Official Summary Text
HB2134 - 572R - Senate Fact Sheet
Assigned to
PS
& ATT���������������������������������������������������������������������������������������������������������� FOR
COMMITTEE
ARIZONA STATE SENATE
Fifty-Seventh
Legislature, Second Regular Session
REVISED #3
FACT SHEET FOR
H.B. 2134
critical
infrastructure; foreign adversaries; prohibition
Purpose
����������� Establishes the
Arizona
Critical Infrastructure Protection Act
which prohibits critical
infrastructure software and critical communications infrastructure equipment that
is produced by a Chinese company, preempts contracts and agreements that would
allow for the access or control of critical infrastructure in Arizona,
prescribes certification, reporting and publishing requirements and outlines related
exceptions and penalties for noncompliance.
Background
����������� The federal Committee
on Foreign Investment in the United States (CFIUS) is charged with conducting
investigations of the effects of covered transactions on national security if
the transaction would result in the control of any critical infrastructure of
or within the United States by or on behalf of any foreign person. If CFIUS
determines that the transaction could impair national security, and that such
impairment has not been mitigated, CFIUS must take necessary actions in
connection with the transaction to protect the national security of the United
States.
Covered transactions
include investments by a foreign person in
any unaffiliated U.S. business that owns, operates, manufactures, supplies or
services critical infrastructure (
50
U.S.C. � 4565
).
����������� The federal Secure
and Trusted Communications Networks Reimbursement Program (federal Program) is
administered by the Federal Communications Commission to reimburse providers of
advanced communications services with up to 10 million customers for the removal,
replacement and disposal of communications equipment and services produced by
Huawei Technologies Company or ZTE Corporation that was obtained on or before
June 30, 2020, from the Company's or Corporation's network. Advanced
communication service providers must annually certify possession of advanced
communication equipment and services and report on the location, type, original
cost, estimated replacement cost and any replacement plans, date of acquisition
and a detailed justification for obtaining the covered equipment or services (
FCC
).
����������� The Arizona
Corporation Commission (ACC) consists of five elected commissioners and is
responsible for regulating public utilities, facilitating incorporation of
businesses and organizations, granting or denying rate adjustments, enforcing
safety and public service requirements and approving securities matters (
A.R.S. Title 40, Chapters 1
and 2
).
����������� The Joint Legislative
Budget Committee estimates that H.B. 2134 would increase state and local
government costs by: 1) creating ongoing costs for the ACC and the Department
of Military Affairs (DEMA) associated with their responsibilities under H.B.
2134; and 2) generating additional one-time capital costs to the extent
existing equipment owned by state entities would need to be replaced. The ACC
estimates a fiscal impact of $4.0 million annually and 15 new fulltime
equivalent positions. DEMA estimates a one-time cost of $10.4 million to $12.0
million as well as $760,000 to $5.9 million in ongoing costs depending on whether
H.B. 2134 requires the establishment of a communication infrastructure that is secure
voice-to-data or voice only. The Arizona Department of Transportation estimates
a one-time cost of $3.8 million for equipment replacements that include about
2,000 laptops and 13 different software products manufactured in China, as well
as additional ongoing costs due to changing software (
JLBC
fiscal note
).
Provisions
1.
Prohibits any software that is used for critical infrastructure in
Arizona from being produced by a Chinese company.
2.
Requires, by January 1 of each year, a critical communications
infrastructure provider that is a participant in the federal Program to certify
to the ACC any instance of prohibited critical communications infrastructure
equipment use, along with the geographic coordinates of the areas served by the
prohibited equipment.
3.
Requires a critical communications infrastructure provider that is
certified by the ACC to submit a status report to the ACC at the same time that
any report is sent to the federal government in compliance with the federal
Program.
4.
Precludes any critical communications infrastructure provider that
removes, discontinues or replaces any prohibited equipment from being required
to obtain an additional permit from any state agency or political subdivision
of the state for the removal, discontinuance or replacement.
5.
Prohibits a governmental entity or a critical infrastructure service
provider in Arizona from entering into or renewing a contract with a Chinese
company if the contract provides the company with direct or indirect access to
the critical infrastructure.
6.
Requires, by March 31, 2027, and each year thereafter, each governmental
entity and critical infrastructure service provider in Arizona to certify to
the ACC that the provider has not attached to the critical infrastructure or
connected to any operating system that is used by the provider any additional
equipment that is prohibited by the ACC and that was not in use in Arizona
before the general effective date.
7.
Requires the ACC, by December 31, 2026, and each year thereafter, to
publish a list of all equipment that is prohibited from being attached to the
critical infrastructure or connected to any operating system that is used by
the critical infrastructure and post the list on the ACC's website.
8.
