Ohio's local governments have a new cybersecurity mandate, and it carries real deadlines. Ohio House Bill 96, the state operating budget for fiscal years 2026 and 2027, quietly added cybersecurity duties for every political subdivision in the state. Those duties now live in Ohio Revised Code Section 9.64. If you run a city, village, township, court, or police department, this law applies to you.
The rules took effect September 30, 2025. The work is not optional, and the auditor of state is paying attention. Here is what HB 96 expects, why it matters for your community, and the practical steps that get you compliant without draining your budget.
Who does HB 96 cover
The law reaches broadly. Under ORC 9.64, a political subdivision means a county, township, municipal corporation, or other local body responsible for governmental activities. That covers cities and villages of every size, along with the police departments, courts, and fiscal offices that run on the same networks. A village with one part-time IT contractor faces the same statute as a county with a full department.
The practical takeaway is simple. If your office stores resident data, runs payroll, processes payments, or keeps records on a computer, you are in scope.
What does the law actually require
HB 96 asks each subdivision's legislative authority to adopt a written cybersecurity program. The statute points to widely accepted frameworks as the model, naming the NIST Cybersecurity Framework and the Center for Internet Security guidelines. Your program should identify your critical systems, judge the impact of a breach, detect threats, lay out how you respond to an incident, plan how you recover, and train your people.
Notice the word adopt. This is a formal action by council or the board, not an informal IT memo. The program has to be approved and on the record.
The law also sets reporting duties when something goes wrong. If you suffer a cybersecurity incident or ransomware attack, you must notify the executive director of the Ohio Division of Homeland Security as soon as possible and no later than seven days after discovery. You must also notify the auditor of state as soon as possible and no later than thirty days after discovery. Mark those numbers down now, because the clock starts the moment you discover an incident, not the moment you finish cleaning it up.
What are the deadlines
The statute itself sets a September 30, 2025 effective date for the program requirements. Guidance from legal and state sources points to a staggered adoption schedule after that: counties and municipal corporations were expected to adopt a program by January 1, 2026, with other subdivisions such as townships following by July 1, 2026. Because these dates come from interpretive guidance rather than a single line in the statute, confirm your exact deadline with your law director or solicitor and with current auditor of state bulletins before you rely on it.
If your village or township has not adopted a program yet, treat it as overdue and move quickly.
Why this matters beyond the statute
Local governments have become favorite targets. They hold sensitive resident records, they run essential services, and many operate on tight budgets with aging systems. Attackers know this. A ransomware hit can lock up court dockets, freeze utility billing, or take a police department's records offline for weeks.
There is also the audit angle. The auditor of state already pushed cybersecurity guidance to local governments before HB 96, and now there is a statute behind it. A program that exists only on paper, or not at all, is the kind of finding that follows an entity for years.
What practical steps get you compliant
Start with the written program, because the law requires it and because it forces the right conversations. Map your critical systems and the data you cannot afford to lose. Then build the controls that protect them.
Turn on multifactor authentication everywhere it will work, starting with email, remote access, and any system that touches financial or resident data. Stolen passwords drive a large share of breaches, and MFA blocks most of those attempts on its own.
Train your staff, and document that you did. HB 96 expects training matched to each employee's role, and the state offers a path that satisfies it. Annual training provided by the state, or the Ohio Persistent Cyber Improvement program delivered through the Ohio Cyber Range Institute, counts toward the requirement. Phishing remains the most common way in, so the clerk who opens vendor email needs this as much as your IT lead.
Protect your backups as if your recovery depends on them, because it does. Keep at least one copy offline or otherwise isolated so ransomware cannot reach it, and test a restore on a real schedule. A backup you have never restored is a guess, not a plan.
Write your incident response plan before you need it. Name who calls Homeland Security within seven days and who notifies the auditor within thirty. Keep those contacts somewhere you can reach them even if your network is down.
Think through ransomware payment now, while you are calm. Under ORC 9.64, a subdivision may not pay a ransom unless its legislative authority formally approves the payment by resolution or ordinance that explains why payment serves the community's best interest. That is a deliberate brake. Decide your stance in advance so a 2 a.m. crisis does not become an improvised vote under pressure.
How a local MSP helps
Most Ohio villages and townships do not have a security team, and they do not need to build one from scratch. A managed services provider can stand up the written program, deploy MFA, run the training the state recognizes, harden and test your backups, and put a real incident response plan in your hands. Just as important, a provider who works with municipalities can help you document everything so the auditor sees a program that is genuine, not a binder gathering dust.
Delta IT Advisors works with Cleveland-area local governments on exactly this. If HB 96 has you unsure where your village or department stands, our municipal IT services page is a good place to start, and a short conversation with our team can turn the statute into a clear, prioritized plan. Better to get ahead of the next audit, and the next attacker, now.
This post is general information, not legal advice. Confirm your specific obligations and deadlines with your solicitor and current state guidance.