EncryptedTechnology: Texas Cyber Command (TXCC) FY 2026-27 Certification Pending Learn more →

Texas Compliance Hub

Texas Cybersecurity Compliance

Everything Texas municipalities and government entities need to understand their cybersecurity obligations under current state law.

Texas House Bill 150

89th Legislature · 2025

Mandates annual security awareness training for employees of state agencies and political subdivisions, with mandatory completion tracking and Texas Cyber Command (TXCC)-certified curriculum.

Annual TrainingCertificationLocal Government

Key Requirements

  • Annual training requirement for all covered employees
  • Training must use TXCC-certified curriculum
  • Completion records must be maintained
  • Applicable to state agencies and political subdivisions

Texas Senate Bill 2610

89th Legislature · 2025

Establishes a legal safe harbor for Texas businesses with fewer than 250 employees that implement and maintain a recognized cybersecurity program. Businesses that adopt qualifying frameworks (NIST, ISO, CIS) may be shielded from punitive damages in data breach lawsuits.

Cybersecurity Safe HarborSmall BusinessData Breach

Key Requirements

  • Legal safe harbor from punitive damages
  • Applies to businesses with fewer than 250 employees
  • Requires a recognized cybersecurity program (NIST, ISO, CIS)
  • Protects against punitive damages in data breach lawsuits

Texas Senate Bill 271

88th Legislature · 2023

Requires local government entities — including counties, cities, special districts, and K-12 schools — to report cybersecurity incidents and ransomware attacks to DIR within 48 hours of discovery. Incident details and analysis are due within 10 days of eradication or closure.

Incident Reporting48-Hour DeadlineLocal Government

Key Requirements

  • 48-hour incident reporting deadline to DIR
  • Applies to counties, cities, special districts, and K-12 schools
  • Covers cybersecurity incidents and ransomware attacks
  • Incident analysis due within 10 days of eradication or closure

The Texas Cybersecurity Act

Texas Gov't Code § 2054

Establishes the comprehensive cybersecurity governance framework for Texas, requiring mandatory security awareness training programs, DIR oversight, and proof-of-completion records.

Security FrameworkMandatory ComplianceProof of Completion

Key Requirements

  • Comprehensive statewide cybersecurity framework
  • Mandatory security awareness training programs
  • DIR oversight and enforcement powers
  • Proof-of-completion records required for audits

Frequently Asked Questions

Compliance answers

Which organizations must comply with Texas cybersecurity training requirements?

Under Texas Government Code § 2063.103, enacted by House Bill 150 (effective September 1, 2025), all elected and appointed officials and employees of governmental entities who have access to the entity's information resources must annually complete a cybersecurity training program certified by the Texas Cyber Command (TXCC). This applies to state agencies, cities, counties, ISDs, water districts, and all political subdivisions. Contractors with access to government computer systems or databases are also required to complete training.

What counts as certified training?

Training must use a curriculum explicitly certified by the Texas Cyber Command (which assumed DIR's cybersecurity training certification function under HB 150). Certified programs are listed on the Texas Cyber Command website. Generic online security training is not certified unless specifically approved. Certifications are valid for one fiscal year (September 1 through August 31) and must be renewed annually.

What records do I need to maintain?

You must maintain proof-of-completion records for all covered employees and officials, including name, completion date, and course or module completed. Records should be retained for a minimum of five years past employee termination and made available for audit upon request. You do not submit individual records to the state — you certify compliance through the state reporting portal by August 31 each year.

What if we miss the August 31 deadline?

Missing the August 31 certification deadline puts your organization out of compliance with Texas Government Code § 2063.103. Consequences may include designation as non-compliant in the state security report and loss of eligibility for state grants or required repayment of awarded funds. Consult your agency's legal counsel or the Texas Cyber Command for guidance on current enforcement policy.

Do contractors and vendors need to complete training?

Yes — contractors and vendors with access to a government computer system or database are required to complete TXCC-certified cybersecurity training under Texas Government Code § 2063.103. If a contractor works with multiple state agencies, they must complete the training program specified by each agency.

Ready to achieve full compliance?

Our platform delivers the required annual training with completion tracking and audit documentation handled automatically.