The Essential Eight Is Being Retired. Your Maturity Level 2 Benchmark Is About to Move.
Why every Australian board should start preparing now for the ASD’s new Essentials for enterprise IT
For the better part of a decade, the conversation about cyber security in Australian boardrooms has had a convenient anchor point. When a regulator, an insurer or a major customer asked “are we secure enough?”, the answer was increasingly framed in a single shorthand: Essential Eight Maturity Level 2. It became the de facto benchmark — the line that separated organisations taking cyber seriously from those that were not. That anchor is about to be pulled up.
On 24 June 2026, the Australian Signals Directorate confirmed it intends to retire the Essential Eight within two years, replacing it with a broader “Essentials” series. The first chapter, Essentials for enterprise IT, is open for consultation now, with feedback due by 12 July 2026. The Essential Eight will run as a live document alongside the new guidance, with the ASD signalling it will begin to deprecate the Essential Eight in around twelve months and retire it entirely at the two-year mark.
This is not a minor revision to a maturity ladder. It is a structural change to the framework that underpins how cyber risk is measured, insured and regulated in this country. Boards that treat it as a future IT problem will find themselves benchmarked against a standard that no longer exists.
Summary Table
| Issue | What Is Changing | Why It Matters | What Boards Should Do Now |
|---|---|---|---|
| Retirement of the Essential Eight | The ASD has confirmed the Essential Eight will be deprecated and then retired within two years, with Essentials for enterprise IT now open for consultation | Organisations that still rely on Essential Eight Maturity Level 2 as a benchmark may find themselves tied to a standard that is losing authority | Start planning now rather than treating this as a future IT issue |
| Maturity Level 2 benchmark | Maturity Level 2 has become embedded in contracts, insurance, procurement, and board risk reporting | As the framework is retired, organisations will need a new way to evidence cyber maturity and resilience | Identify where Level 2 is referenced across the business and assess exposure |
| Shift from prescriptive controls to outcomes | The new Essentials series moves away from fixed control checklists towards outcomes and intent | Boards will need to oversee judgement-based decisions rather than rely on a single maturity score | Reframe cyber reporting around resilience, risk, and business outcomes |
| Governance implications | Cyber governance can no longer sit only with IT or the CIO | The board will need clearer ownership of cyber risk appetite, assurance, and decision-making | Strengthen links between IT governance, enterprise risk, and board oversight |
| Existing Essential Eight investment | The ASD has stated that work already completed under the Essential Eight remains relevant | Organisations do not need to start again, but they do need to translate and realign existing controls | Protect prior investment by mapping current controls to the new framework intent |
| Risk of overreaction | Outcomes-based frameworks create more room for interpretation | Without independent challenge, businesses may over-spend or accept overly restrictive controls that are not proportionate to actual risk | Seek unbiased, vendor-neutral advice before budgets and controls are locked in |
| Capability implications | Teams experienced in evidencing Essential Eight maturity may need support interpreting the new model | The new framework requires stronger translation between business risk and technical control outcomes | Ensure management has access to independent guidance and broader governance capability |
| Immediate board priority | The change is already underway, not theoretical | Boards that delay may face contract, insurance, regulatory, or assurance gaps as expectations shift | Take stock, adjust governance, and begin transition planning now |
Why the goalposts are moving
The ASD has been candid about why. The Essential Eight was designed in 2017 — evolving from the older Top Four — for a world of on-premises enterprise IT, when cloud was still a novelty. Its controls simply do not translate cleanly to shared-responsibility models, SaaS platforms and the cloud-first architectures that almost every organisation now runs. As the ASD put it, an architecture with no cloud at all would today be a genuinely surprising one.
There is a second, more uncomfortable reason — one we have heard from clients for years. Organisations complained that the maturity requirements kept shifting beneath them. A business assessed at Maturity Level 2 one year could find itself slipping backwards the next, despite having changed nothing and despite no actual deterioration in its security posture. The ASD has now acknowledged this is real: it was absorbing new threat tradecraft into the existing maturity levels because the structure was not flexible enough to handle evolving controls separately. The new Essentials series is designed to fix that by decoupling threat-informed controls from a fixed maturity ladder.
