The REPAIR Act requires motor vehicle manufacturers to give owners and their designees unfettered access to vehicle-generated data and to sell the diagnostic information, tools, and parts needed to maintain and repair vehicles — including making proprietary diagnostic devices available on fair terms. It prohibits technological or contractual barriers that impede owner-directed repairs, forbids software updates intended to render compatible alternative parts inoperable (with narrow safety exceptions), and mandates owner notification when designees access vehicle data.
The bill assigns regulatory and enforcement roles to the National Highway Traffic Safety Administration (to set security standards) and the Federal Trade Commission (to enforce the Act and host a complaint mechanism), establishes an advisory committee with public- and private-sector representation, and preempts state laws that would require branded parts or bar aftermarket/remanufactured parts. For OEMs, independent shops, parts manufacturers, fleets, and compliance officers, the Act creates clear new obligations and a federal floor for right-to-repair and data access, while delegating technical details and security trade-offs to agency rulemaking.
At a Glance
What It Does
The bill bans technological and contractual 'barriers' that prevent owners, their designees, and independent repair actors from accessing vehicle-generated data, critical repair information, tools, and parts; requires manufacturers to provide such data and materials on fair, reasonable, and non-discriminatory terms; and restricts manufacturer mandates favoring particular brands. It pairs those obligations with NHTSA rulemaking on security standards and FTC enforcement authority.
Who It Affects
New duties fall on motor vehicle manufacturers, franchised dealers, and any proprietary-device holders; the aftermarket ecosystem — aftermarket/remanufactured parts producers, diagnostic tool manufacturers, distributors, independent repair facilities, junk/salvage yards — gain explicit access rights; fleets, insurers, and vehicle owners/lessees are also directly affected.
Why It Matters
The Act establishes a federal right-to-repair/data-access floor that undercuts OEM practices that tie repairs and parts to proprietary systems or business models. It forces manufacturers to reconcile cybersecurity protections with mandated access, reshapes aftermarket competition, and concentrates dispute resolution and rulemaking at FTC and NHTSA.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The REPAIR Act creates a right for vehicle owners (and anyone the owner designates) to obtain the data their vehicles generate and to buy the technical information, diagnostic tools, and parts needed to maintain or restore the vehicle. The statute defines what counts as vehicle-generated data and critical repair information, and then says manufacturers cannot employ technological or contractual means that 'materially interfere' with an owner's ability to access that data, pair alternative parts, or use independent repair and towing services.
The operative access and anti-lock provisions kick in 180 days after enactment.
The bill recognizes cybersecurity and safety concerns but places the burden on NHTSA to write technical security standards within a year, in consultation with NIST. Manufacturers may use cryptographic protections to secure data and vehicle systems only if those measures still allow the access and nondiscrimination the Act requires.
The law also says manufacturers cannot push brand-specific tool or part mandates in routine repair instructions (except for recalls, warranty repairs, and voluntary campaigns), and they must notify owners when a designee is accessing their vehicle data.Enforcement and dispute-handling sit primarily with the Federal Trade Commission. The FTC treats violations as unfair or deceptive acts under its existing authority, must set up a consumer complaint mechanism within 90 days, and follows a compressed process: manufacturers get up to 30 days to respond to complaints and the FTC must conclude investigations within five months.
The statute also establishes an eleven-member advisory committee — mixing independent repair, parts makers, OEMs, dealers, insurers, fleets, and consumer groups — to recommend best practices and monitor barriers to competition.Finally, the Act preempts state laws that would require use of a particular brand of tools or parts or that ban the use of aftermarket, recycled, or remanufactured parts purely on that basis. Several definitional hooks (for what constitutes a barrier or additional categories of vehicle data) are left to FTC rulemaking in consultation with NHTSA, so agencies will shape the detailed contours once the statutory clock runs.
The Five Things You Need to Know
Key obligations take effect 180 days after enactment: manufacturers must stop using technological or contractual barriers that impede owners’ access to data, repairs, towing, or installation of compatible alternative parts.
The bill bars manufacturers from issuing software updates intended specifically to render compatible aftermarket or alternative parts inoperable, except when ordered by NHTSA or when addressing driver and operational safety.
NHTSA must issue security standards for data access within one year (in consultation with NIST); the FTC must establish a consumer-notification rule at point of sale within two years and a complaint intake mechanism within 90 days.
Violations are enforced by the FTC as unfair or deceptive acts under the FTC Act; manufacturers must respond to forwarded complaints within 30 days and the FTC aims to complete related investigations within five months.
The Act preempts state laws that mandate use of particular branded tools or parts or prohibit aftermarket/recycled/remanufactured parts solely because they are not original equipment.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions that set scope for data and repair rights
This section supplies precise statutory definitions for key terms — vehicle-generated data, critical repair information, aftermarket/alternative parts, barriers, telematics systems, and service providers. Those definitions determine the reach of the access and anti-locking rules. Importantly, the statute explicitly allows the FTC (with NHTSA consultation) to expand these definitions by regulation, which means agency rulemaking will shape which new data types and technologies fall under the Act.
Core prohibition on barriers and affirmative access duty
The heart of the bill prohibits manufacturers from deploying technological or contractual 'barriers' that materially interfere with owners or independent actors accessing data, pairing aftermarket parts, or using independent repair/towing services. It also creates an affirmative duty: manufacturers must provide owners and designees access to vehicle-generated data and sell critical repair information, tools, and parts to repair-industry actors on fair, reasonable, and non-discriminatory terms. For compliance teams, that means reworking access controls, sales channels for diagnostic tools and information, and licensing models tied to authorized repair networks.
