Ohio Law Establishes New Cybersecurity Mandates for Local Government Entities

In an era of escalating cyber threats, Ohio has taken a bold step toward safeguarding its public infrastructure. With the passage of House Bill 96 (HB 96), signed into law by Governor Mike DeWine on June 30, 2025, the state has ushered in a new era of cybersecurity accountability for “political subdivisions”—such as counties, cities, townships, and school districts. This legislation, which takes effect on September 30, 2025, establishes clear expectations for how government entities must manage cyber risk, respond to incidents, and safeguard sensitive data.

“For many government entities, this marks the first time cybersecurity is treated not as an IT side project, but as a core public service responsibility,” says Jesse Kegley, Chief Revenue Officer at Emerge. “This is good news for the citizens of Ohio.”

Here’s what you need to know—and what you can do to prepare.

What Is Ohio HB 96?

Ohio HB 96 is a sweeping cybersecurity mandate embedded in the state’s Fiscal Year 2026 budget. It requires every political subdivision to implement a cybersecurity program that aligns with recognized industry frameworks. The law also introduces strict new rules around ransomware response and incident reporting. Local governments must demonstrate compliance through documented decisions and a record of reasonable security practices.

Who Is Covered?

The law applies to all Ohio political subdivisions, which include:

  • County governments
  • Municipalities (cities and villages)
  • Townships
  • School districts
  • Special districts and authorities

If your organization falls under any of these categories, you are required to comply with HB 96 by the September 30, 2025, deadline.

Key Requirements of HB 96

Here are the core mandates outlined in the legislation:

Cybersecurity Program Implementation
Political subdivisions must adopt a cybersecurity program that aligns with recognized frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

“The NIST standard provides structured, proven approaches to identifying, protecting, detecting, responding to, and recovering from cyber threats,” says Kegley.

Incident Response and Ransomware Protocols
HB 96 requires local governments to have a formal incident response plan, including specific protocols for ransomware attacks. This includes:

  • Immediate containment procedures
  • Notification timelines
  • Coordination with law enforcement and state agencies

Documentation and Audit Trail
Entities must maintain a detailed record of cybersecurity decisions, policies, and actions. This documentation will serve as proof of compliance and may be subject to audit or review.

Training and Awareness
Staff must receive regular cybersecurity training. This includes phishing awareness, password hygiene, and protocols for reporting suspicious activity.

Third-Party Risk Management
Vendors and contractors with access to public systems or data must meet minimum cybersecurity standards. Contracts should include clauses that enforce compliance and outline breach notification responsibilities.

Some Tips for Compliance and Readiness

1. Start with a Risk Assessment
Before you can fix vulnerabilities, you need to know where they are. Conduct a comprehensive risk assessment to identify gaps in your current cybersecurity posture. Consider hiring a certified third-party assessor if internal resources are limited.

2. Create a Cybersecurity Governance Team
Form a cross-functional team that includes IT, legal, finance, and operations. This group should oversee policy development, training, and compliance tracking.

3. Invest in Endpoint Protection and Monitoring
Many ransomware attacks begin with a compromised endpoint. Deploy antivirus software, enable multi-factor authentication (MFA), and use endpoint detection and response (EDR) tools to monitor activity.

4. Create a Clear Incident Response Plan
Your plan should outline roles, responsibilities, and communication protocols. Include contact information for law enforcement, state cybersecurity officials, and legal counsel.

5. Train Staff Early and Often
Human error is a leading cause of breaches. Provide regular training sessions and simulate phishing attacks to test employee readiness.

6. Review Vendor Contracts
Ensure that all third-party vendors meet your cybersecurity standards. Update contracts to include breach notification clauses and indemnification language.

Now’s the Time

Ohio HB 96 is a wake-up call for local governments. The days of treating cybersecurity as a back-office concern are over. With clear mandates and a firm deadline, political subdivisions must act swiftly to build resilient systems and safeguard public data.

If OH HB 96 has you feeling uncertain or overwhelmed, reach out to Emerge today. We can help you achieve compliance with the right people, processes, and technology.
