ARIZONA HOUSE OF REPRESENTATIVES

57th Legislature, 2nd Regular Session

Majority Research Staff

House: ST DP 5-4-0-0 |Third Read 37-19-3-0-1

☐ Prop 105 (45 votes) ☐ Prop 108 (40 votes) ☐ Emergency (40 votes) ☐ Fiscal Note

HB 2134: critical infrastructure; foreign adversaries; prohibition

Sponsor: Representative Kupper, LD 25

House Engrossed

Overview

Prohibits any software produced from a Chinese company from being used for critical communications and infrastructure in the state.

History

The Arizona Department of Administration (ADOA) must develop, implement and maintain a coordinated statewide plan for information technology, including evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona Department of Homeland Security (A.R.S. § 18-104).

The Arizona Department of Emergency and Military Affairs (DEMA) is an executive agency that is responsible for administering Arizona's emergency management functions and consists of the Arizona National Guard (Air, Army, Joint Task Force), the Division of Emergency Management and the Division of Administrative Services (AZLibrary).

Critical infrastructure means systems and assets, whether physical or virtual, that are so vital to this state and the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, economic security, public health or safety (A.R.S. § 41-1801).

The United States (U.S.) Secretary of Commerce has determined that the following foreign governments or foreign non-government persons have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the U.S. or security and safety of U.S. persons and constitute foreign adversaries:

1)   The People's Republic of China, including the Hong Kong Special Administrative Region;

2)   Republic of Cuba;

3)   Islamic Republic of Iran;

4)   Democratic People's Republic of Korea;

5)   Russian Federation; and

6)   Venezuelan politician Nicolás Maduro (15 C.F.R. § 791.4).

Provisions

1.   Prohibits any software used for critical infrastructure in the state from being produced by a Chinese company. (Sec. 1)

2.   Requires any critical communications infrastructure provider (Communications Provider) to certify, by January 1 of each year, to the Arizona Corporation Commission (ACC) any instance of prohibited critical communications infrastructure equipment along with the geographical coordinates of the area served. (Sec. 1)

3.   Instructs a communications provider, certified by the ACC, to submit a status report to the ACC at the same time a report is sent to the federal government. (Sec. 1)

4.   Excludes Communication Providers who have removed, discontinued or replaced any prohibited technology from obtaining an additional permit from any state agency or political subdivision. (Sec. 1)

5.   Prohibits a government entity or critical infrastructure service provider (Service Provider) from entering into a new or renew a contract with a Chinese company with access to critical infrastructure. (Sec. 1)

6.   Mandates each government entity and service provider to certify to the ACC that the provider is not connected to any operating system or attached to any additional equipment that is prohibited by the ACC by March 31, 2027. (Sec. 1)

7.   Instructs the ACC to publish and post a list of all equipment that are prohibited from being attached to critical infrastructure or connected to an operating system on the ACC website by December 31, 2026. (Sec. 1)

8.   Instructs the ACC to publish the following list of prohibited equipment by December 31, 2026:

a.   any WI-FI routers or modems systems;

b.   any camera-based school bus infraction detections system;

c. speed detection system;

d.   traffic infraction detector system;

e. battery technology or smart meter technology;

f. solar inverters; and

g.   any product that contains cellular internet-of-things modules produced by a Chinese company. (Sec. 1)

9.   Directs a government entity and Service Provider to remove any equipment, if monies are appropriated and distributed with the intention of removing any equipment, that are included on the prohibited equipment list provided by the ACC. (Sec. 1)

10.  Allows a government entity and service provider to continue usage or purchase of prohibited equipment if all the following apply:

a.   there are no other reasonable providers of the prohibited equipment;

b.   the purchase is preapproved by the ACC; and

c. not purchasing the equipment would present a risk to the state. (Sec. 1)

11.  Exempts the ACC from inspecting all critical infrastructure and equipment or conduct continuous monitoring or inspections universal physical. (Sec. 1)

12.  Instructs the ACC to implement a Risk-Based Oversight Program that includes the following:

a.   a requirement that each government entity and Service Provider has completed self-certification under sworn statement under penalty of perjury;

b.   a requirement for a randomized audit on a statistically significant sample Service providers every year;

c. a targeted audit if the ACC received credible information of a risk factor;

d.   a provision that allows the ACC to rely on determinations, advisories or prohibitions issued by a federal agency that oversees national security or communications equipment and cybersecurity in this country; and

e. a provision for safe harbor protections for Service Providers and Communication Providers that reasonably rely on manufactures certifications and supply-chain disclosures if no deliberate misrepresentation is apparent. (Sec. 1)

13.  Prohibits a government entity or a publicly regulated utility from entering into an agreement or contract involving critical infrastructure with the People's Republic of China if under the agreement or contract the People's Republic of China, directly or remotely, can access or control critical infrastructure. (Sec. 2)

14.  Allows a government entity and publicly regulated utility to continue usage or purchase of prohibited technology if the following applies:

a.   no other reasonable option exists for addressing a need that is relevant to the critical infrastructure;

b.   agreement or contract is approved by the ACC; and

c. not entering into the agreement would present a risk to the state. (Sec. 2)

15.  Instructs DEMA to establish a secure and dedicated communications channel for critical infrastructure providers and military installations across the state to connect with DEMA and Governor's office in case of an emergency that damages critical communications infrastructure. (Sec. 2)

16.  Cites this legislation as the Arizona Critical Infrastructure Protection Act. (Sec. 3)

17.  Modifies the definition of critical infrastructure. (Sec. 1)

18.  Defines key terms. (Sec. 1)

 

 

 

---------- DOCUMENT FOOTER ---------

Initials TM                       HB 2134

3/03/2026  Page 0 House Engrossed

 

---------- DOCUMENT FOOTER ---------