10 min read

What Ohio House Bill 96 Means for Local Governments

Sep 16, 2025 3:58:08 PM

Industry Related News Cybersecurity Legislation ohio

On June 30, 2025, Governor Mike DeWine signed House Bill 96 (HB 96). And every county, municipality, and township will need to comply starting September 30, 2025.

HB 96 lays out a statewide framework for cybersecurity preparedness, modeled on national best practices. There are two main frameworks that HB 96 has adopted:

The NIST Cybersecurity Framework (CSF): This is a 5-step structure for cybersecurity best practices: Identify, Protect, Detect, Respond, and Recover. It’s how you can spot weaknesses, put up defenses, catch threats, fight back, and bounce back.
The CIS Controls: Eighteen very specific “best practices,” starting with the basics (patch your software, control access, stop reusing the same password everywhere) and climbing to advanced moves like penetration testing and incident response drills.

In this article, we will go over who HB 96 applies to, what the new requirements are, and how we can help.

What Ohio House Bill 96 Means for Local Governments

8:47

Who Does HB 96 Apply To?

HB 96’s text specifically zeroes in on counties, municipalities, and townships. However, other agencies (transit authorities, park districts, fire districts, etc.) are still tied into the same networks, share the same data, or rely on the same IT staff. So, HB 96 should be considered, at minimum, a best practice for agencies not specifically named in the law.

What Are the Core Cybersecurity Requirements Under HB 96?

Here’s what HB 96 says you need to do:

1. Risk Identification

Start by figuring out what you actually have. Your systems, your software, your data, and where the weak spots are. (Spoiler: there will be weak spots.) Risk assessments aren’t a one-time box to check; they’ll need to be updated as your environment changes.

2. Threat Detection

It’s not enough to hope you’ll spot an attack when it happens. You need tools and processes in place to actively detect intrusions, phishing attempts, and other sketchy activity.

3. Employee Training

Your employees could click on the wrong link. HB 96 makes annual cybersecurity training mandatory. The idea is to turn your people from “the biggest vulnerability” into “the first line of defense.”

4. Response & Recovery

If an incident does happen, you need a written plan. Who gets called first? How do you contain the breach? When do you notify the state? HB 96 requires an incident response playbook, not a scramble.

5. Ongoing Audits & Reporting

Cybersecurity isn’t a “set it and forget it” kind of thing. The law requires audits (either through the Auditor of State or an approved third party) to test your defenses. And if problems show up, you’re expected to document them and fix them.

You don’t have to guess what this all looks like. The NIST framework gives you the cycle (Identify, Protect, Detect, Respond, Recover), and the CIS Controls hand you 18 prioritized actions to follow.

What Are the New Cybersecurity Incident Reporting Rules?

If your local government experiences a cybersecurity incident, you now have to report it to the state. Transparency is the new rule of the game.

So, who do you tell?

The Ohio Cyber Reserve and the Ohio Persistent Cyber Improvement (O-PCI) program. These groups are designed to jump in and help local governments recover.
The Ohio Cybersecurity and Infrastructure Committee (OCIC). They’re the central hub for coordinating statewide cyber defense.

And how much time do you have?

7 Days: If it’s a confirmed ransomware attack or a major breach affecting critical systems. Basically, if operations are down or sensitive data is exposed, the clock starts ticking.
30 Days: For other cybersecurity incidents that might not cripple your systems but still count as a compromise. Think suspicious activity, smaller breaches, or attempted attacks that require follow-up.

Why the two timelines?

The state wants to separate emergencies (where they can send in backup fast) from lower-level issues (where you still need to report, but it’s not all-hands-on-deck).

But you can’t just report whenever it’s convenient.

If you miss the 7- or 30-day window for a ransomware attack, you will not be in compliance.

How Should Local Governments Start Preparing Now?

HB 96 takes effect September 30, 2025. That might sound like plenty of time, but in government time, it’s basically tomorrow. So the smartest move is to start laying the groundwork now.

Step one: Appoint a cybersecurity coordinator.

This doesn’t need to be a brand-new hire. In many smaller governments, it might be your finance director, IT lead, or even someone who wears multiple hats already. But you need a point person—someone who “owns” cybersecurity and keeps the ball moving.

Step two: Run a risk assessment.

Think of it like a health checkup for your systems. What data do you store? Where are the weak spots? Which systems are outdated or unpatched? You can’t protect what you haven’t identified.

Step three: Update your policies.

This is where you turn findings into rules. Password standards, device management, vendor access—all the unglamorous but essential stuff that keeps doors locked and data safe.

Step four: Practice with tabletop exercises.

No, not Monopoly (though that would be fun). Do mock drills where staff walk through how they’d respond to a cyber incident. The goal isn’t perfection—it’s muscle memory. Because when the pressure’s on, you need to be able to fall on your training.

Step five: Train your people.

Regular training sessions turn your staff from easy targets into your first line of defense. Your employees are your biggest defense—or your weakest link. Phishing emails, bad passwords, oversharing…that’s how most breaches start.

And here’s where VIP Cloud comes into play. By moving critical systems into a secure, compliant hosting environment, you remove a huge chunk of the risk.

How Can VIP Cloud Help Local Governments Comply With HB 96?

HB 96 will change things around your office. But we know you’ve got limited staff, budget crunches, and a hundred other responsibilities competing for attention. That’s where VIP Cloud can step in.

HB 96 is about having cybersecurity and being able to prove it. You need secure hosting, built-in safeguards, and systems that can stand up to scrutiny. That’s exactly what VIP Cloud was designed for.

So, what does VIP Cloud actually do for you?

Secure hosting for public sector data. Your financial records, payroll info, and utility billing data live in an environment built for compliance and resilience.
Safeguards baked in. Availability, confidentiality, and integrity are a part of the package.
Lighten the IT workload. Instead of IT having to constantly patch, monitor, and troubleshoot, your VIP software gets automatic updates and daily backups.
Aligns with HB 96. The law asks for proactive cybersecurity, and VIP Cloud has layers of security control powered by AWS, includes built-in firewalls and encryption, and requires Two-Factor Authentication (2FA). VIP Cloud’s security controls are mapped to NIST and CIS frameworks, with demonstrated compliance and supporting documentation in place. These security measures align with HB 96.

Learn how VIP Cloud can help you

HB 96 and the Future of Local Government Security

According to StateTech, the average cost per day of ransomware-induced downtime is $83,600 for government entities. A single ransomware attack can drain millions, shut down public services for weeks, and tank public confidence overnight.

No one needs that. And Ohio recognized this.

The future of local government security lies in best practices, mandated or not. And HB 96 sets up mandated best practices that follow well-established cybersecurity frameworks.

HB 92 might require time, money, and attention. But when a cybersecurity incident happens—and it will—you'll be glad you prepared for it.

Yes, following HB 96 is compliance. But it’s also resilience and leadership.

Learn more about VIP Cloud

Or check out our cybersecurity partner for more robust options...