The most aggressive right-to-repair law in the United States has been in effect for exactly three months. Cisco and IBM are already trying to kill it.

Colorado's Consumer Right to Repair Digital Electronic Equipment Act (HB24-1121) passed in 2024 and took effect in January 2026. It gave consumers and independent repair shops the legal right to access parts, tools, and documentation to fix their own electronics - the same rights that authorized repair centers have. It was the most comprehensive law of its kind anywhere in the country.

Now, a new bill called SB26-090 - titled "Exempt Critical Infrastructure from Right to Repair" - is moving through the Colorado Senate. It passed out of the Senate Business, Labor, and Technology Committee unanimously on April 4, 2026. It could reach a full Senate floor vote within days.

The bill has a clean, technocratic name. What it does is far messier. It would exempt any "information technology equipment intended for use in critical infrastructure" from Colorado's repair rights law. The problem, according to repair advocates, cybersecurity researchers, and legal experts: the phrase "critical infrastructure" is so loosely defined in the bill's text that it could cover virtually any enterprise technology product in existence.

Colorado right-to-repair legislative timeline

Colorado's repair rights framework built up over four years - SB26-090 is the first serious rollback attempt. (BLACKWIRE / PRISM)

The Bill and What It Actually Says

SB26-090 modifies Colorado's existing consumer electronics repair law by creating an exemption category. The bill removes protection for "information technology equipment that is intended for use in critical infrastructure." That language comes from a 2001 federal statute that defined critical infrastructure as systems "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety."

The problem with borrowing that definition is that it was written for post-9/11 national security policy - not for consumer protection law. In 2001, nobody was thinking about whether a data center server counted as "critical infrastructure" for the purpose of whether the guy who owns it gets to fix it himself.

"The definition of critical infrastructure is completely inadequate," Gay Gordon-Byrne, executive director of the Repair Association, told the Colorado Senate committee during Friday's hearing. "The definition that has been proposed in this bill is not even a definition."

The repair advocacy community's concern is specific and structural: the bill does not define who gets to determine whether a given piece of equipment falls under "critical infrastructure." The plain reading of the text would allow manufacturers to self-certify their own products as exempt. A Cisco router deployed at a mid-size company? Critical infrastructure. An IBM server sitting in a hospital basement? Critical infrastructure. A computer used by a financial firm? The manufacturer could argue it qualifies.

"It leaves it up to the manufacturers to determine which items they will need to provide repair tools and parts to owners and independent repairers and which ones they don't. This is bad policy and would be a big step back for Coloradans' repair rights." - Danny Katz, Executive Director, CoPIRG, April 4, 2026

Danny Katz, head of CoPIRG and a driving force behind Colorado's original repair legislation, called the bill's language "the broadest possible interpretation." He argued that under the bill's framing, "information technology" - a term not clearly defined - could extend far beyond traditional enterprise hardware and encompass virtually any connected device in a business context.

The bill cleared committee with unanimous support from the lawmakers present. It now faces floor votes in both the Colorado Senate and House. Those votes could happen as early as next week.

What the critical infrastructure exemption covers

The bill's vague language could cover far more than intended - or exactly what the lobbying companies intended. (BLACKWIRE / PRISM)

Follow the Money - Who Is Backing This

The bill's supporters are not obscure. Lobbying disclosures filed with the Colorado legislature identify Cisco and IBM as companies that have registered support for SB26-090. Both companies have direct financial interests in controlling who can repair their products and what tools are available to do so.

Cisco is the dominant player in enterprise networking gear - routers, switches, firewalls, and the infrastructure backbone of corporate America. The company's service and maintenance revenue stream depends substantially on customers being unable to repair or reconfigure hardware themselves without Cisco-certified technicians. When independent repair shops can legally access the same diagnostic tools and replacement parts that Cisco's own repair centers use, the premium Cisco charges for official service contracts erodes.

IBM's stake is similar but concentrated in the high end of the market. The company's mainframe business - including its z-series systems that run the backbone of global banking and government computing - operates on a service model that has historically kept tight control over spare parts and maintenance access. IBM has fought repair legislation in multiple jurisdictions. The company's position in its statement to WIRED was carefully hedged: "IBM supports right-to-repair policies that empower consumers while protecting cybersecurity, intellectual property, and critical infrastructure." The carveout framing does a lot of work in that sentence.

