What You Need to Know About the Cybersecurity Requirements in Ohio House Bill 96

By September 30, 2025, all Ohio school districts and local governments must meet new state-mandated cybersecurity requirements.

What Is HB96?

House Bill 96 (HB96), enacted in mid-2025 as part of Ohio’s biennial budget for Fiscal Years 2026–2027, introduces mandatory cybersecurity requirements for all local government entities, including public school districts and libraries.

The first phase of the law goes into effect September 30, 2025, and is designed to strengthen public sector cyber readiness in response to the growing threat of ransomware, data breaches, and IT system disruptions.

What Is House Bill 96 (HB96)? New Law Passed: Part of Ohio’s 2025 biennial budget Who It Affects: All school districts All local governments Deadline: Compliance required by Sept 30, 2025 Focus Areas: Cybersecurity Programs Staff Training Incident Reporting Ransomware Protocols Non-Compliance Risks: Legal exposure Delayed recovery from cyber events Public trust issues HB96 is now law, and the requirements may be broader than you think. Keep reading to understand what’s required and how to prepare effectively!

Note: All dates shown above are tentatively set and subject to change.

What Does HB96 Require?

To comply with HB96, every local government and school district in Ohio must:

1. Adopt a Cybersecurity Program

You must establish a program that safeguards your organization’s data, IT systems, and IT resources. It must ensure the availability, confidentiality, and integrity of your information.

What Does a Cybersecurity Program Look Like? 1. Risk Assessment Evaluate your current cybersecurity posture to identify vulnerabilities and prioritize improvements. 2. Security Policies & Procedures Establish written protocols for data handling, access control, remote work, and incident response. 3. Ongoing Staff Training Provide annual training (and phishing awareness) to all staff to reduce human risk factors. 4. Endpoint Protection & Network Security Implement tools like antivirus, firewalls, and EDR (endpoint detection and response) across devices and networks. 5. Data Backup & Recovery Plan Ensure secure, offsite backups with tested recovery procedures to maintain availability during outages or attacks. 6. Incident Response Plan Define how you’ll detect, respond to, and recover from cybersecurity incidents—including reporting protocols.

2. Conduct Annual Cybersecurity Training

Your organization must provide annual cybersecurity training to relevant staff. The state may provide some training resources, but the responsibility to train still falls on your organization.

3. Report Cybersecurity Incidents Promptly

If your organization experiences a cybersecurity breach or ransomware attack, you are required to:

  • Notify the Division of Homeland Security within 7 days
  • Notify the Ohio Auditor of State’s Office within 30 days
4. Follow Strict Protocols for Ransomware Incidents

Organizations are prohibited from paying ransoms unless:

  • Your legislative authority (e.g., school board or city council) passes a formal resolution or ordinance
  • The resolution explicitly states why the payment or compliance is in the organization’s best interest

What’s at Stake?

Failing to comply with HB96 isn’t just a missed opportunity; it can have serious implications for your district, municipality, or library including:

  • Increased vulnerability to ransomware and data loss
  • Violations of state law
  • Delays in breach response and recovery
  • Reputational damage with your community and stakeholders

A Path Forward for Your District or Community

HB96 isn’t just another set of recommendations—it’s a legal requirement that reflects how critical cybersecurity has become for schools and local governments alike.

Whether you’re building a cybersecurity program from the ground up or refining existing efforts, it’s important to start early, stay informed, and build a plan that works for your team, your structure, and your community.

How DataServ Is Helping Ohio Organizations Prepare:

DataServ is already supporting Ohio school districts, municipalities, and libraries in assessing their cyber posture and developing actionable roadmaps in preparation for HB96.

We bring to the table:

  • Decades of experience assisting schools, municipalities, and libraries with cybersecurity
  • Alignment with generally accepted best practices for cybersecurity, such as those provided by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) 
  • Knowledge of what cybersecurity compliance looks like in practice for increasingly common mandates and standards being put in place by state governments across the country

Navigating HB96’s requirements can feel overwhelming, but you don’t have to go through it alone! Fill out the form below and our team will reach out to help you take the next steps toward compliance with confidence.