What is Ohio Bill 96, and what are the key deadlines, requirements, and action steps needed for compliance?
Recently, there’s been significant discussion regarding Ohio Bill 96 and the new cybersecurity requirements outlined in Section 9.64. The bill was signed by Governor DeWine on June 30th, 2025, and goes into effect on September 30th, 2025.
Ohio Bill 96: Compliance Deadlines
The compliance deadline for counties and cities is January 1st, 2026. School districts are required to comply by July 1st, 2026. The reporting and ransomware payment requirements outlined in Ohio Bill 96 will be effective beginning September 30th, 2025.
Ohio Bill 96: Cybersecurity Incident and Ransomware Reporting Requirements
The new cybersecurity incident and ransomware incident reporting requirements involve the legislative authority, the executive director of the division of homeland security within the department of public safety, and the auditor of the state.
The legislative authority of a political subdivision must alert the executive director of the division of homeland security within the department of public safety as soon as possible and no later than seven days after the incident is discovered. The legislative authority must also notify the auditor of the state as soon as possible, but no later than thirty days after the discovery of the incident.
Ohio Bill 96: Ransomware Payment Requirements
The new requirements state that a political subdivision is prohibited from paying or otherwise complying with a ransom demand without first receiving approval. The approval process requires the legislative authority of the political subdivision to formally approve the payment or compliance in a resolution or ordinance. The resolution or ordinance must specifically state the reasons for complying with the ransom demand and how that compliance is the best course of action for the political subdivision.
Ohio Bill 96: Cybersecurity Program Requirements
Entities covered by Ohio Bill 96 are required to implement a cybersecurity program that aligns with best practices established by bodies like the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). The goal is to create a cybersecurity program that protects the “…data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.” Specific call-outs for the cybersecurity program include risk and impact identification, threat detection mechanisms, incident response plans, post-incident security measures, and employee cybersecurity training.
The final portion of the new cybersecurity requirements states that cybersecurity programs, as well as the reports of and any files associated with a cybersecurity incident or ransomware incident, are not considered public records. This could prevent threat actors from obtaining such records and using them to develop additional attack plans.
What’s the Bottom Line for Ohio Bill 96 Compliance?
Entities are now required to move from a “nice to have” to a “required to have” cybersecurity posture. Ransomware demands can no longer be met without a vote in most instances. There are now fast reporting requirements, which will hopefully contribute to faster remediations and recoveries. These requirements are forged by real-world incidents that occurred within the state (Cleveland, Columbus, Union County, and others).
How Can Schneider Downs Help?
We highly recommend that you read Ohio Bill 96 for yourself and reach out with any questions. We are happy to speak to anyone who might have cybersecurity questions related to Ohio Bill 96.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
