At 3 PM on a Tuesday, your information technology person discovers suspicious network activity. Under House Bill 96, you have 7 days to report this to the state. Do you know who to call first? Can you distinguish between a reportable incident and routine IT maintenance? Most importantly, do you have the documentation ready to prove compliance?
If these questions make you pause, you’re not alone. In our work with Ohio public entities, we’ve seen seasoned administrators caught off-guard by the breadth of Ohio’s new cybersecurity requirements. Governor DeWine signed HB 96 on June 30, 2025, creating comprehensive mandates for every political subdivision in the state. The good news? There’s still time to get this right if you start now.
Understanding Your Three Core Obligations
Ohio Revised Code Section 9.64 creates three distinct requirements that affect every county, township, municipal corporation, school district, and governmental body in Ohio:
- Implement comprehensive cybersecurity programs that safeguard data and information technology systems using established frameworks
- Report cybersecurity incidents to state authorities within strict timeframes
- Restrict ransomware payments unless formally approved through legislative action
The challenge we’ve observed? Many entities don’t know where to start, or they focus only on the program development deadlines (January 2026 for counties/cities, July 2026 for others) while overlooking the immediate September 30, 2025 reporting requirements. This creates a dangerous gap.
If you’re reading this in September: Your priority is incident response planning and contact designation. Program development comes later.
If you’re a smaller organization with limited IT resources: You may want to focus on the free state resources and partnership opportunities rather than trying to build everything in-house. While Ohio HB 96 applies to all political subdivisions regardless of size, the frameworks are designed to be scalable to your organization’s capacity.
If you’ve never experienced a cyber incident: Don’t assume you won’t need to report. HB 96’s incident definition is broader than many expect.
Building Your Cybersecurity Program
The law requires alignment with established frameworks like the NIST Cybersecurity Framework or Center for Internet Security controls. In our experience helping Ohio entities with compliance, many don’t know where to begin this process or are unsure of how to align with a framework. Partnering with private sector IT and cybersecurity professionals is key to helping with implementation.
Essential program components include:
- Identifying critical functions and cybersecurity risks specific to your political subdivision
- Assessing potential impacts of security breaches on your actual operations and services
- Implementing threat detection mechanisms for potential threats and cyber events
- Establishing communication channels and incident response procedures that work around the clock
- Creating plans for infrastructure repair and post-incident security maintenance
- Implementing a security awareness training program
Here’s what we’ve learned works: Start with an assessment of your existing IT environment. Many entities already have security tools, internal controls, and processes that can meet framework requirements with proper documentation and staff training, but there are likely gaps. Assessing those gaps and determining how to close them is important.
Incident Reporting: Where Entities Struggle Most
Entities may struggle most with the reporting timeline because HB 96 defines cybersecurity incidents more broadly than many anticipate. Beyond obvious ransomware attacks, reportable incidents include substantial loss of data confidentiality, operational disruptions, business continuity failures, and unauthorized access through third-party compromises. When the incident is identified, the clock starts ticking.
Your reporting obligations: Contact the Ohio Cyber Integration Center (OCIC) at 614-387-1089 within seven days. They’ll coordinate with other law enforcement when appropriate. Separately, notify the Ohio Auditor of State within 30 days using procedures they’ll release soon.
What To Do About Ransomware?
Cyber-attacks, including ransomware attacks, can be incredibly damaging. While implementing a cybersecurity program will not prevent a cyber-attack from occurring, it is imperative to have a program in place to reduce the risk of an attack.
If a cyber-attack takes the form of ransomware, in which data is encrypted or stolen, the new cyber requirements restrict local governments from paying or complying with ransom demands unless the legislative authority passes a formal resolution stating why payment serves your best interests.
Implementation Timeline That Actually Works
Before September 30, 2025:
- Implement an Incident Response Plan that includes key contact information for primary and backup incident response contacts
- Create a simple incident decision tree: “Is this reportable? Who calls OCIC? What information do we need?”
- Test your Incident Response Plan before you need to use it
- Review cyber insurance coverage and ensure carriers understand new state requirements
By your program deadline (January or July 2026):
- Partner with cybersecurity experts to ensure you have a cybersecurity program in place that aligns with National Institute of Standards and Technology (NIST) or Center for Internet Security (CIS) frameworks
- Implement detection capabilities that match your staffing reality
- Establish backup procedures and test restoration quarterly, not annually
- Implement a security awareness training program focusing on role-specific training using CyberOhio’s free resources or other security awareness training platforms
Determining Your Next Steps
We wrote this guide because we’ve walked several Ohio public entities through similar compliance challenges. The patterns are clear: entities that start with practical cybersecurity programs build outward success. Those that don’t start or delay implementation often find themselves scrambling when deadlines arrive.
Here’s how to determine if you need additional support: If you can’t confidently answer “yes” to whether your current team has bandwidth to document, implement, and maintain these requirements while handling your regular responsibilities, it’s time for outside help.
Rea’s government professionals and cybersecurity specialists have guided Ohio public entities through complex compliance requirements for decades. We understand the budget realities, staffing constraints, and other dynamics that make cybersecurity compliance challenging for public sector organizations.
Contact Rea to discuss how our proven approach to government compliance and cybersecurity can help you meet HB 96 requirements without overwhelming your team or budget.