Corporate interests behind repair law rollback

The companies backing SB26-090 have measurable financial stakes in keeping repair rights restricted. (BLACKWIRE / PRISM)

Cisco's representative at the committee hearing was direct: "Cisco supports SB-90. While it appreciates the arguments offered in favor of the right to repair, not all digital technology devices are equal." The statement acknowledges the merit of repair rights in the abstract while carving out a category vast enough to absorb much of the equipment Cisco actually sells.

What neither company addressed in their public statements: the bill was introduced three months after Colorado's repair law came into force. The timing is not subtle. The legislation gives Cisco and IBM's commercial hardware a retroactive exemption from a law that was already on the books and already enforceable. It is, functionally, a rollback disguised as a clarification.

"The money that's behind the scenes - that's what's driving the bill." - Kyle Wiens, CEO, iFixit, Colorado Senate hearing, April 4, 2026

The Cybersecurity Argument - and Why Experts Reject It

The manufacturers' central argument is that right-to-repair laws create security vulnerabilities. If anyone can access repair tools and diagnostic software for enterprise networking equipment, those same tools could theoretically be used by malicious actors to probe or compromise the hardware. Cisco made this argument explicitly during the committee hearing, citing concerns about bad actors using repair access to attack critical network infrastructure.

It sounds reasonable at first. It falls apart under scrutiny.

Manufacturers security argument vs security community reality

The cybersecurity argument used to block repair legislation has been rejected by independent security researchers for years. (BLACKWIRE / PRISM)

Kyle Wiens, CEO of iFixit - the company that has become the de facto technical encyclopedia for device repair and a major legislative advocate - put the rebuttal cleanly: "There's a general principle in cybersecurity that obscurity is not security."

This is not a fringe position. Security-through-obscurity - the idea that keeping system internals secret makes them more secure - has been debunked in professional security research for decades. The principle dates back at least to Kerckhoffs's principle from 1883, which holds that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge. Modern security practice extends this: open systems that allow broad scrutiny tend to be more secure than closed systems, because vulnerabilities get found and fixed faster when more people can examine the hardware and software.

The practical argument runs deeper. When repair of critical infrastructure equipment is restricted to manufacturer-certified channels, a break in that supply chain - a shortage of authorized technicians, a manufacturer going bankrupt, a service dispute, a natural disaster - means the infrastructure stays broken. Independent repair capability is a resilience layer, not a vulnerability.

Colorado already faced this reality during the COVID-19 pandemic, when hospital equipment manufacturers sometimes refused to provide repair documentation to hospital engineering staff trying to fix life-critical devices in the middle of a shortage of manufacturer technicians. The cases were widely documented and directly contributed to the political momentum that eventually produced Colorado's repair legislation.

Nathan Proctor, who leads PIRG's national right-to-repair campaign, was blunt about the security framing at the committee hearing: "The 'information technology' and 'critical infrastructure' thing is as cynical as you can possibly be about it. It sounds scary to lawmakers, but it just means the internet."

Nathan Proctor quote on SB26-090

PIRG's national repair campaign leader at the Colorado Senate hearing, April 4, 2026. (BLACKWIRE / PRISM)

What Was Built - and What Is Now at Risk

Colorado did not pass one right-to-repair law. It built a framework over four years, covering multiple categories of equipment, each targeted at documented harms consumers were experiencing.

In 2022, Colorado passed HB22-1031, the first law of its kind in the country, guaranteeing wheelchair users and people who rely on powered mobility equipment the right to repair and modify their own devices without voiding warranties or losing access to parts. The legislation came directly out of documented cases where disabled people were waiting months for manufacturer-authorized repairs on powered wheelchairs they couldn't live without.

In 2023, HB23-1011 extended repair rights to agricultural equipment - a battle that had been fought nationally for years, most visibly through the John Deere controversy that saw farmers unable to diagnose basic problems with tractors because the diagnostic software was proprietary. In 2024, HB24-1121 extended these protections to consumer electronics broadly, creating the most comprehensive repair rights framework in the United States.

