Senator Janice Marchman had just announced she would vote yes — and then immediately made clear that her yes came with a warning.
"I am going to be a yes today," she told her colleagues on the Senate Business, Labor & Technology Committee. Then she listed four specific amendments she expected to see before the bill reached the Senate floor. Narrow the exemption to operational control systems. Protect owner repair rights for school districts and rural hospitals. Limit protection only to security-sensitive documentation, not everything else. And handle the Xerox problem — a separate compliance issue with federal counterfeiting law — the way other states have, outside the critical infrastructure definition entirely.
Without those changes, Marchman said, her floor vote would be a different story.
Sen. Nick Hinrichsen echoed the warning: "My yes today will be to further this bill in the process. But with that commitment — I do appreciate that from the sponsors to continue working on these definitions — because I don't believe that we're there yet."
The committee then voted 5-0 to advance SB 26-090 to the full Senate.
A Landmark Law, Two Years Later
To understand why that unanimous vote was so contentious, you have to go back to 2024, when Colorado passed House Bill 24-1121, making it one of the most expansive right-to-repair states in the country. The law said clearly: if you own a device, you have the right to fix it. Manufacturers had to provide the tools, software, and documentation needed to repair anything from a cell phone to a laptop.
The problem, according to the bill's sponsors, Senators John Carson and Marc Snyder, was that Colorado became the only state in the nation to extend those requirements to equipment embedded in critical infrastructure — power grids, water systems, financial networks. Every other state with a right-to-repair law had carved out some version of an exception. Colorado had not.
Governor Jared Polis noticed. When he signed HB 24-1121, Carson told the committee, Polis issued a directive saying the law needed to be fixed before its January 1, 2026 implementation date. The attorney general's office, Carson said, had since held off enforcing some provisions while the fix was worked out.
SB 26-090 is that fix — or, depending on who you ask, a Trojan horse.
"A Blank Check for Manufacturers to Exempt Themselves"
The bill is straightforward in principle: it exempts IT equipment "intended for use in critical infrastructure" from Colorado's repair law, using the existing federal definition of critical infrastructure — systems so vital to the United States that their incapacity or destruction would have a "debilitating impact on security, national economic security, or public health or safety."
To supporters from the Colorado Chamber of Commerce, the Colorado Technology Association, Cisco, NEMA, TechNet, and the Consumer Technology Association, this was simply aligning Colorado with national norms. As Brittany Morris Saunders of the Colorado Technology Association put it, the existing law "requires manufacturers to provide security codes, passwords and other sensitive access tools to any repair entity that requests them" — a real cybersecurity risk for systems managing hospitals, energy grids, and airports.
To the more than a dozen opponents who testified — from iFixit, Secure Repairs, Service Express, EcoCycle, Blue Star Recyclers, CoPIRG, the Digital Right to Repair Coalition, the NFIB, and Green Latinos Colorado — the bill's fatal flaw was simpler and more dangerous than any cybersecurity argument: the federal definition of critical infrastructure doesn't specify which devices are covered. It covers whole sectors. And sectors include computers.
Louis Rossman, who built a 16-person repair business in New York before watching declining repairability gut his workforce down to four, put it bluntly. The bill, he said, "allows the manufacturer themselves to self designate whether their equipment is for critical infrastructure." The result: "If a laptop manufacturer knows the Pentagon buys their laptops, they can declare that line exempt. If a networking company sells a $20 switch to a federal building, they can claim that hardware is critical infrastructure. It's a blank check for manufacturers to exempt themselves."
Paul Roberts of Secure Repairs, an organization he said represents more than 500 cybersecurity and IT professionals, was equally direct: the federal definition "is not specific about the types of devices that constitute critical infrastructure. It is vague" — and that vagueness serves large firms like Cisco and IBM, who are "using a very real concern about cybersecurity and resilience of US critical infrastructure to pad their bottom line."
The Cybersecurity Argument — and Its Rebuttal
The bill's entire premise rests on a claim: that limiting who can repair critical infrastructure equipment makes it more secure. Opponents spent most of the hearing dismantling that claim, piece by piece.
Kyle Wiens, CEO of iFixit — a repair resource used roughly 100 million times a year, with relationships with manufacturers including Google and Microsoft — told the committee that "security via obscurity... is generally considered less secure than something that is put out in the open." The idea that restricting repair access improves security, he said, "is false."
Gay Gordon-Byrne, executive director of the Digital Right to Repair Coalition, said she had spoken directly with executives at the Cybersecurity and Infrastructure Security Agency, the federal body responsible for protecting critical infrastructure. Their verdict: "there is no relationship" between repair and cybersecurity. She added that "the proponents have provided zero evidence that there's a problem" — and after more than two decades of the cybersecurity industry's existence, you'd expect some evidence to exist if the risk were real.
Andrew Brandt, a 20-year cybersecurity veteran who said he presented research at the Black Hat and DEF CON security conferences about a Chinese threat-actor campaign he dubbed "Operation Pacific Rim," argued that right-to-repair access is essential to security, not hostile to it. The firewalls his former employer made were being compromised — turned into spy devices against the very organizations they were supposed to protect. His conclusion: removing repair rights "will leave people far less secure."
Rossman offered a pointed case study involving one of the bill's loudest supporters. Cisco's Meraki wireless access point, he said, reached end of life and developers found a way to install open-source firmware called OpenWRT, allowing the hardware to remain functional and secure. Cisco's response, according to Rossman: a mandatory firmware update that caused the device's CPU to "permanently brick itself" if anyone tried to install the updated firmware. "They sent out a suicide update to destroy perfectly good hardware rather than let people update it to secure firmware," Rossman said. "If they cared about security of critical infrastructure, they would not force people to use outdated, insecure firmware on their access points."
