January 09, 2026
By TomTechToday
If you run a business, manage a school district, or oversee a local government agency in Ohio, the rules of engagement just changed.
Signed into law in June 2025, Ohio House Bill 96 is technically the state's operating budget for fiscal years 2026-2027. But buried within this massive legislation are critical provisions that fundamentally alter how organizations must handle cybersecurity compliance, ransomware attacks, and state taxes.
For Managed Service Providers (MSPs) and business leaders alike, HB 96 isn't just about government spending—it's a wake-up call for IT governance. Here is everything you need to know about the new law and how to prepare your organization.
1. The New Cybersecurity Mandate: A Standard for All?
The most headline-grabbing portion of HB 96 for the IT world is the establishment of strict cybersecurity requirements for political subdivisions. This includes counties, townships, municipalities, and—crucially—school districts.
While the law directly mandates these actions for government entities, it sets a "Duty of Care" standard that private businesses should not ignore. If the state says this is what "reasonable security" looks like, private litigation often follows suit.
The "Must-Haves" for Local Governments & Schools
Under the new Ohio Revised Code § 9.64, all political subdivisions must now:
· Adopt a Formal Cybersecurity Program: You can no longer just "have an IT guy." You must have a written program that aligns with recognized frameworks, specifically NIST (National Institute of Standards and Technology) or the CIS (Center for Internet Security) Controls.
· Mandatory Incident Reporting: If you suffer a cyber attack, the clock starts ticking immediately. You must report the incident to the Ohio Cyber Integration Center (Homeland Security) within 7 days and to the Auditor of State within 30 days.
· The Ransomware Payment Ban: This is the game-changer. Local governments are now prohibited from paying a ransom to cybercriminals unless their legislative authority (e.g., City Council or School Board) passes a formal, public resolution stating that paying is in the public's best interest.
  o The Implication: You can no longer quietly pay a ransom to make the problem go away. It will be a matter of public record.
Why This Matters for Private Businesses
Even if you aren't a government agency, HB 96 affects you if:
1. You are a Vendor/Contractor: If you provide services to an Ohio school or city, you will likely be required to prove you meet these same NIST/CIS standards to ensure you aren't the security gap.
2. Liability Standards: By codifying NIST/CIS as the standard for the public sector, Ohio is signaling that these frameworks are the benchmark for "reasonable" security. If your private business is breached and sued, failing to meet these standards could be used against you in court.
2. Significant Tax Changes for 2026
HB 96 isn't all about compliance; it also includes arguably the most significant tax code shifts in years. For MSP clients, this is a mix of good news and new costs.
The Good News: CAT Tax Relief
The Commercial Activity Tax (CAT) exclusion has been raised significantly. Effective January 1, 2025, the exclusion amount increased from $3 million to $6 million.
· Impact: If your business has taxable gross receipts of $6 million or less, you may no longer owe any CAT. This is a massive win for small-to-mid-sized businesses (SMBs) across Ohio.
The Bad News: Sales Tax Expansion & Credits Lost
To pay for income tax cuts, the state has broadened what it taxes. Effective January 1, 2026, several exemptions are repealed:
· Tech Provider Costs: The bill repeals the 25% sales tax refund that providers of "electronic information services" previously enjoyed on computer equipment purchases. This increases the operational costs for tech-heavy companies in the state.
· Vendor Discount Cap: If your business collects sales tax, the "prompt pay" discount you get for filing on time is now capped at $750 per month (starting Jan 1, 2026). Larger retailers will feel this pinch immediately.
3. Action Plan: What You Need to Do Now
The "wait and see" approach is no longer an option, especially with reporting requirements already live as of September 30, 2025.
For Schools & Local Governments:
· Immediate Audit: Conduct a gap analysis against the NIST Cybersecurity Framework. If you don't know where you stand, you are likely already non-compliant.
· Update Incident Response Plans: Does your current plan include the specific phone numbers and email addresses for the Ohio Cyber Integration Center? If not, update it today to meet the 7-day reporting rule.
· Board Education: Ensure your Council or School Board understands they are now the final decision-makers on ransomware payments.
For Private Businesses:
· Review Your CAT Status: Talk to your CPA about the new $6 million exclusion. You might save thousands this year.
· Adopt NIST/CIS Now: Don't wait for a mandate. Aligning with these frameworks reduces your cyber insurance premiums and positions you as a safe partner for government contracts.
How TomTechToday Can Help
Navigating Ohio HB 96 is complex, but you don't have to do it alone. Whether you need a NIST-aligned security assessment to satisfy the new state mandate or need to upgrade your infrastructure before the tax laws change in 2026, we are here to help.
Contact TomTechToday to schedule your assessment and ensure your organization is secure, compliant, and ready for the future.