Colorado just turned into an early stress test for the future of right to repair—and for how far big tech is willing to go to weaken it. A bill backed by major manufacturers tried to punch a huge cybersecurity-shaped hole into Colorado’s new repair law. It failed at the last minute, but the tactics on display are almost certainly a preview of what’s coming to other US states and, indirectly, to Europe. In this piece we’ll unpack what actually happened, why the arguments matter far beyond Colorado, and how similar carve‑out attempts could shape the next decade of repair policy.
The news in brief
According to reporting from Wired (republished by Ars Technica), a bill in Colorado—SB26‑090—aimed at partially undoing the state’s 2024 Consumer Right to Repair Digital Electronic Equipment law has been rejected.
Colorado’s original law, in force since January 2026, requires manufacturers of digital electronics such as smartphones, laptops and routers to provide parts, tools and documentation so that owners and independent shops can repair the devices.
SB26‑090 sought to exclude so‑called "critical infrastructure" from these obligations. The term was loosely defined, raising concerns that large tech vendors could classify wide swaths of networking and enterprise hardware as exempt.
The bill was introduced in early April 2026, supported by lobbying from companies including Cisco and IBM. It passed a Senate committee, then the full Senate. But after an extended hearing with testimony from consumer groups, repair advocates, recyclers and cybersecurity specialists, the House State, Civic, Military, and Veterans Affairs Committee voted 7–4 to postpone the bill indefinitely—effectively killing it for this session.
Why this matters
Colorado just provided a live demo of the most sophisticated anti–right‑to‑repair tactic we’ve seen so far: don’t fight the overall concept head‑on, instead hollow it out with a broad exemption in the name of cybersecurity and critical infrastructure.
If SB26‑090 had passed, it would have created a powerful precedent. Any manufacturer with enterprise, cloud, or networking products could have tried to rebrand them as "critical" and therefore not fully subject to repair rules. Consumer hardware that overlaps with business use—routers, Wi‑Fi access points, maybe even high‑end laptops—could gradually slide into that category. On paper, right to repair would survive; in practice, a huge chunk of modern electronics would be unreachable.
The industry’s argument is telling: that giving repair tools and documentation to legitimate owners inherently increases attack surface for hackers. Cybersecurity researchers who testified in Colorado essentially demolished that claim, pointing out that real‑world intrusions overwhelmingly happen remotely via exploitable software, misconfiguration, or stolen credentials—not through someone with a screwdriver and a service manual.
So who wins and who loses?
- Winners (for now): Consumers, independent repair shops, and the circular economy businesses that rely on refurbishing hardware. They keep a strong law without a Swiss‑cheese carve‑out.
- Would‑be winners: Large vendors hoping to preserve lock‑in around expensive service contracts and forced upgrades.
- Losers: Legislators who hoped to quietly satisfy lobbyists without a public fight—and, more broadly, any company gambling that "security" will remain an unchallenged magic word in policy debates.
The immediate implication: every future right‑to‑repair campaign, in the US or EU, now has to assume that a near‑final law might face this kind of late‑stage carve‑out attempt.
The bigger picture
The Colorado battle doesn’t exist in isolation. It fits into at least three broader trends.
1. Right to repair is moving from fringe to mainstream.
What used to be a niche movement of tinkerers and environmentalists is now baked into legislation across multiple US states and the EU. Farmers’ frustration with locked‑down tractors, consumers annoyed by unrepairable smartphones, and municipalities drowning in e‑waste have all fuelled this shift. Colorado’s 2024 law is part of the same wave that produced New York’s repair statute and Europe’s upcoming Right to Repair directive.
2. Big tech is evolving from outright opposition to strategic containment.
The old play was simple: fight the entire concept of right to repair. That strategy is losing. Companies like Apple have launched limited self‑service repair programs, while others quietly adjust warranty policies. The new play, evident in Colorado, is to accept some repair rights in principle while carving out the most profitable, highest‑margin categories—enterprise networking, industrial IoT, specialized hardware—using arguments about safety, IP protection or cybersecurity.
3. Security is becoming the universal pretext.
We’ve seen this pattern in encryption debates ("we just need a small backdoor"), content moderation ("we must scan all content for safety"), and now repair ("we can’t reveal tools or attackers will win"). In all three, technical experts usually argue that these trade‑offs are oversimplified or counterproductive, but the narrative remains politically potent.
