Ohio House Bill 96 (HB 96), which took effect on June 30, 2025, establishes the state budget for fiscal years 2026/27. Although it is primarily a budget bill, HB 96 contains new statutory requirements that directly affect K–12 public schools.
Specifically, the law requires districts to:
- Adopt a board-approved cybersecurity program
- Follow defined cyber incident reporting timelines
- Adopt a district artificial intelligence (AI) policy by July 1, 2026
The bill also appropriates funding for school safety initiatives through state-administered grant programs.
Here’s what district leaders need to know.
What Is Ohio HB 96?
HB 96 is Ohio’s biennial operating budget for fiscal years 2026 and 2027. In addition to appropriations, it creates or amends sections of the Ohio Revised Code that establish governance requirements for political subdivisions — including school districts.
The two key sections affecting K–12 are:
- ORC §9.64 — Political Subdivision Cybersecurity Programs
- ORC §3301.24 — Artificial Intelligence Policy for Schools
Cybersecurity Requirements (ORC §9.64)
HB 96 requires:
“The legislative authority of a political subdivision shall adopt a cybersecurity program that safeguards the political subdivision’s data, information technology, and information technology resources to ensure availability, confidentiality, and integrity.”
For school districts, this means the board of education must formally adopt a cybersecurity program — not simply maintain IT practices.
Incident Reporting Mandates
If a cybersecurity incident occurs, districts must:
- Notify the Division of Homeland Security within 7 days
- Notify the Auditor of State within 30 days
This creates defined statutory reporting timelines and documentation expectations.
Ransomware Governance
The law also states:
“A political subdivision experiencing a ransomware incident shall not pay or otherwise comply with a ransom demand unless the political subdivision’s legislative authority formally approves the payment…”
This elevates ransomware decisions to the board level.
Compliance Deadline
The cybersecurity provisions become effective September 30, 2025, with districts expected to have adopted programs by July 1, 2026.
Artificial Intelligence Policy Requirement (ORC §3301.24)
HB 96 also establishes a new AI governance requirement.
The statute states:
“Not later than December 31, 2025, the department of education and workforce shall develop a model policy on the use of artificial intelligence in schools.”
And:
“Not later than July 1, 2026, each school district… shall adopt a policy on the use of artificial intelligence.”
This is a formal policy adoption requirement.
Districts may adopt the state model policy or develop their own. The law does not prescribe specific technologies, but it does require formal board action.
School Safety Grant Funding Under HB 96
In addition to compliance mandates, HB 96 appropriates funding for school safety initiatives.
According to official state grant announcements, potential uses include:
- Silent panic alarms
- Alert systems warning of dangerous individuals
- Systems allowing immediate camera access to responding law enforcement
- Active-shooter response training or equipment
- School resource officer training
- Training to identify and assist students with mental-health issues
- School supplies or equipment related to safety or implementing a school-safety plan
Grant Structure
- Formula-based grant: $2,500 or $4.50 per student (whichever is greater)
- Program-based grant: Up to $40,000
- Application deadline: May 29, 2026
These grants are funding opportunities (not mandates) and eligibility is determined by the administering agency.
What Happens If Districts Don’t Comply?
HB 96 creates statutory obligations. Failure to comply may result in:
- Auditor findings related to incident reporting
- Governance scrutiny during cyber incidents
- Public accountability if required notifications are not made
- Exposure related to board approval requirements in ransomware scenarios
The AI policy adoption requirement also carries board-level governance expectations.
What Compliance Looks Like in Practice
By July 1, 2026, compliant districts should have:
- A board-approved cybersecurity program
- Defined cyber incident reporting procedures
- A designated cybersecurity coordinator
- A board-adopted AI policy
- Documented processes for safeguarding district systems
- An understanding of available school safety grant funding
The statute does not mandate specific vendors or technologies. It mandates governance and documented programs.
How Lightspeed Supports District Readiness
Lightspeed Systems supports districts operationalizing these requirements by providing tools that help districts:
- Enforce web access and policy controls (Lightspeed Filter™)
- Manage devices and configurations (Lightspeed MDM™)
- Monitor app usage and AI tool visibility (Lightspeed Insight™)
- Detect and document potential cybersecurity incidents (Lightspeed Alert™)
- Support emergency notification workflows (Lightspeed Notify™)
These tools support districts in meeting governance and documentation expectations, but formal policy adoption remains a board responsibility.
HB 96 Compliance & Funding Map
What Districts Should Do Now
- Review current cybersecurity policies and determine whether formal board adoption has occurred.
- Develop or update incident reporting workflows aligned to 7-day and 30-day statutory deadlines.
- Monitor for the ODEW AI model policy release (due December 31, 2025).
- Begin drafting a district AI policy ahead of the July 1, 2026 deadline.
- Evaluate eligibility for HB 96 school safety grant funding before the May 29, 2026 application deadline.