Berea adopts cybersecurity policy plan to meet Ohio’s new local-government digital security requirements by 2026

A city-level response to a new statewide mandate

The City of Berea has moved to formalize how it protects public data and computer systems by adopting a cybersecurity policy plan, a step that aligns with Ohio’s new requirements for local governments. The policy is the type of measure now expected of municipalities as the state increases baseline standards for protecting government networks and responding to cyber incidents.

Ohio law now requires the legislative authority of each political subdivision—cities, counties, townships and similar entities—to adopt a cybersecurity program designed to protect the availability, confidentiality and integrity of the jurisdiction’s information technology. The statute took effect Sept. 30, 2025, and directs local governments to build programs consistent with widely used cybersecurity best practices, including the National Institute of Standards and Technology (NIST) framework and Center for Internet Security (CIS) practices.

What the state requires local governments to do

Under the new Ohio standard, local cybersecurity programs are expected to cover core functions of cyber risk management, from identifying critical services and vulnerabilities to responding and recovering when an incident occurs. The law also establishes incident-reporting requirements and limits the public release of certain cybersecurity-related records.

• Define critical functions and assess cybersecurity risks.
• Assess potential impacts of cyber breaches on operations and services.
• Specify mechanisms for detecting threats and cybersecurity events.
• Set procedures to communicate internally, analyze incidents and contain attacks.
• Establish recovery steps and measures to maintain security after an incident.
• Provide cybersecurity training for employees, tailored to job duties.

Incident reporting and public-record limits

The law also requires local governments, after discovering a cybersecurity incident or ransomware incident, to notify the state within set timelines: the state homeland security office generally within seven days and the state auditor generally within 30 days. It also places many records connected to the cybersecurity program and incident reports outside public-record access, reflecting state concerns that detailed disclosures could create additional security risks.

The statute defines “cybersecurity incident” broadly, including substantial losses to confidentiality, integrity or availability of systems, serious impacts to operational resilience, or unauthorized access involving third-party providers or supply-chain compromises.

Why Berea’s action matters locally

Municipal networks support day-to-day government operations that residents rely on—billing systems, public-safety communications, payroll and internal records management. A written policy does not prevent every attack, but it sets expectations for training, detection and response, and it can clarify who is responsible for actions during an incident, including coordination and recovery steps that affect continuity of services.

For cities, the new requirements also connect cybersecurity preparedness to the routine oversight environment: the state auditor has issued guidance indicating that counties and cities are expected to have a cybersecurity program or policy in place by Jan. 1, 2026. Berea’s adoption places the city within that compliance window and formalizes an approach to managing cyber risk as state reporting and auditing expectations expand.