From prescriptive controls to outcomes
The philosophical shift matters as much as the timing. The Essential Eight told you what to do — patch applications, patch operating systems, restrict administrative privileges, implement multi-factor authentication, control applications, restrict Office macros, harden user applications and back up regularly. The Essentials series shifts the emphasis towards outcomes and intent, giving organisations the flexibility to meet the guidance using whatever tools genuinely fit their environment.
Three chapters will lead the new framework: enterprise IT first, followed by operational technology and cloud, with agentic AI flagged as a possible dedicated chapter of its own. The thinking draws heavily on the ASD’s Modern Defensible Architecture work — a stronger emphasis on defence in depth and protecting your “crown jewels”, rather than a thin perimeter wrapped around everything equally.
What this means for the Maturity Level 2 benchmark
Here is the practical problem for most organisations. Maturity Level 2 has quietly become embedded in contracts, cyber insurance questionnaires, supply-chain assurance programs and regulatory expectations. It is written into procurement requirements and board risk appetites. As the Essential Eight is deprecated, that benchmark will lose its authority — and the parties who rely on it will need a new yardstick. It is entirely reasonable to expect insurers, regulators and large customers to begin asking about alignment to the Essentials for enterprise IT well before the Essential Eight is formally retired.
The good news — and this is important — is that the work is not wasted. The ASD has been explicit that investment made under the Essential Eight will remain relevant under the Essentials. The controls do not disappear; they are reframed. Multi-factor authentication, privileged access management, patching discipline and reliable backups are no less essential than they were last week. What changes is how that effort is structured, evidenced and assessed.
This is a management change, not just a control change
The most important shift the Essentials brings is not technical — it is managerial. The Essential Eight suited a compliance mindset: a finite checklist, an auditable maturity score, a number you could report and defend. That model let many organisations manage cyber as a periodic assessment exercise, often delegated wholesale to the IT department. An outcomes-based framework breaks that comfortable arrangement. You cannot tick your way to resilience. You have to make judgements — about what matters most, what risk you are willing to carry, and whether your defences actually hold — and those are business judgements, not just IT ones.
This reverses the direction of the conversation. The prescriptive controls of the Essential Eight effectively tell IT what to do — apply this control, reach this level, evidence it. Under an outcomes-based framework, IT will instead need to learn to ask the business what outcomes are required, and then design and confirm the controls that actually achieve them. That is a genuinely different skill: facilitation and translation between business risk and technical control, not just implementation.
It also introduces a risk that boards should watch closely. Where a framework requires interpretation, the natural instinct of a technical team — particularly one trained to chase a maturity score — is to err on the side of caution. Left unchecked, that can lead to controls that are more expensive and more restrictive than the organisation’s actual risk justifies, and, because the rationale now rests on professional judgement rather than a published checklist, it becomes far harder for the business to challenge the approach or test whether the cost and friction are warranted. Closing that gap is exactly why the outcome must be owned by the business and the interpretation tested independently.
That means the governance links between IT and the business will need adjusting. Risk appetite statements, board reporting, audit committee agendas and management assurance processes have all been built around a maturity number that is about to disappear. When the benchmark becomes “are we resilient against the threats that matter to us?” rather than “are we at Level 2?”, the conversation has to move up — from a technical metric reported to the board, to a risk position owned by the board. Technical governance frameworks that currently terminate at the CIO’s desk will need to connect more directly to enterprise risk, strategy and the appetite the board has actually set.
It also has real implications for capability. Many IT teams have spent years building deep, specific expertise in achieving and evidencing Essential Eight maturity. That skill set — valuable as it is — is calibrated to a prescriptive standard that is being retired. Understanding what an outcomes-and-intent framework means for your organisation, your architecture and your risk profile is a different discipline. There is also a structural reason to look beyond the existing team: the people who have been optimising for the old benchmark are rarely best placed to judge, objectively, what the new one demands of the business. This is precisely the point at which organisations should seek unbiased, vendor-neutral advice and external assistance — not to replace the IT department, but to give it, and the board, an independent reading of the implications before decisions and budgets are locked in.
What boards should do now
This is not a moment for panic, but it is a moment for deliberate planning. In our advisory work we are recommending five practical steps.
- Take stock of where Maturity Level 2 lives. Identify every contract, insurance policy, regulatory obligation and supplier commitment that references Essential Eight maturity, so you understand your real exposure to the change.
- Protect your existing investment. Map your current Essential Eight controls to the outcomes the Essentials framework is pursuing. Most of your effort carries forward — the task is translation, not replacement.
