For decades, the unspoken contract of enterprise IT was simple: if a company bought a piece of hardware, it owned it. That ownership extended beyond the balance sheet to the actual circuitry and chassis of the machine. If a server failed at 3 a.m. on a Sunday, the internal team or a trusted third-party partner could step in to fix it, ensuring the business stayed online.
That contract is currently being rewritten. In Colorado, a proposed bill aims to exempt “critical infrastructure” from the state’s right-to-repair requirements. While the legislation may seem like a localized policy tweak, it represents a high-stakes test of right to repair for critical infrastructure and of the limits of CIO power. If passed, the move would effectively hand the keys of maintenance back to the original equipment manufacturers (OEMs), limiting who can service the systems that keep essential services running.
The debate is being framed as a choice between security and autonomy. Major technology vendors, including Cisco and IBM, support the proposal, arguing that restricting repair access to authorized channels is the only way to ensure system integrity and prevent tampering. For them, the risk of an unauthorized technician misconfiguring a critical switch is a threat to national and corporate security.
But for the Chief Information Officers (CIOs) tasked with managing these systems, the “security” argument feels like a Trojan horse. To them, the real risk isn’t a rogue technician—it is the operational paralysis that occurs when a company is forbidden from fixing its own equipment and must instead wait for a vendor’s support queue to clear.
The security narrative versus operational reality
The tension centers on how “risk” is defined. Vendors view risk through the lens of vulnerability: the possibility that an open system could be compromised. CIOs, however, view risk through the lens of availability: the cost of every minute a system is offline.
David Linthicum, a cloud and AI expert and founder of Linthicum Research, suggests that the push for tighter control is less about security and more about the economics of the service lifecycle. “Security is a valid concern, especially in critical infrastructure,” Linthicum said. “But vendors also know that control over repair creates control over service contracts, upgrade cycles, spare parts and customer dependence.”
From a technical perspective, the argument that restricted access improves security is often a theoretical one. Most enterprises already employ rigorous access controls and auditing to manage who touches their sensitive systems. By removing the ability to perform independent repairs, the legislation doesn’t necessarily eliminate risk—it simply redistributes it, creating a dangerous dependency on the vendor’s internal capacity.
When a critical system fails, the most immediate danger is downtime. If repair is limited to vendor-approved channels, response times are no longer dictated by the urgency of the business need, but by the vendor’s scheduling constraints and parts availability. In a crisis, this delay can transform a manageable glitch into a public-facing disaster.
Ownership without authority
This fight exposes a widening gap between legal ownership and operational authority. In the early days of the data center, buying the hardware meant you controlled the lifecycle. Today, through a combination of proprietary software locks and legislative carve-outs, ownership is becoming symbolic.
Niel Nickolaisen, a technology leader advisor at VLCM and chairman of the CIO Council at FC Centripetal, argues that this shift violates the fundamental boundaries of IT governance. Historically, the customer has been the one responsible for evaluating patches and deciding when to deploy upgrades so as to avoid crashing their own environment.
“The enterprise customer is responsible for evaluating patches and upgrades and deciding what to deploy and when,” Nickolaisen said. “This seems to violate those boundaries.”
When a manufacturer takes control of the maintenance process, the CIO loses operational flexibility. The ability to pivot, to use a third-party specialist, or to implement a temporary workaround is stripped away. This leaves the organization with fewer options during a disruption, which is exactly when options matter most.
The long-term governance trap
Beyond the immediate fear of downtime, there are deeper concerns regarding the long-term health of the IT ecosystem. If “critical infrastructure” is exempted from right-to-repair laws, it creates a protected monopoly for OEMs over the entire lifecycle of the product.
The implications for IT budgets and resilience are significant:
- Increased Lifecycle Costs: Without competition from third-party maintenance providers, vendors can raise service contract prices without fear of churn.
- Forced Obsolescence: When repair becomes too expensive or legally restricted, organizations are pressured to replace entire systems rather than fixing a single component.
- Fragile Resilience: A system that cannot be acted upon independently during an outage is inherently more fragile than one that can be serviced by a diverse pool of experts.
Nickolaisen also points to a looming accountability crisis. If a vendor controls the fix but the CIO is responsible for the uptime, who is held liable when a service-level agreement (SLA) is breached? “Who is responsible for service-level breaches, and at what cost?” he asked. “How do I ‘fire’ a manufacturer when they have control over the maintenance of my infrastructure?”

A blueprint for broader control
The Colorado proposal is a bellwether. The definition of “critical infrastructure” is notoriously fluid; as more business processes move to the cloud and edge, the scope of what is considered “critical” naturally expands. If this model of restricted repair is accepted for power grids and water systems, it is only a matter of time before it is applied to healthcare systems, financial ledgers, and corporate backbones.
For CIOs, the challenge is recognizing that this is not just a legal debate about the Colorado General Assembly’s legislative agenda, but a strategic shift in the balance of power between the buyer and the seller. The move toward “stewardship” by vendors is often marketed as a benefit to the customer, but the reality is frequently different.
“I am skeptical of legislation that is sponsored and driven by technology manufacturers,” Nickolaisen said. “I have never seen any that turned out to benefit the customers. And I do mean never.”
As the legislation moves through the House and Senate, the outcome will signal whether the future of enterprise IT is one of autonomous ownership or managed dependence. The next checkpoint for the bill will be its progression through the committee phase, where the specific definitions of “critical infrastructure” will be debated and potentially expanded.
Disclaimer: This article discusses pending legislation and IT governance strategies; it does not constitute legal or financial advice.
