New Cybersecurity Rules in Ohio: What Local Leaders Need to Know

Why These Rules Are Happening

In recent years, cybercriminals have increasingly targeted municipal governments in Ohio, knowing many operate with limited IT resources. The attacks on Cleveland city systems and the Cleveland Municipal Court are reminders that no municipality—or even the Supreme Court or other major governance bodies—is “too small” or too secure to be a target.

This push mirrors larger efforts by state governments across the United States, as well as the national government, to set clear cybersecurity expectations for both general purpose local governments and special purpose local governments.

What’s Required Under the New Law

1. Cybersecurity Programs by September 30, 2025

Every city, township, county, and political subdivision must have a formal cybersecurity program in place, built around recognized frameworks like the NIST Cybersecurity Framework or CIS controls.

2. Annual Employee Training

Cybersecurity training is now mandatory for employees. This isn’t a “one-and-done”—ongoing training ensures staff can spot and respond to threats before they escalate into full-scale incidents.

3. Incident Reporting

• Report cybersecurity incidents to the Ohio Cyber Integration Center within 7 days.
• File a full report with the Auditor of State’s office within 30 days.

4. Public Approval for Ransomware Payments

Local governments can’t quietly pay off attackers anymore. If a ransom payment is being considered, it must be publicly approved by your legislative branches of government—whether that’s a city council, school board, or township trustees. The law requires that the governing body formally approves the decision at a public meeting.

5. Exemptions to Protect Sensitive Data

While transparency is emphasized, cybersecurity plans and incident reports won’t be considered public records—helping to keep detailed vulnerabilities out of attackers’ hands.

6. Compliance Deadlines

• Counties and cities must comply by January 1, 2026.
• Other entities—including independent school districts, libraries, townships, towns, boroughs, and special districts—have until July 1, 2026.

Why This Matters for Northeast Ohio Communities

For municipal leaders in Cleveland, Akron, Canton, and surrounding areas, this isn’t just about compliance—it’s about protecting residents, sensitive information, and your community’s reputation. These rules will:

• Safeguard sensitive government entity data and resident information.
• Strengthen public trust at a time when confidence in municipal governments is critical.
• Provide consistent standards so all general purpose local governments and special purpose local governments—from large cities to smaller towns and boroughs—can respond effectively to cyber threats.

Of course, challenges remain. Smaller communities may worry about cost or staffing, and publicly debating ransom decisions during an attack may feel risky. And because these provisions were tucked into the state government budget, many leaders feel they didn’t have enough input in shaping the legislation.

Still, the reality is clear: cyber threats are not slowing down. These requirements provide every community with a roadmap to improve local level cybersecurity compliance.

What You Can Do Now

If you’re a municipal leader in Northeast Ohio, here are some steps you can start on right away:

• Engage your IT team or partner to begin building out a cybersecurity program tailored to your municipality.
• Leverage free state resources like CyberOhio and the Ohio Cyber Range Institute for training opportunities.
• Educate staff—from administrative assistants to department heads—since employees are often the first line of defense.
• Discuss ransomware strategies with your city council, trustees, or mayors councils now, before you’re under pressure to make a quick decision.

Conclusion

Protecting public trust has always been central to municipal service. These new cybersecurity compliance rules for Ohio government entities may feel like another mandate, but they’re really about strengthening the trust your residents place in you—not just on the streets, but in the digital world too.

By preparing early and leaning on resources available to Cleveland-area municipalities, Northeast Ohio leaders can turn compliance into confidence. With the right security measures in place, your community won’t just meet House Bill requirements—it will be better equipped to face the growing cybersecurity threats of tomorrow.

AtNetPlus: Your Local Cybersecurity Partner

At AtNetPlus, we work with municipal governments across Northeast Ohio every day, helping leaders like you navigate compliance, strengthen defenses, and protect community data. Our team of experts understands the unique challenges that general purpose local governments, special purpose local governments, and independent school districts face—tight budgets, evolving regulations, and the pressure to keep critical services running without interruption.

If you’re unsure where to start or need a trusted partner to guide you through these new requirements, we’re here to help. Let’s work together to safeguard your municipality and the residents who count on you.