Right to repair laws across the United States 2026

Repair rights have passed in eight states. Colorado's is the broadest. SB26-090 would be the first rollback of an existing state repair law. (BLACKWIRE / PRISM)

That law took effect on January 1, 2026. Three months later, SB26-090 appeared.

The sequence matters. Under the consumer electronics repair act, equipment owners and independent repair shops in Colorado gained the right to access the same diagnostic tools, replacement parts, and repair documentation that manufacturer-authorized service centers use. For enterprise customers - companies running Cisco routers or IBM servers - this meant they could potentially hire independent technicians or develop in-house repair capabilities rather than being locked into manufacturer service contracts.

SB26-090 would take that right away, retroactively, for any equipment a manufacturer decides to classify as "critical infrastructure" technology.

What SB26-090 Changes

Before SB26-090: Colorado's HB24-1121 (in effect since January 2026) requires manufacturers of digital electronic equipment to provide owners and independent repair shops with the same access to parts, tools, and documentation as authorized repair centers. No carve-outs for enterprise hardware.

After SB26-090 (if passed): Any "information technology equipment intended for use in critical infrastructure" is exempt from the repair rights requirement. No clear definition of "critical infrastructure" in the bill. No process for challenging a manufacturer's self-classification. Manufacturers can opt out of the law for any equipment they sell to business customers.

The Hearing - Voices in the Room

Friday's committee hearing drew more than a dozen speakers opposing the bill from organizations including the Repair Association, iFixit, CoPIRG, and independent repair advocates. The opposition was organized, specific, and technically grounded. The support was brief and corporate.

Louis Rossmann, a YouTube creator and repair advocate with roughly 3 million subscribers who has documented manufacturer anti-repair practices for years, was present at the hearing. His presence reflected the degree to which right-to-repair has become a consumer movement with genuine grassroots depth, not just a policy debate among lobbyists.

The Repair Association's Gay Gordon-Byrne identified at least five specific legal problems with the bill as drafted. Beyond the definitional issues, she raised concerns about how the exemption interacts with existing federal definitions, how enforcement would work, and what recourse a consumer would have if they believed a manufacturer had incorrectly self-classified equipment to avoid repair obligations.

The answer, under the bill as written, appears to be: none. There is no challenge mechanism. No regulatory body is assigned to audit manufacturer self-classifications. A company could decide that routers it sells to small businesses qualify as critical infrastructure technology, and under the bill's current text, there is no formal process to contest that.

"I can point out at least five problems with the bill as drafted. The definition of critical infrastructure is completely inadequate." - Gay Gordon-Byrne, Executive Director, The Repair Association, Colorado Senate hearing, April 4, 2026

Despite the organized opposition, the committee voted unanimously to advance the bill. The dynamics of committee rooms explain some of this. "Critical infrastructure" is a phrase that carries enormous weight in a post-9/11 legislative environment. Cisco and IBM have built their public positions around phrases like "protect national security" and "enterprise-grade equipment." Repair advocates are arguing about vague definitions and implementation gaps - technically correct, but harder to sell in a committee room against polished corporate lobbying language.

The bill's path to a floor vote is now clear. Amendments remain possible, but the committee's unanimous vote did not include any demands for the definitional tightening that critics are calling for.

The Economics - Why Repair Rights Are Worth Billions

The dollar stakes explain why Cisco and IBM are investing political capital in this fight.

Economics of repair vs replacement

The cost gap between repair and replacement is why manufacturers fight repair rights legislation so aggressively. (BLACKWIRE / PRISM)

Cisco's global services revenue - which includes maintenance contracts, technical support, and managed services - runs to roughly $15 billion per year. A significant portion of that revenue comes from service contracts on enterprise networking equipment that customers are legally or practically unable to maintain themselves. When a customer can hire an independent technician with access to the same diagnostic tools as a Cisco-certified engineer, the value proposition of a premium Cisco service contract weakens significantly.

IBM's situation is comparable, with an added layer. IBM mainframes - the z-series systems that process the majority of the world's financial transactions - have historically been supported through IBM's own services division with very limited third-party access. The hardware is extremely expensive (entry-level z-series systems start around $200,000; high-end configurations reach millions of dollars). Repair costs from IBM-certified engineers are priced accordingly. Independent third-party maintenance companies do exist for IBM hardware, but they operate in a constrained environment. Any expansion of repair rights would pressure IBM's service pricing on its most lucrative hardware category.

