Berea City Council Implements New Cybersecurity Program in Compliance with Ohio Law

What happened

The City of Berea, Ohio, has formally adopted a cybersecurity policy designed to address potential cyber threats to its digital infrastructure and information systems. The Berea City Council approved the plan on December 14, 2025, ahead of the January 1, 2026 state compliance deadline. This adoption aligns with new cybersecurity requirements set forth under Ohio law, which mandates that all local governments establish formal cybersecurity programs. Local authorities must also report any cyber incidents to Ohio Homeland Security and the State Auditor, and any decision to pay a ransomware demand must be formally approved by the legislative body.

Who is affected

The policy applies to the City of Berea as a local government entity and will impact all city departments and employees that interact with the city’s IT systems and data. It also affects residents and businesses that rely on city digital services, as their data and service continuity are covered under the new program. The plan was approved by the Berea City Council, including council members and city leadership responsible for governance and oversight.

Why CISOs should care

This development underscores the growing trend of state-level regulatory action on cybersecurity, particularly with Ohio’s House Bill 96 requiring political subdivisions to adopt formal cybersecurity programs consistent with recognized best practices such as the NIST Cybersecurity Framework or the Center for Internet Security (CIS) controls.

CISOs should be aware that similar mandates are spreading across jurisdictions, increasing compliance pressure on public sector and quasi-public entities and setting benchmarks for program expectations, incident reporting, and ransomware governance. These regulatory expectations may also influence contracts, risk assessments, and community trust in digital services.

3 Practical Actions for CISOs

  1. Review and Align with Best Practices: Ensure your organization’s cybersecurity program maps to established frameworks such as NIST CSF or CIS Controls, as required by many emerging regulations, including Ohio’s.
  2. Formalize Incident Reporting and Ransomware Policies: Establish documented procedures for cyber incident detection, reporting, and decision authority around ransomware payments, including escalation paths and legislative or board approval processes where applicable.
  3. Educate Stakeholders and Governance Bodies: Brief your executive leadership and board or council on regulatory trends, compliance requirements, and the rationale behind cybersecurity investments to secure support and funding for robust programs.