Ohio’s Cyber Law For Local Governments: 5 Steps Over 75 Days to Meet the September 29 Deadline
- Jodka, Sara H.
In its FY 2026 budget, Ohio quietly folded in a sweeping cybersecurity mandate that will require every “political subdivision” to have a cybersecurity program that aligns with recognized industry frameworks and adopt strict new rules around ransomware response by September 29, 2025. Below is a practical roadmap for municipal counsel, administrators, and IT leads who must come into compliance by the September 29, 2025 deadline.
Scope: Who Is Covered?
In Ohio, a “political subdivision” means any county, township, city, municipal corporation, village, or other body corporate and politic that is chartered by state law and responsible for government activities in a geographic area smaller than that of the state. In practice, this reaches any taxing authority or entity that provides government services inside the State of Ohio.
Core Obligation: Build a Defensible Cybersecurity Program
The new law requires political subdivisions to create a written program “consistent with best practices,” which includes the NIST Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) Controls.
At minimum, the program must be able to:
- Identify and prioritize critical systems and data and the risks that threaten the political subdivision.
- Gauge potential breach impacts on public safety, continuity of services, and constituent data privacy.
- Specify mechanisms to detect threats and cybersecurity events.
- Respond and communicate, including containing incidents, coordinating with law enforcement, and keeping constituents informed.
- Recover and harden infrastructure after an event and document lessons learned.
- Establish cybersecurity training requirements for all employees of the political subdivision; the frequency, duration, and detail of which must correspond to the duties of each employee.
Required Employee Training
Cybersecurity is never just an IT problem. The law compels subdivisions to train all employees, and the training must be role-based and recurring. In other words, employees who deal directly with constituent data should be required to attend more frequent refreshers than, for example, a maintenance or seasonal parks employee.
Incident and Ransomware Response Rules
The law distinguishes between a cybersecurity incident and a ransomware incident. A “Cybersecurity Incident” is a loss of confidentiality, integrity, or availability; a disruption of operations; or unauthorized access (including upstream cloud or supply-chain compromise). By contrast, a “Ransomware Incident” is one in which malicious software encrypts or blocks access to systems and a ransom demand follows.
Mandatory Reporting
The law sets reporting deadlines that require covered entities to report an incident as follows:
- Report to the Ohio Dept. of Public Safety / Homeland Security as soon as practicable, but in no event later than 7 days after discovery of the incident.
- Report to the State Auditor as soon as practicable, but in no event later than 3 days after discovery.
Paying a Ransom? Pass a Resolution First
Notably, the law expressly prohibits a political subdivision from paying a ransom unless its legislative authority, i.e., council, commission, or board, adopts a formal resolution or ordinance spelling out why payment serves the community’s best interests.
Public Records
The law specifies that any records, documents, or reports related to the cybersecurity program and framework, and the reports of a cybersecurity incident or ransomware incident, are not public and are not subject to disclosure under the Ohio Public Records law. However, this exemption does not bar disclosure in discovery in the event of a lawsuit or investigation. As such, it is best practice to work with legal counsel to ensure that privilege extends to any such event, including communications with forensic advisors.
Five Things to Do Before the Deadline and When to Do It (A 75-Day Map)
- Between Now and August 8th - Data Classification & Mapping. It is impossible to protect what you cannot find. Political subdivisions should inventory sensitive data stores and label them according to risk level.
- Now through September 29th - Technical Integration. The technical requirements of the law are specific and will take time to implement. It is best to start this process now, including finding a vendor to assist with the technical implementation of the cybersecurity standards.
- Now through August 31st - Enterprise-Wide Security Policy. It is imperative to develop a thorough Security Policy that addresses the specific data, storage, and handling functions of the political subdivision. The policy should cover not only day-to-day data handling, but also incident response, business continuity, and data storage/deletion, balanced against the newly required technical standards and the specific requirements of the Ohio Public Records Law.
- September 1st through September 29th - Targeted Training & Awareness. Work with data privacy counsel to develop and implement data privacy-compliant training and awareness communications that align with the actual needs and policies of the political subdivision. This should include a guided tour and explanation of the Security Policy, simulated phishing campaigns, and scenario-based tabletop exercises to help employees recognize threats and understand legal reporting duties.
- September 1st through September 29th - Tested Incident Response Plan. A shelf-ready playbook with call trees, checklists, and pre-drafted notifications pays for itself the first time you have to use it.
Consult Counsel Early
Standing up a compliant program in roughly 75 days is ambitious, but data privacy counsel can:
- interpret the law’s gray areas, including the technical, policy, incident response, training, and other needs, and work with internal teams to streamline drafting and rollout of all required materials;
- coordinate with technical vendors to work through the technical requirements;
- coordinate privilege over cybersecurity events, including forensic investigations; and
- align vendor contracts, cyber‑insurance, and records‑retention rules with the new mandate.
Key Takeaways:
Effective September 29, 2025, the State of Ohio will expect political subdivisions to demonstrate compliance with cybersecurity requirements, both technical and policy-based. This will demand far more than paper policies and lip service. It is imperative that Ohio political subdivisions start now to ensure compliance by the effective date, documenting every decision and building a record that demonstrates reasonable security under the circumstances.
Feel free to reach out to any of Dickinson Wright’s data privacy and cybersecurity attorneys, who are more than happy to assist you.