online Lobby System lists 68 lobbying registrations on SB26-090: 40 supporting, 11 opposing, 15 monitoring, & 2 other.^[15]

Twenty of the 40 supporting registrations (50%) come from lobbyists registered under two different clients on the same bill.^[15] HB Strategies registered eight lobbyists for IBM on February 11, 2026: Erin Goff, Micki Hackenberger, HB Strategies (the firm itself), Carrie Hackenberger, J. Andrew Green & Assoc., Lisa LaBriola, Elizabeth Lo, & Kevin Neimond.^[15] Nineteen days later, on March 2, the same eight registered for the Colorado Springs Chamber & EDC.^[15] That produced 16 registrations from one firm.

Josh Hanfling & Sewald Hanfling Public Affairs registered for both Cisco & the Colorado Technology Association, adding four more duplicate registrations.^[15] Jeffrey Weist & Weist Capitol Group, Inc. registered on the same day (February 18) for two separate cable industry trade groups with nearly identical names: the Colorado Cable Telecommunications Association & the Colorado Cable Television Association.^[15] Three clusters of double-dipping: HB Strategies (16 registrations from 8 names across two clients), Sewald Hanfling (4 registrations from 2 names across two clients), & Weist (2 clients with almost the same name on the same day).

The registrations arrived in waves. Cisco's in-house lobbyist Joseph Lee registered on February 10, the same day the bill was introduced.^[15] IBM's eight HB Strategies lobbyists registered the next morning. A lobbyist can't file a position on a bill that hasn't been introduced; same-day and next-day registrations from two separate companies indicate both had advance knowledge of the bill before it was publicly filed. Cisco's outside firm (Sewald Hanfling), the cable associations, & the Denver Metro Chamber registered between February 16 & 18. The Colorado Springs Chamber added its matching HB Strategies team on March 2. The Colorado Technology Association added Sewald Hanfling on March 5-6. TechNet registered five lobbyists on March 12. The Colorado Chamber of Commerce was last, 44 days after introduction, on March 26.^[15]

At least $362,735 in known lobbying spending backs this exemption.^[16] Four of the ten supporting organizations have spending data on file with the Colorado Secretary of State. The other six (TechNet, Denver Metro Chamber, Colorado Chamber, both cable associations, & FGR Hub) don't appear in the database during this period, & March & April 2026 filings are not yet available.

Lobbying payments from SB26-090 supporting organizations, October 2024 through February 2026

Organization	Total paid to Colorado lobbyists	Lobbying firm
Cisco	$127,854[17]	Sewald Hanfling Public Affairs
Colorado Technology Association	$116,000[18]	Sewald Hanfling Public Affairs
IBM	$74,570[19]	HB Strategies + in-house
Colorado Springs Chamber & EDC	$44,311[20][21]	HB Strategies + Weaver Strategies
Total	$362,735

Cisco paid Sewald Hanfling $6,500 per month for at least 14 of the 15 months between October 2024 & December 2025. In January 2026, the payment jumped to $7,500; SB26-090 was introduced on February 10.^[17][9]

IBM paid HB Strategies $72,500 in 13 payments between October 2024 & February 2026. IBM's in-house lobbyist Alexi Madon reported another $2,069.76 over three months.^[19]

The Colorado Technology Association paid $116,000 to Sewald Hanfling, the same firm Cisco pays.^[18] The Colorado Springs Chamber & EDC paid $44,311 split between HB Strategies & Weaver Strategies.^[20][21]

Micki Hackenberger, who runs HB Strategies, reported $510,922.50 in personal lobbying income for the year ending June 2025.^[22]

Hackenberger also personally donated to four of the five SB26-090 sponsors & committee members who received lobbying network money: $400 to Catlin, $450 to Hartsook, $225 to Snyder, & $450 to Carson.^[23] The only recipient she didn't donate to was Danielson, who received $3,800 from Sewald Hanfling instead.^[24]

J. Andrew Green & Assoc. is registered as IBM's lobbyist on SB26-090, but the state income database shows zero payments from IBM to Green.^[25] Green reports $14,840 from HB Strategies in January 2026.^[26] HB Strategies collects from both IBM & the Colorado Springs Chamber, then subcontracts Green from that pool.

The five organizations opposing the bill (CoPIRG, Eco-Cycle, Repair.org, the Digital Right to Repair Coalition, & NFIB) have zero disclosed lobbying spending in the same database during 2024-2026.^[16]

Lobbyists & firms registered to support SB26-090 donated a total of $15,725 to the bill's three sponsors & five committee members between 2024 & early 2026.^[27][28][29]

On December 19, 2025, Josh Hanfling of Sewald Hanfling Public Affairs donated $450 to the Committee to Elect Marc Snyder.^[30] Snyder sponsored SB26-090 53 days later. Cisco pays Hanfling's firm $7,500 per month, and Hanfling is registered as Cisco's lobbyist on the bill.^[17][15] The donation amount is small; the timeline connecting Cisco's lobbyist to a bill sponsor weeks before introduction is the pattern.