- Adjust the governance links to the business. Revisit how cyber risk is reported, owned and assured. Move the conversation from a compliance checklist to genuine resilience — what matters most, what would hurt most if lost, whether your architecture defends it in depth — and make sure that conversation reaches the board, not just the CIO.
- Get an independent reading before you commit. The skills your IT team built around Essential Eight maturity are valuable but were calibrated to the old standard. Seek unbiased, external advice to interpret what the new framework means for your specific organisation — and to test that the controls being proposed are proportionate to the risk, before decisions and budgets are set.
- Have a voice in the consultation, and watch cloud and OT. The enterprise IT chapter is open for feedback until 12 July 2026 via the ASD Cyber Security Partnership Program. If your risk sits in cloud platforms or operational technology, the dedicated chapters that follow may matter even more.
The independent view
Framework transitions are exactly the moments when vendors reach for their product catalogues. As an independent advisory firm, our counsel is simpler: the Essentials series rewards organisations that understand their own risk, not those that buy the most tooling. The shift from prescriptive controls to outcomes gives you flexibility — but flexibility without clear judgement becomes ambiguity, and ambiguity is easily resolved by over-spending. The organisations that navigate this well will be those that treat the next two years as a structured transition, governed at board level and informed by independent advice, rather than a last-minute scramble as the use of the Essential Eight lapses.
The benchmark is moving. The smart response is to start moving with it — deliberately, and on your own terms.
FAQs Answered
1. How should boards prepare for the retirement of the Essential Eight?
Boards should start by understanding where Essential Eight Maturity Level 2 is currently embedded across the organisation. In many cases, it appears in supplier contracts, cyber insurance requirements, procurement standards, and risk reporting. The key issue is not just technical compliance. It is whether the organisation is prepared for a benchmark that is about to lose its authority.
At Beyond Technology, we recommend treating this as a governance transition rather than a last-minute control update. Boards should seek a clear view of contractual exposure, reporting impacts, and how current cyber investments map to the outcomes the new Essentials framework is pursuing.
2. What does the new Essentials for enterprise IT framework mean for our organisation?
The new framework signals a shift away from a fixed maturity benchmark and towards an outcomes-and-intent model. For organisations, that means the focus moves from simply evidencing a prescribed level to demonstrating that controls are proportionate, effective, and aligned to the risks that matter most.
This has practical implications for governance, assurance, and board reporting. It means organisations will need to translate existing Essential Eight investments into a broader resilience conversation and ensure the business, not just IT, is involved in defining what good looks like.
3. Do we need to replace our Essential Eight program immediately?
No. For most organisations, the work already completed under the Essential Eight remains valuable. The challenge is not starting again from scratch. It is understanding how that effort carries forward into the new Essentials framework and where interpretation, governance, and evidence will need to change.
Beyond Technology helps organisations protect their existing investment while building a practical transition path. That includes identifying what still aligns, where new expectations are likely to emerge, and how to avoid unnecessary rework or overspending during the transition.
4. How can we assess our exposure if Essential Eight Maturity Level 2 is written into contracts, insurance, or procurement requirements?
The first step is to identify every place where Maturity Level 2 has been used as a formal benchmark. This often includes customer commitments, supplier agreements, cyber insurance questionnaires, internal standards, and procurement documentation. Once that exposure is mapped, the organisation can assess where those references may need to be updated, reframed, or replaced over time.
This is an area where independent advice is especially useful. The issue is not simply whether the wording changes. It is whether the organisation can still demonstrate a defensible cyber position as external stakeholders begin shifting to the new Essentials model.
5. When should an organisation seek independent advice on the move from Essential Eight to Essentials?
Organisations should seek independent advice before major decisions are locked in. That includes budget planning, cyber program redesign, contract renewal, procurement changes, and board-level reporting updates. The teams that built capability around Essential Eight maturity bring valuable experience, but they are not always best placed to independently interpret what the new framework means for the business.
At Beyond Technology, we see this as a critical moment for objective, vendor-neutral guidance. Independent advice helps boards and executives understand the implications of the change, challenge assumptions, and make proportionate decisions before cost, control, and governance positions are set.
Sources
iTnews — ASD to retire Essential Eight cyber security framework within next two years (24 June 2026)
Cyber.gov.au — Consultation on evolution of Essential Eight