
New Ohio Cybersecurity Law: What Local Governments Need to Know
On June 30, 2025, Governor Mike DeWine signed legislation introducing new cybersecurity requirements for local governments, underscoring the growing cyber risk faced by public entities and the state’s push for stronger digital defenses.
This legislation marks a significant shift for public sector organizations. It establishes baseline cybersecurity standards and requires local agencies to take a more proactive and structured approach to protecting public data and critical infrastructure.
What the New Law Requires
The bill sets clear expectations that cybersecurity isn’t voluntary or reactive. While the full implementation details are still evolving, the law includes several key components:
Annual Cybersecurity Risk Assessments
Local governments must regularly assess their exposure to cyber threats and vulnerabilities, particularly around sensitive systems and data access points.
Cybersecurity Awareness Training
Staff at all levels, including leadership, must be trained to recognize phishing, social engineering, and common threat tactics that can open the door to breaches.
Incident Response Plans
Agencies must have documented and tested plans for responding to a cyberattack with clear roles, escalation paths, and communication strategies.
Internal Control Reviews
Local governments are expected to evaluate the controls protecting their systems and data, including access permissions, backup protocols, and logging.
These standards are modeled after best practices and align with the Ohio Cyber Reserve’s broader mission to enhance cyber resiliency across the state.
Who Is Impacted by the New Cybersecurity Requirements?
This legislation applies to all local government entities in Ohio, including:
Counties and municipalities
Townships and villages
School districts and Boards of Education
Public libraries and utilities
Transit authorities
Health departments and other administrative agencies
Even smaller jurisdictions, which often have limited IT resources, are expected to meet these baseline requirements.
Why Action Is Needed Now
Local governments have become prime targets for cybercriminals. Ransomware, phishing, and data theft can disrupt services, expose residents’ personal information, and cost agencies both money and public trust.
The passage of this legislation emphasizes that compliance is no longer a best practice; it's a legal and operational obligation.
By acting now, your agency can:
Reduce exposure to breaches and operational downtime
Demonstrate compliance to state officials and regulators
Protect residents' trust and sensitive data
Qualify for future cybersecurity funding and resources
Build institutional resilience amid growing digital threats
Cybersecurity isn’t just an IT issue; it’s a governance issue. Ohio’s new law raises the bar, and local governments must now act with urgency and intention.
The good news? You don’t have to tackle it alone.
Clark Schaefer Consulting has deep experience guiding public sector organizations toward compliance and resilience. From risk assessments and training to internal controls and response planning, we can help you navigate these changes, avoid compliance risks, and strengthen your defenses, so your community stays protected.
