Senate Bill 90 would have allowed the Attorney General to adopt rules exempting information-technology equipment used in government service or critical infrastructure from Colorado's Consumer Repair Bill of Rights Act. Sponsor Vice Chair Clifford said the change is narrowly tailored to let the AG protect devices whose repair information (schematics, certain diagnostic interfaces or firmware) could enable attackers to disrupt public safety or critical systems such as traffic signals, SCADA water controls or state radio networks.
Industry witnesses including trade associations and vendors (Cisco, NEMA, ITI, CTA and others) urged a narrow exemption process because many large-scale network and industrial devices are distributed business-to-business and embed proprietary diagnostic tools that, if disclosed wholesale, could expose encryption keys, source code or other sensitive internals. Several supported an AG-rulemaking pathway to review and approve exemptions.
Opponents spanned independent security researchers, consumer and repair-rights groups, recyclers, local governments and academics. They argued the bill's language is overly broad, that security-by-obscurity is ineffective, and that the same make-and-model devices used in critical infrastructure are also widely used in schools, nonprofits and small businesses. Independent technicians and cybersecurity professionals warned that restricting access to repair tools or diagnostics could slow local response to active cyber incidents and increase downtime and costs, while environmental advocates said exemptions would hinder reuse and increase e-waste.
Committee members questioned how the AG process would work and whether the statute as drafted presumes exemption during AG review. The committee adopted a narrow technical amendment to preserve federal law requirements for print-imaging traceability (Xerox amendment L9) but members remained split on whether the statutory text was sufficiently surgical. The committee did not advance the bill (committee recorded vote: 7-4 against advancing) and subsequently adopted a motion to postpone the bill indefinitely by reverse roll call.
Why it matters: Supporters say the exemption protects public-safety systems from cyberattack; opponents say the bill is too broad and will empower manufacturers to withhold repair options from schools, local governments and small businesses and will harm reuse markets. The bill is effectively dead in this committee for the 2026 session.