Cisco did not directly rebut Rossman's claims during the hearing.
The Room Shifts — But Doesn't Break
Sponsor Senator Carson sought to hold the line. "This bill, Senate Bill 90, is not a retreat from that victory from that legislation," he said of the 2024 right-to-repair law. "It's a narrow, targeted clarification that the broad consumer protections in our right to repair law are not designed to extend to systems that if compromised, could pose a threat to public safety, national security and or our national economy."
Carson pointed out that the original 2024 law already contained significant exemptions — medical monitoring and diagnostic devices, electric vehicle charging stations, portable generators, renewable energy equipment, and safety communications equipment used by police and fire. A critical infrastructure exemption, he argued, fit naturally into that framework.
Senator Snyder, the co-prime sponsor, acknowledged the definition problem directly. "Despite all our efforts, we weren't able to come up with a better definition than using the federal definition of critical infrastructure," he said. But he committed to continuing to work on narrowing language after the committee vote, should the bill advance.
Senator Marchman's four amendment ideas — narrowing the exemption to operational control systems, preserving repair rights for public entities like school districts and rural hospitals, protecting only security-sensitive documentation, and resolving the Xerox compliance conflict separately — gave the sponsors a concrete to-do list. Senator Liston, whose policy area this plainly was not, said he'd spent the hearing learning. "This bill has a long ways to go," he said, "and I'm sure that the sponsors will take the input from everybody."
The bill passed 5-0 and will not appear on the consent calendar — meaning it will receive a full floor debate in the Senate, not a rubber-stamp voice vote.
Newspapers, Delivery Workers, and a Careful Threading of the Needle
After the fireworks of SB 26-090, the committee turned to two smaller but still contested bills.
SB 26-091 addresses a quiet crisis in Colorado's local news ecosystem. Under current law, newspaper delivery workers face potential reclassification as employees — a change that sponsors Senators Cutter and Snyder said would dramatically increase costs and force some papers to close entirely. The original bill simply declared newspaper carriers to be independent contractors. That version drew sharp opposition.
The strike-below amendment that replaced it — amendment L002 — took a more careful approach: it removes the existing categorical exemption for newspaper delivery personnel in the Unemployment Insurance Act, applies the standard independent contractor test, and specifies that three particular delivery practices (designated pickup locations, assigned geographic routes, and customer delivery deadlines) do not alone classify someone as an employee.
Valerie Collins of Towards Justice remained unconvinced. The amendment, she said, "takes away that role of an independent neutral being able to look at all the relevant facts" and "opens up the door to other industries requesting similar carve outs." Senator Snyder, unswayed, responded that the factors in the amendment simply replicate what courts and administrative law judges already use — and added that he was "skeptical if many of them would qualify for any type of exemption," dismissing the slippery-slope concern. The bill passed 4-1 and moves to the Committee on Appropriations.
Distilleries, Beer Taps, and a Compromise That Worked
SB 26-114 was the evening's clearest example of a compromise that actually held. The bill would allow Colorado distilleries to serve beer, wine, and cider in their tasting rooms under an optional state permit — a response to what witnesses from Stranahan's Colorado Whiskey, Balmer Peak Distillery, and the Colorado Distillers Guild described as a sustainability problem: losing customers who don't drink spirits.
The Colorado Municipal League, the Tavern League of Colorado, and the Colorado Restaurant Association opposed the original version, arguing it let distilleries operate as bars without local licensing — an unfair competitive advantage over every tavern and restaurant in the state.
Senator Liston, who sits on the Appropriations Committee that will hear the bill next, offered two amendments — L002 and L003 — that required local jurisdiction approval before the state's Liquor Enforcement Division could issue a permit, and aligned local fees with those paid by bars and taverns. Both were accepted as friendly by the sponsors. The opposition largely melted away. The bill passed 5-0.
One wrinkle remains: Senator Marchman said she plans to contest the fiscal note's assumption that 80% of Colorado distillers will open additional tasting rooms — the figure that drives the bill's projected cost. That fight will happen in Appropriations.
What Happens Next — and Why It Matters
SB 26-090 now goes to the full Colorado Senate for floor debate, where it will not receive a quick consent-calendar vote. Sponsors have promised to bring amendments addressing the definition problem before that vote. Senator Marchman and Senator Hinrichsen have made clear those amendments are not optional — their floor votes depend on them.
If the bill passes the Senate as amended and then clears the House, manufacturers of IT equipment used in critical infrastructure sectors will be exempt from Colorado's right-to-repair requirements. For the hundreds of independent repair technicians, small IT service businesses, rural hospitals, nonprofits, school districts, and recycling organizations that testified or aligned with the opposition, that means fewer choices, potentially higher costs, and equipment that may be harder to keep running securely when something breaks.
For the manufacturers and their allies, it means Colorado stops being the only state in the country where a company like Cisco must provide its most sensitive diagnostic codes to any repair entity that asks.
If the bill dies — or if the amendments Marchman and Hinrichsen are demanding don't materialize — Colorado's 2024 right-to-repair law remains the broadest in the nation, covering not just consumer devices but the enterprise IT systems that keep hospitals, water utilities, and financial networks running. The fight over who gets to fix those systems, and on whose terms, will continue regardless of what the full Senate decides.