For consumers and enterprises on the other side of this equation, the numbers matter too. The Repair Association estimates that households save an average of $330 annually by repairing rather than replacing electronics. Consumer Reports surveys consistently find that repair options are a significant factor in purchasing decisions. For enterprise customers, the economics are even more pronounced - a server board that costs $8,000 to replace through official channels can often be repaired for $1,200 by an independent technician with access to appropriate tools.

That gap - between repair cost and replacement cost - is precisely what manufacturers are protecting. SB26-090 is a legal mechanism to ensure that gap stays in place for the most profitable segment of the market.

What Happens Next - National Implications

The vote on SB26-090 in the Colorado Senate and House could come as early as next week. If the bill passes in its current form, it sets a precedent with implications far beyond Colorado.

Colorado has been the leading state on repair rights legislation since 2022. The sequence of bills it passed became a template that other states referenced when drafting their own legislation. If Colorado's law can be partially rolled back three months after implementation - using a vague "critical infrastructure" carve-out backed by corporate lobbying - other states will face similar attempts on their own repair legislation.

The Repair Association's legislative template for 2026 explicitly addresses the kind of maneuver SB26-090 represents. The updated template includes language specifically designed to prevent manufacturers from self-declaring exemptions and requires clear definitions of any excluded product categories. The gap between that template and the current Colorado bill is stark: SB26-090 does the opposite of what the 2026 repair rights framework recommends.

2022
Colorado passes HB22-1031 - first US wheelchair repair rights law. Sets template for future legislation across the country.
2023
HB23-1011 extends rights to agricultural equipment. John Deere fights it nationally and eventually partially settles under pressure.
2024
HB24-1121 passes - broadest consumer electronics repair law in the US. Covers parts, tools, and documentation.
January 2026
HB24-1121 takes effect. Colorado officially has the strongest repair rights framework in the country.
April 4, 2026
SB26-090 passes Senate committee unanimously. Cisco, IBM listed as supporters in lobbying disclosures. Floor vote expected within days.
Coming: Colorado Senate and House floor vote
If passed and signed, SB26-090 would be the first rollback of a state repair rights law in US history. Other states will face similar attempts.

Nathan Proctor's response to the committee vote underscored the movement's resolve: "This only hardens my resolve. We cannot stop until this problem is addressed. In practice everywhere, people need to be able to fix their stuff. This is proof that we have to keep going."

The fight is also playing out at the federal level. The Repair Association has been pushing for federal legislation that would address the digital rights management barriers that often underpin manufacturer anti-repair strategies - specifically the provisions of the Digital Millennium Copyright Act that manufacturers use to argue that bypassing software locks to perform repairs constitutes copyright infringement. State laws can require manufacturers to provide parts and documentation, but they cannot override federal law when manufacturers invoke DMCA protections over repair software.

The interplay between state and federal law creates a structural floor that manufacturers have learned to exploit. Right-to-repair advocates have been pushing for years to carve out a DMCA exemption specifically for repair. Until that happens, even the strongest state laws operate with a built-in vulnerability.

SB26-090 is corporate America discovering a different angle of attack: rather than fighting repair rights at the federal level - where public opinion is overwhelmingly supportive (84% of Americans back repair rights, according to Consumer Reports) - you carve out exceptions at the state level, cloaked in national security language, targeted at the categories of equipment where the financial stakes are highest.

It is a tactically sophisticated move. The language is vague by design. The timing - three months after the law took effect - is deliberate. The sponsoring companies are not fly-by-night operators but two of the most politically connected tech corporations in the United States.

Whether Colorado's full legislature ratifies SB26-090 will say something significant about whether the right-to-repair movement's four years of state-level work can survive the counter-offensive from the industry it disrupts. The movement built its framework bill by bill, category by category, documented harm by documented harm. The companies fighting it are betting that a single bill with a scary-sounding name can undo the most important piece of that work before most people notice it happening.

Get BLACKWIRE reports first.

Breaking news, investigations, and analysis - straight to your phone.

Join @blackwirenews on Telegram

Sources