Stipulates
that the list of prohibited equipment must include, at a minimum, the following
produced by a Chinese company:
a)
any
wi-fi router and modem system;
b)
any
camera-based school bus infraction detection system, speed detection
system, traffic infraction detector system and other camera system,
c)
battery
technology or smart meter technology,
d)
solar
inverters; and
e)
any
product that contains cellular internet-of-things modules.
9.
Directs,
if monies are appropriated and distributed to facilitate the removal, each governmental
entity and critical infrastructure service provider in Arizona to remove any
prohibited equipment on the ACC's list.
10.
Allows a government entity
or critical infrastructure service provider in Arizona to continue to purchase
and use any prohibited equipment, if:
a)
there
are no other reasonable providers of the prohibited equipment;
b)
the
purchase or use of the prohibited equipment is preapproved by the ACC; and
c)
not
purchasing or using the prohibited equipment would pose a greater threat to the
state than the threat associated with the prohibited equipment.
11.
Asserts that the ACC is not
required to inspect all critical infrastructure and equipment or conduct
continuous monitoring or universal physical inspections of critical
infrastructure and equipment in Arizona.
12.
Requires the ACC to
implement a Risk-Based Oversight Program that includes:
a)
a
requirement that each governmental entity and critical infrastructure service
provider has completed the required self-certification in the form of a
sworn statement under penalty of perjury;
b)
a requirement
for a randomized audit that is conducted on a statistically significant sample
of critical infrastructure service and critical communications infrastructure
providers each year;
c)
a
targeted audit if the ACC receives credible intelligence, a complaint, a
federal advisory or an identified risk factor;
d)
a
provision that allows the ACC to rely on determinations, advisories or
prohibitions that are issued by a federal agency that has jurisdiction over
national security or communications equipment and cybersecurity in the United
States; and
e)
a
provision for safe harbor protections for critical infrastructure service and
critical communications infrastructure providers that reasonably rely on
manufacturer certifications and supply-chain disclosures if there is not
evidence of willful misrepresentation.
13.
Preempts a governmental
entity or publicly regulated utility in Arizona from entering into an agreement
or contract involving critical infrastructure in Arizona with the People's
Republic of China (China) if under the agreement or contract China, directly or
remotely, would be able to access or control critical infrastructure in Arizona
.
14.
Allows a governmental entity
or publicly regulated utility in Arizona to enter into an agreement or contract
involving critical infrastructure in Arizona with China if:
a)
no
other reasonable option exists for addressing a need that is relevant to
critical infrastructure in Arizona;
b)
the
agreement or contract is approved by the ACC; or
c)
not
entering into the agreement or contract would pose a greater threat to the
state than the threat associated with entering into the agreement or contract.
15.
Requires DEMA to establish a
secure and dedicated communications channel for critical infrastructure
providers and military installations across the state to connect with DEMA and
the Governor's Office in the event of an emergency that damages critical
communications infrastructure.
16.
Defines a
Chinese company
as any company, other than a U.S. person or subsidiary, that:
a)
is domiciled,
incorporated, issued or listed in China;
b)
is headquartered
in China;
c)
has
its principal place of business in China;
d)
is controlled,
or majority-owned by an entity controlled, by the government of China, the
Chinese communist party or the Chinese military, or any instrumentality
thereof, including the State-owned Assets Supervision and Administration Commission
of the State Council or the National Social Security Fund.
17.
Excludes, from the
definition of a
Chinese company
, a parent, subsidiary or affiliate
company of a
Chinese company
if the parent, subsidiary or affiliate
company:
a)
does
not meet the criteria of a
Chinese company
; and
b)
does
not recognize more than 50 percent of the parent's, subsidiary's or affiliate
company's total annual global revenue from China and Hong Kong combined
18.
Defines
critical
infrastructure
as infrastructure that is owned or operated by the state, a
political subdivision of the state or a publicly regulated utility and that is:
a)
a
gas and oil production, storage or delivery system;
b)
a
water supply refinement, storage or delivery system;
c)
an
electrical power delivery system;
d)
a
telecommunications network;
e)
a
transportation system and service, excluding passenger vehicles;
f)
a
personal data storage system, including cybersecurity; or
g)
an
emergency service.
19.
Defines
critical
communications infrastructure
as all physical broadband infrastructure and
equipment that supports the transmission of information and that allows the
user to engage in communications, including service provided directly to the
public.
20.
Defines a
school bus
infraction detection system
as an automated system installed on a school
bus that consists of cameras, sensors and software designed to detect, record
and document traffic violations, including illegally passing the bus when its
stop arm is extended and warning lights are activated, to enhance student
safety and enforce compliance with traffic laws.
21.
Defines
domiciled
as located
in a country where either the company is registered, the company's affairs are
primarily completed or the majority of the company's ownership shares are held.
22.
Designates this legislation
as the
Arizona Critical Infrastructure Protection Act
.
23.
Becomes effective on the
general effective date.
