State Cybersecurity Legislation Is Gaining Momentum—What This Means for Municipalities

Ransomware attacks and other cyberattacks continue to pummel municipalities. In 2025 alone, we’ve seen attacks on a wide range of cities and towns—from larger cities such as St. Paul, Minnesota to smaller cities such as Middletown, Ohio. The impacts of these ransomware attacks are far-reaching:

  • Cyberattacks affect the ability to govern and serve residents.
  • Data breaches threaten to release sensitive and confidential information into the public sphere—and also expose residents to identity theft, credit fraud, and tax refund scams.
  • Cyberattacks increase borrowing costs for municipalities and negatively impact the municipal bond market.
  • Cyberattacks result in litigation, remediation, and insurance costs, diverting funds from public services.

Despite these dire effects, existing data breach notification and cybersecurity laws have done little to push municipalities to enhance their security posture. Alternative approaches such as safe harbor provisions, federal and state grant funding, and financial incentives have also done little to persuade many municipalities to invest more in cybersecurity best practices.

As a result, some states have begun passing laws that mandate cybersecurity requirements. From incident reporting to ransomware payment bans, states are sending a message to local governments that they must take cybersecurity seriously.

This article explores this growing legislative momentum, what it means for municipalities, and how local governments can prepare.

Why are municipal cybersecurity laws likely to spread?

Florida and Ohio have led the way with comprehensive cyber bills:

  • Florida: On June 29, 2022, the Florida State Senate passed HB 7055, known as the Local Government Cybersecurity Act. A local government must “adopt cybersecurity standards that safeguard its data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.” These must align with “generally accepted best practices” such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
  • Ohio: On June 30, 2025, the Ohio Legislature passed new cybersecurity requirements for municipalities as part of Sub. House Bill 96. A municipality must “adopt a cybersecurity program that safeguards the political subdivision's data, information technology, and information technology resources to ensure availability, confidentiality, and integrity. The program shall be consistent with generally accepted best practices for cybersecurity, such as the National Institute of Standards and Technology [NIST] cybersecurity framework, and the Center for Internet Security [CIS] cybersecurity best practices.”

Florida’s and Ohio’s cyber bills share striking similarities—even sharing the exact same language in places. This kind of legislative mirroring is common. For example, if you look at the history of data breach notification laws, California passed the first in 2002. By 2018, all 50 states had followed suit.

Given this common pattern with state legislation, it’s reasonable to expect that more states will adopt similar cybersecurity laws in the coming years. Municipalities should prepare now, rather than wait for mandates.

What are some other examples of state-level cyber legislation?

While the Florida and Ohio laws are very comprehensive, other states have also tightened cybersecurity requirements for local governments in narrower but still impactful ways:

  • Texas: In June 2019, Texas passed a law that requires municipal employees and officials who use computers for at least 25% of their duties to complete certified cybersecurity training annually.
  • Georgia: In 2021, Georgia passed a law (HB 156) that requires local governments to report cyberattacks to the Georgia Technology Authority within two hours.
  • North Carolina: In 2022, North Carolina passed a ransomware payment ban for municipalities. This law prohibits North Carolina towns and cities from paying ransoms or communicating with cybercriminals during a ransomware attack.
  • New York: In June 2025, New York State passed a law that requires municipalities to report cyber incidents within 72 hours and ransom payments within 24 hours.
  • Indiana: Effective December 31, 2027, municipalities must report incidents such as ransomware, denial-of-service attacks, and vulnerability exploits within 48 hours.
  • Massachusetts: Pending legislation (H56) would require municipalities to report cyber incidents within 24 hours.

What are some common themes across state cyber bills?

Despite differences in scope and enforcement, many state laws share similar requirements:

  • Mandatory cybersecurity plans for municipalities: Local governments must develop formal strategies outlining how they protect their digital systems and sensitive data. These plans often include risk assessments, incident response protocols, and long-term goals for improving security.
  • Auditor oversight and compliance checks: State auditors or designated agencies will regularly review municipal cybersecurity practices to ensure they meet legal and technical standards. These checks also help identify vulnerabilities and enforce accountability.
  • Alignment with national frameworks like NIST or CIS: Municipalities are encouraged—or, in some cases, required—to follow established cybersecurity frameworks such as the NIST CSF or CIS Controls, which provide commonly accepted and industry-validated best practices for managing cyber risks.
  • Cybersecurity training for staff and elected officials: Employees and officials who use computers must complete annual training to recognize threats like phishing, understand data protection policies, and respond appropriately to incidents.
  • Vendor and procurement standards to ensure secure technology: When cities buy software, hardware, or any other IT solution, they must ensure vendors meet cybersecurity requirements. This helps prevent security vulnerabilities from being introduced through third-party systems.
  • Incident reporting and breach notification within strict timeframes: If a cyberattack or data breach occurs, municipalities must report it to state authorities—often within hours. Quick reporting helps coordinate responses and limit damage.
  • Limited funding mechanisms, often left out of final bills: While laws may mandate cybersecurity improvements, they often don’t include dedicated funding. This leaves municipalities responsible for finding the resources to comply, which can be a challenge for smaller municipalities.

How can municipalities prepare for a state cybersecurity law?

You might think, “My state hasn’t enacted any law yet, so I’m safe for now.” However, whether your state has enacted a cybersecurity law or not, it’s still very important to shore up your cybersecurity gaps sooner rather than later. Otherwise, when the inevitable cybersecurity law comes to your state, you may find yourself scrambling to comply.

Acting now better positions you to protect your systems, data, and residents. Law or not, implementing baseline cybersecurity best practices is just good sense.

Here are some practical steps that you can take today:

  • Conduct a cybersecurity assessment to identify gaps: Evaluate your current cybersecurity posture by reviewing your network infrastructure, data protection measures, access controls, and incident response capabilities to pinpoint vulnerabilities and areas for improvement.
  • Update your incident response plan: Updating this plan ensures that roles are clearly defined, communication protocols are in place, and your team can act quickly during a breach.
  • Align with frameworks like NIST CSF or CIS Controls: These frameworks provide structured, best-practice guidelines for managing cybersecurity risks. Aligning with them not only improves your security posture but also positions your municipality to comply with future regulations.
  • Establish reporting protocols for cyber incidents: Create clear internal procedures for how and when to report cyber incidents—both within your municipality and to external agencies. This ensures timely response and compliance with potential future laws requiring rapid notification.
  • Review vendor contracts for security standards and compliance: Ensure that third-party vendors meet your cybersecurity expectations. Contracts should include clauses about data protection, breach notification, and compliance with recognized standards to reduce supply chain risks.

---

Cybersecurity legislation is evolving quickly, and municipalities are squarely in the spotlight. By understanding the above trends and taking proactive steps, your municipality can stay ahead of the legislation curve and better protect your residents from the impacts of growing cyber threats.
