This bill establishes a statutory "standard of care" for operators of critical infrastructure technology systems in New Hampshire that serve populations exceeding 10,000 people or 3,300 households. It mandates that these operators exercise reasonable care to secure their systems against foreseeable risks, which include vulnerabilities related to public internet exposure, inadequate remote access security, and failure to maintain cybersecurity measures. The bill introduces a new chapter, Chapter 546-D, which defines "critical infrastructure operational technology" and outlines specific cybersecurity practices that must be adhered to. Operators who fail to meet this standard may be held liable for any resulting harms, with considerations for public health and safety risks factored into liability determinations.

The bill also includes a provision that the use of internet or cloud services solely for logging or archival functions does not count as "continued safe operation." It does not provide funding or authorize new positions, and while it may lead to indeterminable increases in local expenditures for municipalities to upgrade technology, the state itself is not expected to incur additional costs due to a shift to a self-insurance program for cybersecurity. The effective date for the bill is set for January 1, 2027.