Ohio Mandates Tough Cybersecurity Rules for Local Governments to Combat Growing Threats, With Strict Deadlines and Ransom Restrictions
COLUMBUS, Ohio — Ohio Auditor of State Keith Faber has issued a directive requiring all political subdivisions to adopt formal cybersecurity programs by 2026, citing growing threats from ransomware and digital attacks.
In Bulletin 2025-007, released August 27, Faber outlined the requirements under Ohio Revised Code § 9.64, enacted through House Bill 96. The law mandates that counties, cities, townships, and other local government entities implement cybersecurity policies that protect data and infrastructure from malicious activity.
“Local governments, typically defined as ‘political subdivisions,’ have increasingly become targets for cybercriminals,” Faber wrote. “They are vulnerable to cyber-attack schemes because of limited cybersecurity budgets, outdated systems and a range of accessible electronic and digital services.”
The bulletin defines a “cybersecurity program” as one that ensures the availability, confidentiality, and integrity of an entity’s information systems. Programs must include threat detection, incident response protocols, infrastructure repair procedures, and annual employee training—satisfied through the Ohio Persistent Cyber Initiative.
Deadlines for compliance are set for January 1, 2026, for counties and cities, and July 1, 2026, for all other entities.
In the event of a cybersecurity or ransomware incident, political subdivisions must notify both the Ohio Homeland Security Executive Director within seven days and the Auditor of State within thirty days. Ransom payments are prohibited unless formally approved by a public vote of the legislative authority, with justification documented in a resolution.
Records related to cybersecurity programs and incidents are exempt from public records laws under the new statute.
Additional guidance and training resources are available on the Auditor of State’s cybersecurity portal.