Historically, industry overreach often triggers stronger regulation. Automakers’ attempts to control diagnostics spurred US state‑level automotive repair laws. Printer manufacturers’ abuse of DRM for ink cartridges led to consumer backlash and legal challenges. If vendors push too hard on the "critical infrastructure" angle, they may find lawmakers responding with tighter, more explicit obligations.
The key takeaway: Colorado marks the beginning of phase two in the right‑to‑repair fight, where the battleground shifts from whether repair is allowed to where the boundaries are drawn.
The European / regional angle
At first glance, a state‑level US fight might seem distant to European readers. It shouldn’t. The same arguments and lobbyists are already active in Brussels, Berlin, Paris, Madrid and beyond.
The EU has moved faster than the US at the framework level: the Ecodesign rules, the repairability index in France, and the EU‑wide Right to Repair directive backed by the European Parliament in 2024 all push manufacturers toward longer‑lived, fixable products. But none of this is immune to the kind of carve‑out strategy tested in Colorado.
Europe already has broad legal concepts like "critical infrastructure" in the NIS2 Directive and national security laws. It would be easy for vendors to argue that networking equipment, industrial control systems, and even some professional‑grade laptops should be exempt from full repair transparency because of security or trade‑secret concerns.
There’s also a regulatory tangle:
- GDPR and the Digital Services Act elevate security and data protection as core obligations.
- The EU Cyber Resilience Act pushes manufacturers to maintain control over software updates.
It’s not hard to imagine these being used rhetorically—if not legally—to justify limiting third‑party repair options.
For European companies, especially SMEs that maintain infrastructure or run local repair businesses, Colorado is a warning. If exemptions around "critical" equipment become standard, much of the value of EU right‑to‑repair rules could be captured by the biggest global vendors, while local service ecosystems are left with only low‑margin consumer gadgets.
The practical lesson for the EU: draft exceptions as narrowly as possible, require evidence‑based security risk assessments, and involve independent security researchers—not just vendor lobbyists—when defining what truly needs special protection.
Looking ahead
Colorado won this round, but the conflict is nowhere near over.
Expect three things next:
- Copy‑paste bills in other US states. Once a template exists, it’s cost‑effective for industry groups to push near‑identical language elsewhere, calibrated for local politics. Watch for vague "critical infrastructure" or "high‑security systems" exemptions suddenly appearing in otherwise pro‑repair proposals.
- More sophisticated security narratives. The arguments in Colorado were often technically weak. Next time, expect better‑packaged claims: whitepapers, commissioned "risk" studies, and scenarios that highlight worst‑case supply‑chain attacks. That will put more pressure on lawmakers who lack deep technical backgrounds.
- Preemptive shaping of EU and national rules. In Brussels and national capitals, vendors will likely lobby for broad discretion over which tools and documentation must be shared for "sensitive" products. The battle may shift from parliaments to technical standards bodies, where fewer journalists and citizens are watching.
For consumers and repair professionals, the opportunity is to professionalize the counter‑narrative. Cybersecurity experts, recyclers, and independent service networks showed in Colorado that they can present credible, technically grounded testimony. If those coalitions form earlier in the legislative process—both in US states and in EU member countries—carve‑outs will be harder to sneak in.
Timeline‑wise, the next two to three years are decisive. Many repair laws are either being implemented (EU) or drafted (additional US states). Whatever default exemptions and definitions are written now will be extremely hard to reverse later.
Unanswered questions remain: How will courts interpret "critical infrastructure" when it clashes with repair rights? Will large vendors test the waters by refusing compliance until challenged? And will any jurisdiction be bold enough to explicitly forbid over‑broad critical‑infrastructure exemptions?
The bottom line
Colorado’s failed rollback is both a victory and a warning. It confirms that broad, security‑flavoured attacks on right to repair can be beaten—but only with organized, technically literate resistance. For Europe and the rest of the world, the message is clear: as you write your own repair rules, assume that "critical infrastructure" and "cybersecurity" will be used as battering rams. The open question is whether lawmakers will listen more to engineers and citizens—or to the vendors who profit from keeping our devices sealed.



