A new report from researchers at the Center for Long-Term Cybersecurity’s Public Interest Cybersecurity Program presents a first-of-its-kind empirical analysis of every cybersecurity-related bill enacted in all 50 states during the 2025 legislative sessions. The research identifies nationwide patterns in the cyber policy issues states addressed, the regulatory approaches they adopted, and the entities and sectors they chose to regulate.
“By analyzing all cybersecurity-related legislation enacted in 2025, this report provides lawmakers, practitioners, and researchers with a reliable snapshot of the current cybersecurity policy landscape in the U.S.,” explain the report’s authors, Shannon Pierson, Senior Fellow of Public Interest Cybersecurity at CLTC, and Sree Varsha Bhanoor, a graduate student at UC Berkeley.
The report, Tracking Cybersecurity Policy Developments Across State Legislatures: 2025 Enacted Legislation, marks an important contribution to understanding how states are tackling myriad cyber challenges, from defending schools against ransomware attacks to establishing backstops for cyber insurance. In the face of shrinking support from the federal government, states are increasingly establishing their own regulations to protect state-managed critical infrastructure such as electric utilities, water systems, school districts, and healthcare.
“State legislatures have become the primary engines of cybersecurity policymaking in the U.S.,” the authors write. “Legislatures propose hundreds of cybersecurity-related bills every year, and dozens are enacted, creating a fragmented patchwork of state cybersecurity laws governing cyber defense across the country.”
In parallel to their analysis, the researchers published a publicly accessible, searchable database of every cybersecurity-related bill enacted in 2025 across all 50 states. This database is meant to serve as a tool for researchers, practitioners, and lawmakers to quickly understand the current legislative landscape in any given state, identify which local lawmakers are actively passing cybersecurity policy, and contact their offices if needed.
To source the dataset, the researchers used LegiScan, a nonpartisan legislative tracking service that monitors bills introduced in statehouses across the nation. They analyzed all bills enacted in 2025 with the keywords “cybersecurity” or “cyber security,” manually reviewing each for inclusion and extracting and logging each cybersecurity-specific provision included. They found that, in total, lawmakers across 37 states passed 99 cybersecurity-related bills in 2025, establishing 393 new cybersecurity rules cumulatively. The researchers mapped each rule to one of the six functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0., and they categorized each by policy action type to describe the kinds of solutions state lawmakers pursued.
Trends in Legislation Across States
The researchers analyzed the bills to identify key trends across the cybersecurity laws passed by states in 2025, and to characterize the entities and sectors being regulated. According to their analysis, most legislation passed last year focused on improving cybersecurity for state government agencies, education entities (including K-12 schools), cyber insurance policyholders, and high-risk, resource-constrained critical infrastructure sectors. They found that state legislatures:
- Built out cybersecurity leadership and governance structures, particularly within state cybersecurity offices and agencies;
- Expanded requirements for public and private organizations to implement baseline cybersecurity controls;
- Increased obligations for organizations to routinely report to oversight bodies on cyber-security programs, projects, compliance, risks, and spending;
- Prioritized stronger cybersecurity incident preparedness and response across critical infrastructure sectors;
- Mandated the representation of cybersecurity experts within state decision-making and leadership; and
- Passed cybersecurity safe harbor laws to incentivize cybersecurity investment.
“Together, these patterns reveal emerging regulatory models, sectoral priorities, and practical lessons for other states,” the authors write.
Recommendations for Policymakers
The report also includes in-depth analysis of select states and state lawmakers driving cybersecurity policymaking, and provides five recommendations for lawmakers considering cybersecurity legislation in 2026. Specifically, the authors suggest that state legislatures:
- Continue working on a bipartisan basis to pass cybersecurity bills, particularly as cybersecurity is an issue with relatively high levels of consensus across party lines.
- Appropriate funding to accompany new cybersecurity mandates to ensure their successful implementation.
- Be more prescriptive about required cybersecurity controls in legislation, rather than relying on undefined terms like “reasonable security measures.”
- Explore ways to support the monitoring and detection of cyber incidents.
- Require follow-up actions to reporting to ensure it translates to action.
