HB 96 Ushers in a New Era of Cybersecurity for Ohio

When Governor Mike DeWine signed Ohio House Bill 96 into law on June 30, 2025, it set the stage for a major shift in how local governments and school districts handle cyber risk. This new law takes effect on September 30, 2025, and it brings with it clear expectations, tighter reporting timelines, and a higher standard for protecting public data.

For many communities, this will be the first time cybersecurity is treated as a core public service responsibility rather than an IT side project.

Raising the Cybersecurity Bar

HB 96 now requires every county, municipality, township, and school district in Ohio to have a formal cybersecurity program. The law outlines six key areas that must be covered: risk identification, impact assessment, threat detection, incident response, post-incident recovery, and role-based employee training.

If you have ever looked at the NIST Cybersecurity Framework or the CIS Controls, you will recognize this structure. The difference is that this is now a legal requirement, not just a set of best practices. It means documenting how your systems are protected, training your people to recognize threats, and planning for both prevention and recovery.

Ransomware Decisions Under the Spotlight

Ransomware has hit public sector organizations hard in recent years, and HB 96 addresses it head-on. Under the new law, a local government or school cannot pay a ransom unless the governing body approves it through a formal vote. That means city councils, township trustees, and school boards will have to go on record before sending any payment.

This approach slows down the decision-making process and brings public accountability to a situation that often plays out under intense pressure. It may also discourage paying attackers, which in turn could reduce the number of targeted attacks.

Reporting Incidents Faster

Once a cybersecurity incident is discovered, the organization has seven days to notify Ohio’s Division of Homeland Security and thirty days to report it to the Auditor of State. These deadlines push local agencies to act quickly and ensure that state-level resources are aware and ready to assist.

Fast reporting also creates a clearer picture of what threats are active across the state, making it easier to coordinate responses and share information.

Keeping Sensitive Cyber Information Out of Public View

HB 96 also protects certain cybersecurity records from public disclosure. Plans, incident reports, and procurement details will not be available through public records requests. This prevents attackers from using these documents to identify weaknesses while still allowing oversight from authorized agencies.

Why This Matters in Ohio

For many smaller governments and school districts, cybersecurity has often been reactive and underfunded. HB 96 changes the expectation. It requires a shift toward proactive planning, documented processes, and ongoing training. It moves cybersecurity from the background to the boardroom.

The law is not just about compliance. It is about resilience. Communities that meet these requirements will be better positioned to prevent attacks, recover faster when incidents occur, and maintain public trust.

How This Fits into the National Picture

Ohio is not acting in isolation. Across the country, states are introducing laws that push public sector organizations to improve their cybersecurity posture.

Florida has had similar requirements in place for several years. Local governments there must train all employees with network access within 30 days of hire and annually thereafter. Those in sensitive roles must complete advanced training. Ransomware incidents must be reported to the Florida Digital Service and the Florida Department of Law Enforcement within 12 hours, with additional requirements for high-severity events and after-action reporting. Florida also mandates adoption of NIST-aligned cybersecurity standards, along with detailed cybersecurity planning and operational controls. Compliance timelines have been phased in based on jurisdiction size, with most deadlines landing in 2024 or 2025.

Other examples include:

- New York, which has established cybersecurity requirements for certain regulated entities, including mandatory risk assessments and incident reporting.

- Texas, which requires state agencies and some local governments to complete regular cybersecurity training and follow specific security standards.

- Louisiana, which has banned the use of public funds to pay ransomware demands altogether.

- California, which has expanded data breach notification requirements and applied them to a broader set of public entities.

The trend is clear: more states are holding public agencies accountable for cybersecurity readiness and reporting. Federal guidance, including the CISA Cybersecurity Performance Goals, is also influencing how state laws are written.

A Funding Opportunity Many Are Missing

In addition to new state mandates, there is approximately $100 million in federal grant funding available for state governments, municipalities, and Tribal entities to strengthen cybersecurity. This funding can cover technology upgrades, training, and program development that align with HB 96’s requirements.

Cyberleaf can help local governments pursue this funding. We work with partners to provide grant-writing support and ensure proposals align with both technical and compliance needs.

About Cyberleaf

At Cyberleaf, we build and manage cybersecurity programs that meet regulatory requirements while addressing the real-world threats organizations face every day. For Ohio’s local governments and schools, that means we can help with readiness assessments, program development, incident response, and 24/7 monitoring through our U.S.-exclusive Security Operations Center.

We also help public sector organizations secure and manage grant funding to cover these initiatives, working closely with partners like Splunk to support grant-writing efforts that align with both technical and compliance needs.

If your organization wants to prepare for HB 96 or secure funding to strengthen your defenses, contact Cyberleaf today to get started.

The Clock is Ticking

September 30 will come quickly. Now is the time to review your current cybersecurity posture, identify any gaps, secure available funding, and start building the program that HB 96 requires. The sooner you begin, the better prepared you will be when the law takes effect.