Right-to-repair is having a long decade. In the United States, twelve states now have repair laws on the books or pending. The Federal Trade Commission has been working the issue since 2021. The European Union’s Right-to-Repair Directive entered into force in 2024. The conversation that started with iPhones and John Deere tractors has steadily moved up the stack: medical devices during the COVID years, electric-vehicle batteries last year, and now a category that was always going to be hardest, network infrastructure.
A small bill in Colorado made the latest round of the conversation visible. We use it as the hook for this piece, but the piece is about the substance, not the bill.
What happened in Colorado.
Colorado’s HB24-1121, signed in May 2024, is the broadest consumer right-to-repair statute in the United States. In February 2026, Senate Bill 26-090 was introduced. The bill would have added one sentence to HB24-1121: information technology equipment “intended to be used in critical infrastructure” would be exempt. The Senate Business, Labor, and Technology Committee advanced the bill 5-0 on April 2. The full Senate passed an amended version 22-13. On April 27, the House State Affairs Committee voted to postpone the bill indefinitely. The bill is dead for this session.
The hearing record is publicly available at the Colorado General Assembly site. Witnesses against the bill, including the Repair Association, CoPIRG, and iFixit, raised two concerns repeatedly. First, the absence of a clear definition of “information technology equipment” would let manufacturers self-classify devices. Second, there is no evidence base for the security premise that vendor-only repair improves outcomes in critical infrastructure. Witnesses in support, including representatives of a major networking vendor and a tech-industry trade group, testified that not all digital technology devices are equal and that critical-infrastructure gear merits specialized handling.
Public lobbying registrations for SB26-090 are filed with the Colorado Secretary of State. Sixty-eight registrations were on record: forty in support, eleven opposed, fifteen monitoring, two other. Disclosed lobbying spending tied to the bill, across the full set of supporting organizations, exceeded three hundred sixty thousand dollars.
The pattern across categories.
The arguments against repair tend to repeat across very different products. Smartphones: parts pairing prevents non-authorized repair. Tractors: software locks tie a working machine to a dealer service contract. Ventilators: during the early pandemic, hospital biomedical engineering teams could not repair their own equipment because of vendor restrictions, and the issue ended up in front of Congress. Electric vehicles: battery-pack serviceability decisions made at design time determine whether a five-year-old EV is repairable or scrap.
In each category, the manufacturer’s stated rationale is some combination of safety, intellectual property, and quality control. In each category, post-hoc analysis tends to find that the costs of restricted repair fall on operators, owners, and downstream users.
Critical infrastructure and patch latency.
Network infrastructure inherits a sharper version of the same problem because of patch latency.
In October 2023, a major networking vendor disclosed a CVSS-10 vulnerability in the web user interface of a widely deployed router operating system. The vendor shipped a patch the same month. Eighteen months later, public reporting from federal investigators documented a state-sponsored threat group still using the same flaw against unpatched edge devices in production at over six hundred organizations worldwide. February 2025 reporting noted the same intrusions also leveraged stolen credentials and a separate vendor software issue that had been disclosed seven years earlier.
This is not unusual. Edge-device flaws of this severity sit unpatched in production all the time, in gear from many vendors, because the operational reality of vendor-only patching is that operators wait. The point of right-to-repair in critical infrastructure is not that operators want to write their own patches. The point is that operators want to be able to read what runs on their network, audit it, and act when the patch is late.
Where Airfy sits on this.
We made a choice early. Our router-side firmware is open source. The cloud orchestration and managed-AI services are proprietary. Operators can read the code that runs on their network, audit it, and contribute back if they want. Regulated branch networks and research environments have used this model in production.
We did not make this choice to take a position against any vendor. We made it because in a critical-infrastructure conversation, the operator’s right to look inside the box is not a security risk. It is a security primitive.
Right-to-repair will keep moving up the stack. The next bill, in the next state, will use a different number, a different definition, a different set of carve-outs. The honest debate, when that bill arrives, is not about whether vendors are good or bad actors. It is about whether the operator of a critical-infrastructure network is allowed to read the code that runs on it.
We think the answer is yes.
