Ohio House Bill 96 —
Is Your Organization Compliant?
Ohio’s new cybersecurity law requires every political subdivision to have a formal security program in place. Deadlines are here. Auditor of State reviews are coming. Let’s get you compliant.
Plain English
What is Ohio HB96?
Ohio House Bill 96 was signed into law on June 30, 2025 by Governor Mike DeWine. In plain English: every county, city, village, township, school district, and library in Ohio now must have a written cybersecurity program — or face consequences during their next Auditor of State review.
The law requires your organization to formally adopt a cybersecurity program aligned with either the NIST Cybersecurity Framework (CSF) or CIS Controls. These are nationally recognized security standards — but implementing them from scratch is complex work that most government entities simply don’t have internal expertise for.
The law also creates specific incident reporting requirements and mandates that any ransomware payment must receive formal board/council approval. This isn’t just about technology — it’s a governance and policy requirement.
Who Must Comply
Every political subdivision in Ohio.
- Counties
- Cities and municipalities
- Villages
- Townships
- School districts (K–12)
- Public libraries
- Special districts
- Other political subdivisions
If your entity receives public funding and is subject to Auditor of State oversight, you need a compliance program.
Compliance Deadlines
Time is not on your side.
January 1, 2026
Counties & Cities
PAST DUE. Many counties and cities are already operating without a required cybersecurity program. Every day increases audit risk.
July 1, 2026
All Other Entities
School districts, libraries, townships, villages. This deadline is approaching rapidly. Starting now allows time for proper program development and board adoption.
What’s Required
The specific requirements under HB96.
Written cybersecurity program aligned with NIST CSF or CIS Controls
Documented risk assessment identifying critical functions and potential impacts
Written incident response plan with state reporting procedures
Report cyber incidents to Ohio Dept. of Public Safety within 7 days
Report incidents to the Auditor of State within 30 days
Formal board/council resolution required before paying any ransomware demands
Annual cybersecurity awareness training for all staff
Designated point of contact for cybersecurity matters
Consequences
What happens if you don’t comply?
Non-compliance with HB96 is flagged during regular Auditor of State reviews. Every political subdivision in Ohio is subject to periodic audits — and the Auditor of State is actively reviewing cybersecurity program compliance as part of their standard process.
Beyond the audit finding, consider the compounding risk: if a ransomware attack or data breach occurs while your entity has no cybersecurity program in place, the legal, financial, and reputational consequences are dramatically worse. You can’t pay a ransom without board/council approval under this law — and you can’t get that approval if the required governance structures aren’t already in place.
The cost of compliance is a fraction of the cost of a breach. A ransomware incident affecting a township or school district can easily exceed $500,000 – $2M in recovery costs, legal fees, and notification requirements.
How We Help
Turnkey HB96 compliance in 4–8 weeks.
We handle every aspect of your compliance program — from initial assessment to final board-ready documentation. You get everything you need to satisfy the Auditor of State, delivered on time, written in plain English.
Pricing scaled to entity size. Small villages at lower range; large school districts at higher range.
What You Receive
Cybersecurity Program Document
Aligned with NIST CSF or CIS Controls as required by law
Risk Assessment Report
Identifies critical functions, data, and potential impacts
Incident Response Plan
Includes state reporting procedures for 7-day and 30-day requirements
Ransomware Response Policy
With required board/council resolution template
Security Awareness Training Outline
Ready-to-deliver annual training program
Board/Council Resolution Template
For formal adoption of the cybersecurity program
Auditor of State Readiness Checklist
Verify compliance before your next audit
FAQ
Common questions about HB96.
Don’t wait for the audit finding.
We work with municipalities, school districts, and townships throughout Northwest and Central Ohio to deliver HB96 compliance programs — on time, on budget, and audit-ready.
Serving municipalities, school districts, and townships throughout Northwest and Central Ohio