Revisions
�
Updates the fiscal impact statement.
House Action
����������������������������������������������������������
Senate
Action
�������������������������������������������������������������������������
ST������������������� 1/28/26����� DP���� 5-4-0-0���������������� PS������������������� 3/18/26����� DP���� 4-3-0
3
rd
Read��������� 3/3/26������������������ 37-19-3-0-1
Prepared by
Senate Research
April 21, 2026
KJA/hk
Current Bill Text
Read the full stored bill text
HB2134 - 572R - H Ver
House Engrossed
critical
infrastructure; foreign adversaries; prohibition
State of Arizona
House of Representatives
Fifty-seventh Legislature
Second Regular Session
2026
HOUSE BILL 2134
AN
ACT
amending title 18, chapter 1, article 1,
Arizona Revised Statutes, by adding section 18-105; amending title 44,
Arizona Revised Statutes, by adding chapter 42; relating to critical
infrastructure.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be
it enacted by the Legislature of the State of Arizona:
Section 1. Title 18, chapter 1, article 1,
Arizona Revised Statutes, is amended by adding section 18-105, to read:
START_STATUTE
18-105.
Software; critical infrastructure; critical communications
infrastructure; annual prohibited equipment list; definitions
A. Any software that is used for
critical infrastructure in this state may not be produced by a Chinese company.
B. On or before January 1 of each
year, if a critical communications infrastructure provider is a participant in
the secure and trusted communications networks reimbursement program pursuant
to 47 United States Code section 1601, the critical communications
infrastructure provider shall certify to the corporation commission any
instance of prohibited critical communications infrastructure equipment use,
along with the geographic coordinates of the areas served by the prohibited
equipment. If the critical communications infrastructure provider is
certified by the corporation commission, the critical communications
infrastructure provider shall submit a status report to the corporation
commission at the same time that any report is sent to the federal government
in compliance with the secure and trusted communications networks reimbursement
program pursuant to this subsection.
C. Any critical
communications infrastructure
provider that removes,
discontinues or replaces any equipment that is prohibited by this section is
not required to obtain an additional permit from any state agency or political
subdivision of this state for the removal, discontinuance or replacement of the
prohibited equipment.
D. A governmental entity or a critical infrastructure
service provider in this state may not enter into or renew a contract with a
Chinese company if the contract provides the Chinese company with
direct or indirect access to the critical infrastructure.
E.
On or
before March 31, 2027 and each year thereafter,
each
governmental entity and critical infrastructure service provider in this state
shall certify to the corporation commission that the provider
has not
attached to the critical infrastructure or connected to any operating system
that is used by the critical infrastructure service provider any additional
equipment that is prohibited by the corporation commission and that was not in
use in this state before the effective date of this section.
F. On or before December 31, 2026 and
each year thereafter, the corporation commission shall publish a list of all
equipment that is prohibited pursuant to this section from being attached to
critical infrastructure or connected to the operating system that is used by
the critical infrastructure and shall post the list on the corporation
commission's website.
The list must include,
at a minimum, any wi-fi router and modem system, any camera-based
school bus infraction detection system, speed detection system, traffic
infraction detector system and other camera system, battery technology or smart
meter technology, solar inverters and any product that contains cellular
internet-of-things modules that are produced by a Chinese company.
G.
Except as
provided in subsection H
of this section, if monies are
appropriated and distributed to facilitate the removal, each governmental
entity and critical infrastructure service provider in this state shall remove
any equipment that the corporation commission includes on the prohibited
equipment list pursuant to subsection F
of this section.
H.
A
governmental entity or critical infrastructure service provider in this state
may continue to purchase and use any prohibited equipment pursuant to this
section if all of the following apply:
1. There are no other reasonable
providers of the prohibited equipment.
2. The purchase or use of the
prohibited equipment is preapproved by the corporation commission.
3. Not purchasing or using the
prohibited equipment would pose a greater threat to this state than the threat
associated with the prohibited equipment.
I. This section does not require the
corporation commission to inspect all critical INFRASTRUCTURE and equipment or
conduct continuous monitoring or universal physical inspections of critical
infrastructure and equipment in this state to comply with this section. �The
corporation commission shall implement a risk-based oversight program
that includes all of the following:
1. A requirement that each
governmental entity and critical infrastructure service provider HAS COMPLETED
THE self-certification THAT is required by subsection E of this section
in the form of a sworn statement under penalty of perjury.
2. A requirement for a randomized
audit that is conducted on a statistically significant sample of critical
infrastructure service providers and critical communications infrastructure
providers each year.
3. A targeted audit if the
CORPORATION commission receives credible intelligence, a complaint, a federal
advisory or an identified risk factor.
4. A provision that allows the
corporation commission to rely on determinations, advisories or prohibitions
that are issued by a federal agency that has jurisdiction over national
security or communications equipment and cybersecurity in this country.
