NSITSP Update: Taxes, Repair, Safe Harbor (EP 1030)

Regulations are shifting fast, and this NSITSP update walks through the new cyber laws, safe harbor protections, right to repair battles, and tax trends that are already reshaping how we run MSPs and IT service businesses. I break down what’s happening, why it matters, and where NSITSP is stepping in so you’re not blindsided by policy changes at the state level.
Statehouses have been busy, and the Center for Long-Term Cybersecurity at UC Berkeley found that in 2025 alone, state governments passed 99 cybersecurity-related bills, creating 393 new statutory requirements. Most of these new laws hit public schools, state agencies, cyber insurance policyholders, and critical infrastructure, which means your client base is becoming more regulated even if MSPs aren’t named directly in the statutes. I walk through how this shows up in your day-to-day work as new documentation, governance, and compliance expectations that land on your plate, and how to use the referenced database as a cheat sheet for scoping projects and updating your service catalog.
We also unpack cybersecurity safe harbor laws, now on the books in states like Ohio, Connecticut, Iowa, Nebraska, Oklahoma (for hospitals), Tennessee, and Texas, where a written, framework-aligned security program can give you an affirmative legal defense after a breach. From there we head into Colorado’s digital right to repair fight, California’s proposal to tax downloaded software, the broader trend of states taxing software in more than 30 jurisdictions, and NSITSP’s work building a legislative toolkit, outreach guides, and model IT provider legislation that’s ready to use if regulators decide to come back for our industry.
=== Chapters
- 00:25 NSITSP Update Intro
- 02:07 State Cyber Laws Surge
- 05:14 Safe Harbor Protections
- 08:52 Right to Repair Battle
- 12:27 Software Tax Debate
- 14:53 Policy Toolkit Launch
=== Companies / Vendors / Products / Books
- National Society of IT Service Providers (NSITSP): https://nsitsp.org
- Center for Long-Term Cybersecurity (UC Berkeley): https://cltc.berkeley.edu
- NIST (National Institute of Standards and Technology): https://www.nist.gov
- FedRAMP (Federal Risk and Authorization Management Program): https://www.fedramp.gov
- Center for Internet Security (CIS): https://www.cisecurity.org
- ISO 27000 (ISO/IEC 27000 family): https://www.iso.org/isoiec-27001-information-security.html
- HIPAA (Health Insurance Portability and Accountability Act): https://www.hhs.gov/hipaa
- Ohio Revised Code (Sections 1354.01 and 1354.05): https://codes.ohio.gov/ohio-revised-code/chapter-1354
- Colorado Consumer Right To Repair Digital Electronic Equipment Law: https://leg.colorado.gov
- California State Government (sales tax on downloaded software context): https://www.cdtfa.ca.gov
- Maryland Tax on IT Services (Maryland State Government): https://www.marylandtaxes.gov
=== SPONSORS:
- Livestream Partner, ThreatLocker: https://www.itbusinesspodcast.com/threatlocker
- Technology Partner, NetAlly: https://www.itbusinesspodcast.com/netally/
- Technology Partner: Bvoip: https://www.itbusinesspodcast.com/bvoip
- Travel Partner: TruGrid: https://www.itbusinesspodcast.com/trugrid
- Digital Partner, Designer Ready: http://itbusinesspodcast.com/designerready
=== SHOW MUSIC:
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Author Username: AlexanderRufire
- Item License Code: 7X9F52DNML
=== Connect with Uncle Marv
🌐 Website: https://www.itbusinesspodcast.com/
🎙 Host: Marvin Bee
🛒 Uncle Marv’s Amazon Store (gear & tools I recommend): https://amzn.to/3EiyKoZ
☕ Support the show: https://ko-fi.com/itbusinesspodcast
If you found value in this episode, share it with another MSP, IT provider, or tech entrepreneur. Your support helps keep practical, no-nonsense IT business conversations coming every week.
[0:13] Hello, friends. Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers where we help you run your business better, smarter, and faster.
[0:25] Today, folks, we are going to do something a little bit different. I'm going to be doing an update for the NSITSP.
[0:34] And this is an update where we're going to talk about some of the things that the organization has been doing over the last few months. We've not heard a lot from them unless you've been a part of the organization. So this news brief is going to be a summary of some of the things that they've done. It won't encompass everything. But for those of you that do not know, the NSITSP is named the National Society of IT Service Providers.
[1:02] And their mission is to keep you up to speed on the laws, regulations, and trends shaping your business as an MSP or IT service provider. Now, I will say if you're listening and you're not yet a member, NSITSP exists for you. It's a member-driven non-profit organization working to make sure IT service providers have a real voice with legislators, regulators, and industry stakeholders, not just when the bad bills show up, but year-round as policy is being written. And as you listen today, think about this. Who is speaking for you when states talk about taxing IT, regulating providers, or limiting what you can repair for your clients? If you want a seat at the table, head over to nsitsp.org, click on join and become a member. It's quick, it's affordable, and it's how you move from just reacting to laws to actually helping shape them.