Limits on brand mandates, designee rights, and owner notifications
The law forbids manufacturers from mandating specific brands in repair literature or from categorically prohibiting alternative parts in repair guidance — with an explicit carve-out for recalls and warranty/voluntary campaigns. It requires that owners be able to designate multiple designees and revoke those designations as easily as they granted them. Manufacturers must also notify owners via in-vehicle screens or mobile devices when a designee is accessing their vehicle data, creating a transparency duty tied to telematics implementations.
Software updates and cybersecurity guardrails
Manufacturers cannot intentionally push OTA or other software updates that disable compatible alternative parts, except as required by NHTSA order; however, they may deploy cryptographic protections necessary to secure data and safety-critical systems so long as those protections still permit the access the Act mandates. That creates a dual compliance test: security measures must be effective but not serve as de facto locks that thwart lawful access or competition.
Advisory Committee to monitor market barriers
The bill instructs the FTC to create a Fair Competition After Vehicles Are Sold Advisory Committee with multi-stakeholder membership (independent repair, OEMs, parts makers, dealers, insurers, fleets, consumer groups, NHTSA and FTC officials). The committee must meet regularly, produce an initial report within 180 days of its first meeting, and annually thereafter assessing barriers and recommending best practices — a mechanism intended to keep regulators apprised of rapid technology shifts.
NHTSA and FTC rulemaking timelines
NHTSA has one year to issue regulations setting security procedures and standards for owner access to vehicle data (with NIST input). The FTC, jointly with NHTSA, must create rules within two years requiring manufacturers and dealers to inform buyers about their rights at point of sale or lease. Those deadlines allocate the technical balancing of privacy and security to agencies rather than Congress.
FTC enforcement framework and complaint process
The FTC enforces the statute under its unfair-or-deceptive-authority; violations are treated like breaches of an FTC rule. The agency must set up a complaint intake process within 90 days, forward complaints to named manufacturers, and expects manufacturers to answer within 30 days. If unanswered, the FTC investigates and must issue a final order resolving the investigation within five months; orders are appealable to federal court. That structure compresses timelines and centralizes dispute resolution at the FTC.
Federal preemption of conflicting state laws
The Act preempts state and local requirements that would mandate use of specific brands or bar aftermarket/recycled/remanufactured parts solely for being non-original-equipment. This creates a national floor and prevents a patchwork of state rules that could impede interstate aftermarket commerce, but also denies states the ability to impose stricter parts- or brand-specific restrictions.
This bill is one of many.
Codify tracks hundreds of bills on Transportation across all five countries.
Explore Transportation in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Independent repair facilities and technicians — They gain statutory access to vehicle data, diagnostic information, and tools, reducing dependence on OEM-authorized networks and expanding service offerings.
- Aftermarket, remanufacturing, and recycled-parts producers — The bill removes contractual and technical impediments to designing and selling compatible parts, improving market access and enabling competition on price and availability.
- Motor vehicle owners and lessees — Owners obtain stronger control over who accesses their telematics and who repairs their vehicles, plus explicit rights to choose parts and service providers and to receive notifications when designees access data.
- Fleets and trucking companies — Fleets can designate in-house or third-party maintenance providers and obtain vehicle data needed for diagnostics and fleet management without OEM gatekeeping, improving uptime and cost predictability.
- Diagnostic tool manufacturers and distributors — The requirement that manufacturers make diagnostic tools and information available on fair terms opens market opportunities for independent tool makers and resellers.
Who Bears the Cost
- Motor vehicle manufacturers and affiliated dealer networks — OEMs must rearchitect access controls, revise licensing and sales models for diagnostic tools and software, disclose technical data, and adapt OTA update practices, which could be expensive and complex.
- Telematics and connected-services business models — Manufacturers and telematics vendors that monetize data or tie features to proprietary service subscriptions may lose exclusivity and revenue streams tied to closed data access.
- Regulatory agencies (NHTSA and FTC) — Agencies inherit tight rulemaking deadlines, ongoing oversight, and complaint/investigation workloads without explicit appropriation, increasing administrative burden.
- Independent repair shops lacking cybersecurity capacity — While they benefit commercially, some small shops will need to invest in new tools, training, or security practices to meet cryptographic access methods and avoid introducing risks.
- Parts and software testing operations — Ensuring compatibility and safety when alternative parts interface with software-controlled systems will require additional testing, certification, and potential liability exposure.
Key Issues
The Core Tension
At its core the Act pits consumer control and market competition against manufacturers’ legitimate needs to secure vehicles and preserve safety-critical software integrity; resolving that tension requires technical standards and enforcement judgments that will determine whether access becomes meaningful in practice or whether security and business-model exceptions recreate de facto locks.
The REPAIR Act forces a technical and policy reconciliation that the statute deliberately delegates to NHTSA and the FTC. The bill instructs agencies to allow robust owner and third-party access while simultaneously preserving cryptographic protections for safety and security; executing that in practice is a hard engineering and regulatory task.
Agencies will have to specify interoperability protocols, authentication standards for designees, and conditions under which an OTA update may alter part behavior — decisions that will materially affect compliance costs, intellectual property protections, and the security posture of vehicles.
Another tension lies in enforcement design. The Act compresses complaint and investigation timelines (30-day manufacturer response, five-month investigation resolution) and treats violations as unfair or deceptive acts under the FTC Act.
That creates predictable remedies but also pressures the FTC’s investigatory resources. The preemption clause simplifies the national legal landscape for parts and repairs, but it also prevents states from experimenting with alternative protections (for example, stronger consumer privacy or local safety mandates) that may be desirable in specific jurisdictions.
Lastly, the definitions of 'barrier' and 'vehicle-generated data' are broad and open-ended; the scope of those terms will be determinative and uncertain until agency rulemaking clarifies them, leaving a period of regulatory uncertainty for regulated parties.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.