Ohio’s Cybersecurity Mandate Sets a New Standard for Public Sector Resilience—Op-Ed

By Spencer Gross

Ohio has taken a significant and timely step toward improving cybersecurity across the state. Following a wave of cyberattacks on local governments, including major incidents in Cleveland, Columbus, and Washington Court House, the state has enacted new rules requiring all local governments to implement cybersecurity policies and publicly approve any ransomware payments. These measures, included in the state’s latest operating budget (House Bill 96), reflect a growing understanding that cyber threats are no longer isolated events but systemic risks that demand coordinated, preventive action.

Under the new law, all local entities such as counties, municipalities, townships, libraries, and school districts must adopt formal cybersecurity programs by late September. These programs must align with generally accepted cybersecurity best practices and include staff training, incident response planning, and system safeguards. The policy is designed not only to reduce vulnerabilities but also to ensure that government services can continue operating even under the threat of digital disruption.

The regulations also introduce a transparency requirement for ransomware response. If a local government intends to pay a ransom or comply with related demands, that decision must be formally approved in a public vote by the legislative body, along with a resolution explaining why the payment serves the public interest. This process ensures that decisions involving taxpayer dollars are made openly and deliberately and discourages secretive or panicked responses that could create long-term harm.

These reforms come at a time when cyberattacks are increasingly common and costly. In the past year alone, more than 20 local governments in Ohio were successfully targeted by scammers, resulting in the theft of hundreds of thousands of dollars in public funds. In May 2025, a ransomware gang disabled key services in Washington Court House and leaked sensitive city data. While some larger cities like Cleveland and Columbus already have sophisticated cybersecurity plans in place, many smaller or rural jurisdictions remain unprepared and vulnerable. The new requirements aim to close this gap.

The state’s approach reflects input from key stakeholders, including the County Commissioners’ Association of Ohio, the Ohio Library Council, and the State Auditor’s Office. The law avoids one-size-fits-all mandates and allows each jurisdiction to tailor its cybersecurity plan to its resources and infrastructure. It also promotes a decentralized but coordinated defense posture, with the Ohio Department of Public Safety and the State Auditor now formally involved in incident response and reporting.

From a technology and governance standpoint, the policy represents a pragmatic and forward-looking solution. It elevates cybersecurity to a core public-sector function, on par with physical infrastructure and emergency preparedness. By mandating readiness and transparency, the law empowers local governments to act quickly during cyber incidents while preserving public accountability.

Twelve other states have adopted laws addressing ransomware, but few combine mandatory planning with public oversight as Ohio now does. This positions Ohio as a national leader in developing a flexible, transparent, and enforceable model for local government cybersecurity.

As digital threats continue to grow in scale and sophistication, proactive measures like these are no longer optional. They are essential. Ohio’s new rules represent a critical step toward building a unified, statewide cyber defense strategy that protects residents’ data, preserves essential services, and fosters public trust in the digital age.

Spencer Gross

Spencer is a Partner with Columbus-based High Bridge Consulting where he has over a decade of experience working in public policy. He also helps lead OhioX’s public policy efforts.

https://highbridgeco.com/