[2:07] So let's go ahead and jump into our first story.
[2:12] Across the country, state legislatures have been busy. Research from the Center for Long-Term Cybersecurity at UC Berkeley found that in 2025 alone, state governments passed 99 cybersecurity-related bills, resulting in 393 new statutory requirements. Now, most of these new laws were aimed at public schools, state agencies, cyber insurance policyholders, and high-risk critical infrastructure sectors that are already resource constrained. Many of the laws align with the governance function of the NIST Cybersecurity Framework, emphasizing risk management, oversight, and documented security practices. So, for MSPs and IT service providers, the big story is not that lawmakers are suddenly trying to regulate your business directly, but the fact that they are rapidly building sector-specific compliance obligations that your clients now have to meet.
[3:21] The report highlights a trend: rather than writing broad laws for IT providers, legislatures are targeting specific lines of business like education, financial institutions, and public agencies, and they're layering on cybersecurity requirements there. So in practice, that means your client base is becoming more regulated even if you are not explicitly named in the statute.
[3:50] Operationally, this creates a quiet but real shift in your responsibilities. When schools, local governments, or regulated critical infrastructure customers get new statutory requirements, someone has to implement controls, document processes, and demonstrate compliance, and that someone is often their service provider. The database referenced in the article lets you search what bills passed in your state, what business line they target, what issue they address, and what policy changes they introduce, including second-order changes where a single bill produces multiple new obligations. The practical move here is straightforward. Identify which of your clients fall into those heavily targeted sectors and review the state-level laws that now apply to them. Use the database and accompanying report as a cheat sheet for scoping new compliance projects, adjusting your service catalog, and flagging where you might need new templates, policies, or addenda in your agreements. This isn't just regulatory trivia. It's a roadmap for new service opportunities, and a warning that compliance by accident is no longer going to fly.
[5:14] Let's move from what states are doing to your clients to what states might do for you when things go wrong. Safe harbor laws are starting to show up on more MSP radar screens, and for good reason. A cybersecurity safe harbor law doesn't prevent you from being sued after a breach, but it can give you an affirmative defense, essentially a legal shield, if you can prove that you followed the cybersecurity provisions spelled out in your state's law. So in plain English, you may still go to court, but if your program meets the law's requirements, it's harder for a plaintiff to convince a judge or jury that you were negligent.
[6:01] As of the article's publication, eight states had enacted some form of cybersecurity safe harbor law. Connecticut, Iowa, Nebraska, Ohio, Oklahoma, but for hospitals only, and then we round out with Tennessee and Texas. Many of these are based on Ohio's law, found in sections 1354.01 and 1354.05 of the Ohio Revised Code. The Ohio Framework spells out who is covered, what a written cybersecurity program must address, and which cybersecurity frameworks are considered acceptable, including NIST frameworks, FedRAMP, CIS controls, ISO 27000, HIPAA, and several others.
[6:53] It also requires that you update your program within one year of any update to your chosen framework, and it explicitly applies to both private and class action lawsuits. So for service providers, the key is that safe harbor protection is not automatic. Your cybersecurity program has to be in writing, implemented, and aligned with one of the approved frameworks before an incident occurs.
[7:21] In practice, you will likely need an external audit or assessment to validate that you have a documented program and that you are actually following it. Now, these laws are relatively new, and there is still very little case law, so we don't have many real-world decisions showing exactly how courts will interpret them. And remember, safe harbor laws have nothing to do with breach notification. Every state has its own rules for how and when you must report breaches, and regulated industries have additional federal requirements on top.
[8:01] If your state has a safe harbor law, you should treat it like an incentive to formalize what you may have already been doing informally. Pick an appropriate framework, document your program, track updates, and be prepared to prove your alignment. If your state doesn't have a safe harbor law, NSITSP recommends building relationships with your legislators and advocating for one, probably using Ohio's law as a model and explaining why framework-based cybersecurity is good business for everyone, not just IT providers. Either way, following a recognized framework is just good practice and can reduce the likelihood that you ever need to rely on safe harbor in court at all.
[8:53] Now let's shift from cyber policy to hardware and repair rights. Colorado has become a major test case in the digital right to repair debate. The state's consumer right to repair digital electronic equipment law, which has been in effect since January 1st of 2026, grants owners and independent repair providers access to parts, tools, documentation, and software needed to repair a broad range of IT and electronic devices.
