Senate committee advances narrow fix to Colorado's right-to-repair law to exempt critical infrastructure
April 02, 2026 | 2026 Legislature CO, Colorado
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
The Senate Business, Labor and Technology Committee advanced Senate Bill 90 on a 5–0 vote after hearing hours of testimony from cybersecurity experts, repair advocates and industry representatives.
Sen. Carson, a co-prime sponsor, said the bill is "a narrow, targeted clarification" to Colorado's 2024 right-to-repair law, intended to prevent the statute from requiring manufacturers to disclose tools or information for equipment "if compromised could pose a threat to public safety, national security, or our national economy." He noted the governor and the Attorney General's office have urged fixes prior to the law's implementation date.
Supporters including the Colorado Technology Association, NEMA and TechNet argued enterprise networking and industrial-control equipment differ from consumer devices and that the current law—broadly written—could require disclosure of source code or authorization credentials for systems that keep water, power and financial networks running. Joseph Lee of Cisco told the committee that while basic components like power cords and fan belts are readily available, deeper artifacts such as source code and authorization codes are protected intellectual property and raise cybersecurity concerns.
Opponents said the bill, as drafted, relies on a vague definition that could be used by manufacturers to exempt large swaths of commonly repaired devices and to lock repair business to authorized providers. "Please do not take away the right to repair," Andrew Brandt, executive director of Elect More Hackers, told the committee. He and others described scenarios where third-party firmware and independent fixes kept older equipment secure and available. Paul Roberts of Secure Repairs and Louis Rossman, a long-time repair-shop owner, warned that broad exemptions would reduce competition and raise repair costs for small businesses and nonprofits.
Committee members pressed witnesses on where lines should be drawn. Sen. Marchman asked whether cybersecurity frameworks such as NIST could provide a narrower definition; repair proponents said the security premise behind the bill was misplaced and that broader disclosure typically improves security.
Sen. Snyder moved SB 90 to the Committee of the Whole with a favorable recommendation; the motion passed 5–0. Sponsors said they will continue working with stakeholders on narrower language should the bill advance.
The committee did not place SB 90 on the consent calendar and signaled additional stakeholding on definitional language before floor action.
Sen. Carson, a co-prime sponsor, said the bill is "a narrow, targeted clarification" to Colorado's 2024 right-to-repair law, intended to prevent the statute from requiring manufacturers to disclose tools or information for equipment "if compromised could pose a threat to public safety, national security, or our national economy." He noted the governor and the Attorney General's office have urged fixes prior to the law's implementation date.
Supporters including the Colorado Technology Association, NEMA and TechNet argued enterprise networking and industrial-control equipment differ from consumer devices and that the current law—broadly written—could require disclosure of source code or authorization credentials for systems that keep water, power and financial networks running. Joseph Lee of Cisco told the committee that while basic components like power cords and fan belts are readily available, deeper artifacts such as source code and authorization codes are protected intellectual property and raise cybersecurity concerns.
Opponents said the bill, as drafted, relies on a vague definition that could be used by manufacturers to exempt large swaths of commonly repaired devices and to lock repair business to authorized providers. "Please do not take away the right to repair," Andrew Brandt, executive director of Elect More Hackers, told the committee. He and others described scenarios where third-party firmware and independent fixes kept older equipment secure and available. Paul Roberts of Secure Repairs and Louis Rossman, a long-time repair-shop owner, warned that broad exemptions would reduce competition and raise repair costs for small businesses and nonprofits.
Committee members pressed witnesses on where lines should be drawn. Sen. Marchman asked whether cybersecurity frameworks such as NIST could provide a narrower definition; repair proponents said the security premise behind the bill was misplaced and that broader disclosure typically improves security.
Sen. Snyder moved SB 90 to the Committee of the Whole with a favorable recommendation; the motion passed 5–0. Sponsors said they will continue working with stakeholders on narrower language should the bill advance.
The committee did not place SB 90 on the consent calendar and signaled additional stakeholding on definitional language before floor action.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
