Essential 8 Maturity Level 2: the complete requirements and implementation guide for 2026

Essential Eight Maturity Level 2 is the standard required by most Australian government procurement contracts, and increasingly by enterprise clients and cyber insurers across the private sector. It sits between the baseline controls of ML1 and the deeply embedded programme of ML3, and it represents a meaningful step up in both the consistency and evidenceability of your security controls.

This guide explains what ML2 actually requires across all eight strategies, how it differs from ML1 and ML3, and what it takes to get there for an Australian SMB.

Essential Eight maturity levels — what each one means

What changes between ML1 and ML2?

The key difference between ML1 and ML2 is not what controls are in place — it is how consistently they are applied and whether you can prove it. ML1 allows for gaps and exceptions. ML2 does not. Every control must be implemented across every system in scope, with evidence that it is working and tested.

Here is what that means in practice across all eight strategies:

1. Application control

ML1: Approved application lists exist. Execution is controlled on workstations.
ML2: Application control enforced on all workstations and internet-facing servers. Allowlists reviewed and validated regularly. Controls applied to software libraries, scripts, and installers — not just executables. Logged and monitored.

2. Patch applications

ML1: Patches applied when convenient. Critical vulnerabilities patched within 30 days.
ML2: Critical vulnerabilities patched within 48 hours. Non-critical patches applied within two weeks. Automated patching tools deployed. Unsupported or end-of-life applications removed from the environment. Patch compliance reported regularly.

3. Configure Microsoft Office macro settings

ML1: Macros disabled for most users. Some exceptions exist.
ML2: Macros blocked from the internet on all systems. Only digitally signed macros from trusted publishers permitted. Users cannot enable macros themselves. Macro execution logged and reviewed.

4. User application hardening

ML1: Flash disabled. Some browser hardening in place.
ML2: Flash, Java browser plugins, and deprecated technologies fully removed. Web browsers configured to block ads and untrusted content. PDF viewers hardened. Internet Explorer disabled or removed. Controls applied consistently across all devices.

5. Restrict administrative privileges

ML1: Admin accounts exist but are not always separate from standard accounts.
ML2: Admin accounts used only for administrative tasks — separate from standard user accounts. Admins use a dedicated admin workstation or privileged access workstation. Admin access to the internet is blocked. All privileged account activity logged and reviewed regularly. Requests for new admin accounts are validated and approved.

6. Patch operating systems

ML1: Security patches applied when possible. Some end-of-life systems remain.
ML2: Critical OS vulnerabilities patched within 48 hours. Non-critical patches applied within two weeks. Only vendor-supported operating systems permitted. End-of-life systems removed or isolated. OS patch compliance tracked and reported.

7. Multi-factor authentication

ML1: MFA enabled for remote access and some cloud services.
ML2: MFA enforced for all remote access, all cloud services, all privileged accounts, and all third-party services storing sensitive data. Phishing-resistant MFA (e.g. hardware tokens, passkeys) required for privileged accounts and high-risk services. MFA cannot be bypassed by users.

8. Regular backups

ML1: Backups exist. Recovery is rarely tested.
ML2: Backups performed daily and stored offline or in a separate, protected environment. Backup copies are tested for restoration at least quarterly. Backup access is restricted. Business-critical data, software, and configuration settings are all included in the backup scope.

The most common gaps when moving from ML1 to ML2

Based on our Essential Eight assessments across Perth businesses, these are the controls that most frequently prevent organisations from reaching ML2:

• 48-hour patching windows — most businesses have automated patching but are not meeting the 48-hour deadline for critical vulnerabilities. This is often a monitoring and reporting gap rather than a technical one.
• Privileged access workstations — using a standard laptop for both admin tasks and daily work is extremely common and disqualifying at ML2.
• Phishing-resistant MFA — standard Microsoft Authenticator push notifications are not phishing-resistant. Hardware keys or passkeys are required for privileged accounts at ML2.
• Application control on servers — most businesses have application control on workstations but not on internet-facing servers.
• Quarterly backup restoration tests — backup jobs running successfully is not the same as a tested restore. Many businesses have never actually restored from backup.

How long does it take to reach ML2?

For a Perth business starting from ML1 with a managed IT provider, reaching ML2 typically takes six to twelve months. The timeline depends heavily on your current environment — a cloud-first Microsoft 365 business with Intune-managed devices will get there faster than a business with on-premises servers and unmanaged endpoints.

The cost of moving from ML1 to ML2 for a 20–50 person business typically runs $15,000 to $40,000 in implementation work, depending on how many gaps need to close. For businesses on a managed IT agreement with Epic IT, much of this is absorbed into the monthly service.

Does my business need ML2?

ML2 is required for most Australian government supplier contracts. If your organisation is on the Australian Government’s supply chain, or if you work with agencies that reference the Protective Security Policy Framework (PSPF), ML2 is the minimum you need. It is also increasingly specified by large enterprise clients and cyber insurers as a condition of engagement.

If your business is not supplying to government and has no formal Essential Eight contractual obligation, SMB1001 Gold is often a more practical and achievable starting point — it builds the same foundations while delivering a formal certification you can use commercially. Read our comparison of Essential Eight vs SMB1001 for guidance on which to prioritise.

How Epic IT can help

We conduct Essential Eight assessments and implementation for businesses across Perth as part of our managed security services. Our assessment gives you a clear ML rating across all eight strategies, identifies the specific gaps preventing ML2 attainment, and produces a prioritised remediation plan.

Contact us on 1300 EPIC IT for a free Essential Eight gap analysis.

Frequently Asked Questions

What is Essential Eight Maturity Level 2?

Essential Eight Maturity Level 2 means all eight ASD mitigation strategies are consistently applied and evidenced across your environment — not just partially implemented. Controls must work on every system in scope, gaps are not permitted, and evidence of testing and monitoring must be available. It is the standard required by most Australian government supplier contracts.

What are the Essential Eight ML2 requirements?

At ML2, critical vulnerabilities must be patched within 48 hours, application control extends to servers and scripts, macro controls prevent all internet-sourced macros, admin accounts are fully separated with dedicated access workstations, MFA is phishing-resistant for privileged accounts, and backups are tested quarterly with quarterly restoration tests verified. All controls must be applied consistently across all in-scope systems.

How is ML2 different from ML1?

ML1 allows for partial implementation and exceptions. ML2 requires controls to be consistently applied across all systems with no gaps, tested regularly, and monitored with logged evidence. The jump from ML1 to ML2 is typically the hardest part of the Essential Eight journey because it requires closing every exception and implementing monitoring and evidence collection for all controls.

How long does it take to achieve Essential Eight ML2?

For most Australian SMBs working with a managed IT provider, moving from ML1 to ML2 takes six to twelve months. A cloud-first Microsoft 365 environment with Intune-managed devices will get there faster than a business with on-premises servers and legacy systems. The cost typically runs $15,000 to $40,000 in implementation work for a 20–50 person business.

Do I need Essential Eight ML2 or is ML1 enough?

ML2 is required for most Australian government supplier contracts and is increasingly expected by enterprise clients and cyber insurers. ML1 provides basic protection against commodity-level attacks but is insufficient for targeted attacks or formal government procurement. If you do not have government contracts, SMB1001 Gold may be a more practical starting point while you build toward ML2.

How often should Essential Eight assessments be conducted?

At minimum every 12 months, and ideally every six months for businesses actively working toward a higher maturity level. An assessment gives you a current ML rating across all eight strategies and identifies specific gaps. Between formal assessments, continuous monitoring of control status is essential — controls that were ML2-compliant six months ago can degrade through configuration drift, new devices, or software changes.