Donations from SB26-090 lobbying network to sponsors & committee members

Firm	SB26-090 client(s)	Total	Recipients
Sewald Hanfling Public Affairs	Cisco, CO Tech Assn	$6,225[27]	Danielson, Carson, Snyder, Hartsook, Liston
Brandeberry McKenna Public Affairs	CO Springs Chamber	$3,650[28]	Danielson, Carson, Snyder, Liston, Catlin
HB Strategies / Husch Blackwell	IBM, CO Springs Chamber	$3,575[29][31]	Carson, Snyder, Hartsook, Catlin, Liston
Colorado Chamber PAC	(self)	$1,800[32]	Snyder, Hartsook, Liston, Catlin
J. Andrew Green & Assoc.	IBM (via HB subcontract)	$450[33]	Carson
Weaver Strategies	CO Cable Television Assn	$450[34]	Carson, Liston

R.D. Sewald & Josh Hanfling of Sewald Hanfling Public Affairs donated a combined $3,800 to committee chair Jessie Danielson across four transactions:^[24]

Date	Donor	Amount	TRACER RecordID
September 24, 2024	R.D. Sewald	$450	6858173
September 24, 2024	Joshua Hanfling	$450	6858175
July 15, 2025	Joshua Hanfling	$1,450	7092122
November 4, 2025	R.D. Sewald	$1,450	7186003

Danielson chairs the Senate Business, Labor, & Technology Committee. She voted to advance SB26-090 on April 2, 2026.^[9]

On September 4, 2024, Jenifer Brandeberry & Julie McKenna of Brandeberry McKenna Public Affairs each donated $450 to committee member Senator Marc Catlin (RecordIDs 6851546, 6851547).^[35] Two days later, on September 6, four employees of Husch Blackwell Strategies (the parent company behind HB Strategies) donated to Catlin on the same day: Micki Hackenberger ($400, RecordID 6851545), Elizabeth Lo ($250, RecordID 6851542), Erin Goff ($200, RecordID 6851535), & Kevin Neimond ($100, RecordID 6851531).^[35] Six lobbyists from two firms, all later registered on SB26-090, donated $1,850 to the same senator within 48 hours. Catlin voted to advance the bill.^[9]

Donations from SB26-090 lobbying network by recipient

Legislator	Role	Total received	Number of donors
Jessie Danielson	Committee Chair (D)	$4,300[33]	4
Larry Liston	Committee Member (R)	$2,850	7
Marc Snyder	Bill Sponsor (D)	$2,525	7
Marc Catlin	Committee Member (R)	$2,300	7
John Carson	Bill Sponsor (R)	$1,900	7
Anthony Hartsook	Bill Sponsor (R)	$1,850	5
Nick Hinrichsen	Committee Vice Chair (D)	$0	0
Iman Jodeh	Committee Member (D)	$0	0

Senators Nick Hinrichsen & Iman Jodeh received zero donations from any SB26-090 lobbying firm, PAC, or corporate employee in the 2024-2026 TRACER data.^[36][37] Both sit on the committee. Both voted to advance the bill.^[9]

Colorado law doesn't require lobbyists to break down spending by bill.^[38] The $362,735 figure is total client payments to their lobbyists during this period; the connection to SB26-090 comes from separate position filings where those same lobbyists registered as supporting the bill.^[15][16] There is no single database where a citizen can type in "SB26-090" & see how much Cisco spent to support it.

Three separate systems hold the data: the Secretary of State's Online Lobby System (lobbying registrations & bill positions), the Professional Lobbyist Income dataset on Colorado's open data portal (monthly payments from clients to lobbyists), & TRACER (campaign donations).^[38] Connecting a corporation's lobbying money to a specific vote requires pulling data from all three & matching records by hand.

Colorado law allows lobbyists to donate to legislators they lobby, as long as the donation falls outside the regular legislative session (C.R.S. 1-45-105.5).^[39] SB25-148, a bill to ban lobbyist donations to legislators year-round, was killed by the Senate Committee on State, Veterans, & Military Affairs in March 2025.^[40] Twelve months later, SB26-090's lobbyists had donated $15,725 to the bill's sponsors & committee members.^[27][28][29]

Manufacturers backing SB26-090 argue that sharing diagnostic tools, firmware, & schematics for enterprise infrastructure could enable bad actors to exploit vulnerabilities.^[2] iFixit CEO Kyle Wiens testified at the hearing: "There's a general principle in cybersecurity that obscurity is not security. The money that's behind the scenes, that's what's driving the bill."^[2]

Cybersecurity researchers directly dispute the manufacturer framing. Security researcher Billy Rios & threat researcher Andrew Brandt spoke against the exemption on the Securepairs podcast.^[6] Paul Roberts, chief of The Security Ledger & founder of Securepairs.org, stated: "A vibrant and healthy market for repair isn't a cybersecurity risk. In fact, it should be considered a cybersecurity imperative!"^[6]