5. A PROVISION for safe harbor
protections for critical infrastructure service providers and critical
communications infrastructure providers that reasonably rely on manufacturer
certifications and supply-chain disclosures if there is not evidence of
wilful misrepresentation.
J. For
the purposes of this section:
1. "Chinese
company":
(
a
) Means any
company, other than a United States person or United States subsidiary as
defined in 15 Code of Federal Regulations section 772.1, that is any of the
following:
(
i
) Domiciled,
incorporated, issued or listed in the People's Republic of China.
(
ii
) Headquartered
in the People's Republic of China.
(
iii
) Has its
principal place of business in the People's Republic of China.
(
iv
) Controlled
by the government of the People's Republic of China, the Chinese Communist
Party or the Chinese military, or any instrumentality thereof, including the
State-owned Assets Supervision and Administration Commission of the State Council
or the National Social Security Fund.
(
v
) Majority-owned
by an entity controlled by the government of the People's Republic of China,
the Chinese Communist Party or the Chinese military, or any instrumentality
thereof, including the State-owned Assets Supervision and Administration
Commission of the State Council or the National Social Security Fund.
(
b
) Does not include a
parent, subsidiary or affiliate company of an entity prescribed in SUBDIVISION
(
a
) of this paragraph if the parent, subsidiary or
affiliate company does not meet the criteria listed in SUBDIVISION (
a
) of this paragraph and does not recognize more than fifty percent of
the parent's, subsidiary's or affiliate company's total annual global revenue
from China and Hong Kong combined.
2. "
Critical
communications infrastructure
" means all physical broadband
infrastructure and equipment that supports the transmission of information and
that allows the user to engage in communications, including service provided
directly to the public.
3. "Critical
infrastructure" means infrastructure that is owned or operated by this
state, a political subdivision of this state or a publicly regulated utility
and that is any of the following:
(
a
) A gas and
oil production, storage or delivery system.
(
b
) A water
supply refinement, storage or delivery system.
(
c
) An
electrical power delivery system.
(
d
) A
telecommunications network.
(
e
) A
transportation system and service
, not including
PASSENGER vehicles
.
(
f
) A personal
data storage system, including cybersecurity.
(
g
) An
emergency service.
4. "Domiciled" means
located in a country where either the company is registered, the company's
affairs are primarily completed or the majority of the company's ownership
shares are held.
5. "School bus infraction
detection system" means an automated system installed on a school bus that
consists of cameras, sensors and software designed to detect, record and
document traffic violations, INCLUDING illegally passing the bus when its stop
arm is extended and warning lights are activated, to enhance student safety and
enforce compliance with traffic laws.
END_STATUTE
Sec. 2. Title 44, Arizona Revised Statutes, is
amended by adding chapter 42, to read:
CHAPTER 42
CRITICAL
INFRASTRUCTURE
ARTICLE
1. PROHIBITED AGREEMENTS
START_STATUTE
44-8051.
Definition of critical infrastructure
In this chapter, unless the context otherwise
requires,
"critical infrastructure" means
infrastructure that is owned or operated by this state, a political subdivision
of this state or a publicly regulated utility and that is any of the following:
1. A gas and oil production, storage
or delivery system.
2. A water supply refinement, storage
or delivery system.
3. An electrical power delivery
system.
4. A telecommunications network.
5. A transportation system and
service, not including PASSENGER vehicles.
6. A personal data storage system,
including cybersecurity.
7. An emergency service.
END_STATUTE
START_STATUTE
44-8052.
Critical infrastructure; prohibited agreements and contracts;
exceptions; secure and dedicated communications channel
A. Except as provided in subsection B
of this section, a governmental entity or a publicly regulated utility in this
state may not enter into an agreement or contract involving critical
infrastructure in this state with the people's republic of China if under the
agreement or contract the people's republic of China, directly or remotely,
would be able to access or control critical infrastructure in this state.
B. A governmental entity or a
publicly regulated utility in this state may enter into an agreement or
contract involving critical infrastructure in this state with the people's
republic of China if any of the following applies:
1. No other reasonable option exists
for addressing a need that is relevant to critical infrastructure in this
state.
2. The agreement or contract is
approved by the corporation commission.
3. Not entering into the agreement or
contract would pose a greater threat to this state than the threat associated
with entering into the agreement or contract.
C. The department of emergency and
military affairs shall establish a secure and dedicated communications channel
for critical infrastructure providers and military installations across this
state to connect with the department of emergency and military affairs and the
office of the governor in the event of an emergency that damages critical
communications infrastructure. For the purposes of this subsection,
"critical communications infrastructure" has the same meaning
prescribed in section 18-105.
END_STATUTE
Sec. 3.
Short title
This act may be cited as the
"Arizona Critical Infrastructure Protection Act".