Imagine your small business’s network router fails on a Monday morning. Under Colorado’s current right-to-repair law, you could take it to an independent shop or fix it yourself using manufacturer-provided parts and documentation. But under a bill now moving through the Colorado legislature, that same router could be reclassified as “critical infrastructure” IT equipment — exempt from repair protections entirely — simply because it connects to a network that touches one of sixteen federally defined infrastructure sectors. Your only option: wait for the manufacturer’s authorized technician and pay whatever they charge. That scenario is what repair advocates say is at stake as enterprise technology companies push to carve out sweeping exemptions from the state’s landmark repair laws.
The fight over this bill matters well beyond Colorado’s borders. It reveals a pattern that plays out across industries whenever regulation threatens manufacturer control: corporate lobbying reframes consumer rights as security risks, and legislators face pressure to carve out exemptions so broad they swallow the rule. The space and defense industries know this dynamic well, and the tactics being deployed in Denver should look familiar to anyone who has watched how contractors protect repair monopolies on government and commercial systems.
What Colorado Built
Since 2022, Colorado has assembled one of the most expansive sets of right-to-repair laws in the country. The state has passed legislation covering powered wheelchairs, agricultural farming equipment, and consumer digital electronics. The 2024 consumer electronics law, HB24-1121, requires manufacturers to provide consumers and independent repair shops with the tools, parts, and documentation needed to fix their own devices — making Colorado one of only a handful of states where those rights are codified across multiple product categories.
Colorado is not alone in pushing repair protections forward. According to the U.S. PIRG Education Fund, repair bills have been introduced in all fifty states, and at least ten have signed repair legislation into law as of early 2026. But Colorado’s laws are among the most sweeping, which makes them an attractive target for rollback.
The Corporate Counterattack
The proposed bill would exempt “critical infrastructure” IT equipment from the state’s recent repair law. The bill’s coalition of supporters includes companies such as Cisco, Palo Alto Networks, and other enterprise technology firms, according to iFixit and testimony submitted during committee hearings. Their stated rationale centers on cybersecurity and intellectual property. In written testimony, industry representatives argued they support right-to-repair policies that empower consumers while protecting cybersecurity, intellectual property, and critical infrastructure.
The framing is strategic. Few legislators want to vote against measures framed as protecting critical infrastructure. The problem is that the bill’s definitions are so elastic they could cover almost anything connected to a network. The bill borrows the term “critical infrastructure” from the Department of Homeland Security’s framework, which defines sixteen sectors — including communications, information technology, and financial services — as vital to national security. That framework was designed for power grids, water treatment plants, and telecommunications networks. When applied to state-level repair law, the sixteen-sector taxonomy is broad enough to arguably encompass any enterprise router, firewall, or managed switch deployed in a bank branch, a hospital network, or a university data center.
As Gay Gordon-Byrne, executive director of the Repair Association, has argued publicly, terminology like “information technology” and “critical infrastructure” is designed to sound threatening to lawmakers while potentially sweeping in routine internet-connected devices that have nothing to do with national security.
The Security Argument Doesn’t Hold Up
The cybersecurity justification is the centerpiece of the industry push, and it’s also the weakest part of the case. The argument runs like this: if unauthorized parties can access repair tools and technical documentation for IT equipment, they could exploit vulnerabilities in systems that support critical infrastructure.
Security researchers have heard this argument before, and the overwhelming consensus rejects it. Kerckhoffs’s principle — the foundational cryptographic concept that a system’s security should depend on its keys, not on the secrecy of its design — has been a bedrock of information security since the nineteenth century and is endorsed by organizations from NIST to the Electronic Frontier Foundation. Hiding how a system works does not make it secure. Finding and fixing vulnerabilities does. A 2022 SecurePairs.org coalition letter signed by dozens of security researchers directly challenged the claim that restricting repair access improves cybersecurity, arguing instead that manufacturer repair monopolies delay vulnerability patching and leave systems exposed longer.
During Colorado legislative committee hearings on the bill, multiple independent repair professionals and advocacy organizations testified against the proposed exemption. Nathan Proctor, who leads the U.S. PIRG right-to-repair campaign, has stated directly that the financial interests of manufacturers — not genuine security concerns — are driving this legislation.
The Playbook Is Familiar
What is happening in Colorado follows a well-worn pattern. When manufacturers can’t stop repair legislation outright, they work to hollow it out through exemptions. The defense and space sectors have long operated on similar logic, where original equipment manufacturers argue that only authorized service providers can safely maintain complex systems. Sometimes that argument is legitimate. A satellite’s propulsion system is not the same as a networking switch in an office building.
But the distinctions matter enormously. When the exemption language is vague enough to cover any equipment connected to a network, the repair law stops protecting the people it was designed to help. An enterprise router is not a power grid. A network switch in a hospital’s IT closet is not a nuclear reactor’s control system. Conflating them serves the manufacturers, not the public.
The space industry has its own version of this tension. Companies that build satellite components or ground station equipment often restrict repair and modification rights through licensing agreements and proprietary documentation. The justification is always the same: safety, security, reliability. Sometimes that justification is warranted. But the default posture of manufacturer control, absent specific evidence of harm from independent repair, protects revenue streams more than it protects infrastructure.
What Happens Next in Colorado
The proposed exemption bill is making its way through the Colorado legislature, and repair advocates are organized and vocal. Right-to-repair bills are making a comeback across the country in 2026, and the movement has built significant public support. Colorado’s outcome could set the template for how other states handle industry pushback.
The bill’s vague language is its greatest vulnerability in public debate and its greatest asset in legislative maneuvering. If supporters can frame it narrowly as protecting power plants and water systems, it becomes politically difficult to oppose. If opponents can demonstrate that it effectively exempts any enterprise technology product from repair requirements, the bill looks like what repair advocates say it is: a corporate carve-out dressed up in national security language.
The stakes are real. Colorado’s recent repair law was designed to ensure that consumers and independent shops could fix the devices they own. If the definition of “critical infrastructure” expands to absorb enterprise IT equipment broadly, a significant category of devices — the routers, switches, firewalls, and servers that small businesses, schools, and local governments depend on — would revert to the old model: manufacturers controlling who can repair them, at what price, and on what timeline.
The Bigger Pattern
Right-to-repair legislation has gained momentum because consumers and businesses alike recognized a basic problem. When only the manufacturer can repair a product, repair costs rise, timelines stretch, and equipment sits idle. Farmers waiting weeks for a John Deere technician. Hospitals paying premium rates for authorized service on medical devices. Small businesses unable to get a server rack fixed without a manufacturer-approved contractor.
The states that have passed repair laws represent a growing consensus that manufacturer repair monopolies impose real costs on consumers and the economy. That consensus is being tested in Colorado by an industry that has enormous resources and strong institutional relationships with legislators. Companies like Cisco reported over $57 billion in revenue in fiscal year 2024, with services — including maintenance contracts and technical support — representing a substantial and growing share. Cybersecurity is the framing. Revenue protection is the motive.
Colorado built something ambitious with its repair laws. Whether it can defend those laws against well-funded efforts to dismantle them piece by piece will tell us a great deal about whether right-to-repair can survive the transition from legislative victory to durable policy.
The answer matters far beyond consumer electronics. Any industry that relies on complex, networked equipment, from commercial space operators to agricultural technology firms, is watching to see whether “critical infrastructure” becomes the magic phrase that lets manufacturers veto repair rights whenever they choose.
Photo by www.kaboompics.com on Pexels