[9:27] In 2026, Senate Bill 26-090 tried to carve out information technology equipment used in critical infrastructure from those protections, a change strongly backed by large technology vendors who claimed it was needed for security. The problem was the breadth of the federal, quote, critical infrastructure definition. The same laptops, servers, firewalls, and switches you deploy in small business are often also deployed in hospitals, utilities, and financial institutions. So under SB 26-090, those devices could have been treated as exempt from right to repair protections simply because they are also used in critical sectors, even when they sit in a dentist's office or a local manufacturer. For your clients, that would have translated into fewer options and higher costs as they would have been pushed back towards OEM-only repair channels. It also would have meant longer downtime, especially in rural or underserved communities that rely on local MSPs rather than distant vendor technicians, and more operational friction when you try to replace failing hardware, apply firmware updates, or restore systems during incidents.
[10:56] After testimony from consumer advocates, small business groups, recyclers, and others, a Colorado House committee rejected SB 26-090. The existing right to repair protections for digital equipment remain intact, preserving your ability to source parts, tools, and information to keep client systems running. For NSITSP members, the takeaway is that digital right to repair is not just a consumer issue. It goes directly to your ability to provide timely, cost-effective, and resilient services.
[11:33] Looking ahead, NSITSP is signaling that any broad, definition-based, quote, critical infrastructure, carve-out is a red flag that could quietly strip repair rights from ordinary IT gear your clients depend on. The organization supports strong right-to-repair laws paired with sensible security safeguards, and it opposes efforts to use security language as a backdoor to roll back repair rights for everyday equipment. If you see similar right-to-repair proposals in your state, particularly those that reference critical infrastructure, NSITSP is asking members to share those bills with the legislative committee so they can review, respond, and coordinate an industry voice.
[12:27] From hardware, let's talk money, specifically taxes. The NSITSP Legislative Committee was recently asked by a member to take a position on a proposal to extend California's sales tax to downloaded software. When the committee looked at the broader landscape, they found that more than 30 states already tax software, and of those, 25 specifically tax downloaded software. From that perspective, the California proposal is less of a radical new idea and more of a catch-up move, which is why the committee ultimately chose not to take an official position. There is a blog post, and it has notes paraphrasing Ben Franklin: "Nothing is more certain than death and taxes." And no, I'm not going to edit that out.
[13:24] This stance is notably different from NSITSP's earlier position on the Maryland Tax on IT Services. In that case, the tax targeted IT services specifically after an initial draft that would have applied to all business-to-business services. Taxes on services are still relatively uncommon across the states, and the committee believed IT services were being singled out in part because IT providers lack strong representation and a unified political voice. This is precisely the gap NSITSP aims to fill, pushing back when IT services are uniquely and unfairly targeted. The bottom line is nobody enjoys paying taxes, and fast-moving, cloud-centric business models make it even harder to determine what is taxable, where, and when. Legislators often do not fully understand the nuances of IT and cloud services, which can create confusion or poorly scoped rules. NSITSP is committed to being a voice for IT service providers in policy discussions, particularly when proposed taxes appear to unfairly impact the industry, even if that does not mean taking a position on every tax change like California's move on downloaded software.
[14:54] Well, we've talked a lot about what legislators are doing. Let's close the loop with what you can do. Behind the scenes, the NSITSP Legislative Committee has been building a toolkit to help IT service providers step into the policy arena more confidently. Committee Chair Ted Geisler outlined several resources now available on the NSITSP website, starting with a legislative resource guide in a tri-fold format designed for conferences and events. The goal of the piece is simple: help IT professionals understand why engagement matters and give them something tangible to hand out when encouraging peers to join NSITSP and talk to their legislators.
[15:43] The committee has also published a short guideline document that walks IT providers through how to reach out to their legislators, essentially a practical how-to for that first contact. On top of that, they spent two years developing model legislation for IT service providers, created at a time when roughly 99 bills had been floated across the states to directly regulate IT service providers. None of those bills ultimately passed, and there does not appear to be an active push to regulate the industry right now. But the model bill remains ready as a proactive recommendation if regulation resurfaces. It's written from the industry's perspective, so it reflects what providers consider reasonable and workable.
[16:36] All right, well, that is going to do it for this NSITSP community update. If any of these stories made you think, quote, somebody needs to talk to our legislators about this, remember that someone is us, together. NSITSP was created so IT service providers don't have to fight these battles one by one, in silence, or after it's too late.
[17:01] If you're not a member yet, take a minute today and visit nsitsp.org. You can join as an individual or as a company, sign up for updates, check out the legislative resource section, and see how you can start building relationships with your own lawmakers. Even one email, one meeting, or one shared resource can make a difference. And if you're already a member, thank you. The next step is getting involved. Share this update with your peers. Bring one more provider into the community and consider volunteering for a committee or helping us track legislation in your state. The more informed and engaged we are as a profession, the harder we are to ignore. Thanks for listening, folks. That'll be it for this update. We'll be back with more, and until then, holla.