Repair advocates also point out that restricting independent repair makes critical infrastructure less secure, not more. If a piece of critical networking equipment fails, the operator needs to fix it immediately rather than wait for manufacturer approval & a service contract dispatch.^[2]

The April 2, 2026 hearing before the Senate Business, Labor, & Technology Committee drew over a dozen repair advocates who testified against the bill.^[2] Organizations represented included iFixit, CoPIRG, the Repair Association, & PIRG's national campaign. Repair advocate Louis Rossmann was also present.^[2]

Katz, who described Colorado as having "the broadest repair rights in the country," warned that the bill "is a bad policy and would be a big step back for Coloradans' repair rights."^[2] Gordon-Byrne pointed to at least five drafting problems.^[2]

During the hearing, bill sponsor Senator John Carson stated the following:

"And I want to note that when Governor Polis signed House Bill 24-1121, when he signed it into law, he issued a directive in his signing statement that the law should be fixed before its implementation date of January 1, 2026. He noted that Colorado is the only state in the nation that requires devices used for critical infrastructure be included in their repair law. So we're running this bill to fix a critical mistake made in the original law and protect our devices from malicious attacks."^[41]

No such directive exists. Governor Polis's official press release on signing HB24-1121, dated May 28, 2024, contains no mention of critical infrastructure, no directive to "fix" the law, and no statement that Colorado is an outlier.^[42] Polis's actual statement read:

"Protecting our right to repair our own broken equipment will save money, strengthen small businesses, and reduce technology waste."^[42]

The press release links to the formal signing statement; neither document contains any conditional language regarding critical infrastructure or a mandate to amend the law before its effective date.

The specific framing Carson attributed to the Governor, that the law "should be fixed" to exclude critical infrastructure before January 1, 2026, matches the exact purpose of SB26-090, a bill Carson himself sponsors.

Despite unanimous opposition from repair advocates, the committee voted 5-0 to advance the bill.^[2] The five yes votes came from legislators whose campaigns collectively received $15,725 from the bill's lobbying network.^[27][28][29]

Proctor, speaking after the vote, said: "This only hardens my resolve. We cannot stop until this problem is addressed. In practice everywhere, people need to be able to fix their stuff. This is proof that we have to keep going."^[2]

The Department of Defense has been fighting manufacturer repair restrictions on its own equipment.^[43]

On June 10, 2025, Navy Secretary John Phelan testified before the Senate Armed Services Committee: "I am a huge supporter of right to repair."^[44] Phelan described conditions aboard the aircraft carrier USS Gerald R. Ford, where six of the ship's eight ovens broke down. The ship serves 15,300 meals per day. Sailors were capable of fixing the ovens but were contractually forbidden from doing so; the Navy had to wait for a private contractor to arrive.^[45]

Army Secretary Dan Driscoll made a similar point at the Association of the U.S. Army convention in October 2025. He held up a broken fin from a Black Hawk helicopter's external fuel tank. The vendor charged over $144,000 for a replacement.^[46] Driscoll's team reverse-engineered the part & 3D-printed it in 43 days for $3,000.^[47][46] In June 2025 testimony before the House Armed Services Committee, Driscoll stated: "On a go-forward basis, we have been directed to not sign any contracts that don't give us a right to repair."^[43]

Congress responded with the Warrior Right to Repair Act. Senator Elizabeth Warren (D-MA) & Senator Tim Sheehy (R-MT) introduced S. 2209 on July 8, 2025; Representative Marie Gluesenkamp Perez (D-WA) co-led the companion H.R. 5155 in the House.^[48][49] The bill would require defense contractors to provide the DoD with fair & reasonable access to technical data, software, tools, & manuals for in-house repair.^[49] Language supporting these principles was incorporated into both House & Senate versions of the FY26 National Defense Authorization Act.^[48]

Both service secretaries publicly called for right to repair protections for military equipment in the same year that Cisco & IBM backed SB26-090 in Colorado.^[43][2][44]

Colorado isn't the only state where manufacturers have tried to exempt enterprise equipment from repair laws.

In 2025, the Texas legislature passed HB2963, a right to repair bill signed on June 20, 2025 & effective September 1, 2026. The bill used the identical USA PATRIOT Act critical infrastructure exemption (42 U.S.C. 5195c(e)) as SB26-090, along with additional exemptions for medical devices & heavy equipment.^[50]

Most states that have passed repair laws, including Oregon, New York, California, & Minnesota, exempted business-to-business equipment from the start.^[1]

As of 2026, right to repair bills have been introduced in every U.S. state & passed in eight.^[2]

• Right to Repair
• Parts pairing
• Magnuson-Moss Warranty Act
• Cisco
• Repair Association
• iFixit