The ASD is retiring the Essential Eight. Here’s what it means for your business

By Chris Arceo / Jun 25, 2026 / Cybersecurity & Compliance

On 24 June 2026, the Australian Signals Directorate confirmed something that reshapes the cyber security framework most Australian businesses have been working towards: the Essential Eight is being retired. Not scrapped overnight, and not because it failed, but replaced by a broader, more modern set of guidance called the Essentials series. If your business has invested in Essential Eight compliance, or is partway up the maturity ladder, this is the piece to read before you change anything. The short version: keep going. Here is what is actually happening, why, and what it means for you over the next two years.

What ASD actually announced

Speaking to iTnews, the head of cyber security resilience at the Australian Cyber Security Centre (ACSC) set out a deliberate, staged transition rather than a sudden switch. The Essential Eight and the new Essentials series will run side by side as live documents during a transition period. After roughly 12 months, ASD expects to begin deprecating the Essential Eight. At around 24 months, it will retire the Essential Eight entirely.

The replacement is not another eight-control checklist. The Essentials series breaks security into distinct domains, each treated on its own terms. Three chapters are planned to begin with: enterprise IT first, then operational technology, then cloud. Agentic AI is flagged as a likely future chapter of its own, on the basis that autonomous AI agents on a network raise identity, access, and prompt-injection problems that conventional controls were never designed to handle.

Consultation is already open. ASD is taking feedback on the first chapter, Essentials for enterprise IT, through its Cyber Security Partnership Program portal at partners.cyber.gov.au, with submissions closing on 12 July 2026. The new guidance is grounded in ASD’s Information Security Manual, and the agency describes it as prioritised, threat-informed mitigations for modern technology environments. If you have strong views on what the next framework should look like, this is the window to be heard rather than to react later.

Why the Essential Eight is being replaced

The reasoning ASD gave is structural, and it is hard to argue with. The Essential Eight was first published in 2017, built on the older Top Four mandatory controls from 2012. It was designed for on-premises enterprise IT at a time when cloud adoption was still early. Today, a business running no cloud at all would be the surprising exception, and the Essential Eight’s controls do not map cleanly onto shared-responsibility models or SaaS environments. Splitting cloud into its own domain lets ASD give clearer guidance on where your responsibility ends and your provider’s begins, which the current framework blurs.

The second reason will resonate with anyone who has worked through an assessment. For years, organisations complained that the maturity goalposts kept moving. A business could maintain exactly the same controls and still appear to slip backwards, because ASD folded new attacker tradecraft into the existing maturity levels rather than tracking it separately. The numbers show how real this is. ASD found just 22 per cent of federal entities reached overall Maturity Level 2 in 2025. That was up from 15 per cent the year before, yet still below the 25 per cent recorded in 2023, a decline ASD attributes to its own hardening of the ML2 controls that November. Agencies went backwards on paper without their actual security getting any worse. ASD has now acknowledged this directly, and the Essentials series is designed to decouple threat-informed controls from a fixed maturity ladder, so evolving threats no longer make a stable security posture look like it is regressing.

There is a philosophical shift underneath all of this. The Essential Eight is prescriptive: do these specific things to these specific technologies. The Essentials series leans towards outcomes and intent, giving organisations more flexibility to meet the guidance with whatever tools genuinely fit their environment. ASD frames the new approach around four attributes: flexibility, a threat-informed design, compatibility with existing Essential Eight programs, and a future-focused design that lets the agency add new guidance as technology changes. It draws heavily on ASD’s Modern Defensible Architecture work, with more emphasis on defence in depth and protecting your most valuable assets than on hardening a thin perimeter.

The industry response has been broadly positive, which is worth noting given how entrenched the Essential Eight is. Fortinet’s ANZ chief information security officer, Cornelius Mare, called the Essentials a welcome update and said the older framework was showing its age and no longer the optimal fit for a 2026 environment of SaaS, cloud, bring-your-own-device, and AI agents. He made one point that matters especially for smaller organisations: many of the original Essential Eight controls were aimed at large businesses with IT capabilities that small businesses simply cannot match. A more flexible, outcomes-based model may suit Australian SMBs better than the one-size-fits-all ladder it replaces.

The most important sentence for your business

If you take one thing from this, take this: ASD has been explicit that work done under the Essential Eight stays relevant under the Essentials. The investment is not wasted. The controls that make up the Essential Eight, including multi-factor authentication, patching, application control, restricting administrative privileges, and backups, are not going away. They are being reorganised and modernised, not deleted.

That matters because the natural reaction to “the framework is being retired” is to pause. Pausing is the wrong move. An organisation sitting at Maturity Level 1 today is protected against the commodity attacks that make up the overwhelming majority of real-world incidents, and that protection does not expire because the framework is being renamed. The same is true for businesses working towards ML2 or operating at ML3. Every control you stand up now carries forward.

What this means if you have a compliance obligation

For most businesses the Essential Eight has been a strong recommendation. For some it is contractual, and those are the cases to think through carefully during the transition.

Government suppliers. ML2 is the mandated baseline for federal entities under the Protective Security Policy Framework, and it is referenced across government supplier contracts. Those contractual references will need to migrate to the Essentials series over the two-year window, but that is ASD’s and the contracting agencies’ problem to sequence. Your job is to keep meeting the standard you are already held to. Nothing about the announcement lowers the current bar.

Defence industry. This is where the framework change raises the loudest questions, so it is worth being precise. If you are in or pursuing the Defence Industry Security Program, the cyber requirement is the full Essential Eight at Maturity Level 2. Assessments against the old Top Four ended in November 2025, and full ML2 is now mandatory for all DISP members, measured through the Cyber Security Questionnaire and maintained through your Annual Security Report. The natural worry is that retiring the Essential Eight pulls the rug out from under that obligation. It does not. The DISP questionnaire has always traced its controls back to the Information Security Manual, and the new Essentials series is grounded in exactly the same manual. The foundation your DISP compliance rests on is the foundation the new framework is built from, so the controls you are assessed on today are the ones that carry forward. The thing actually worth watching is not the framework name but compliance drift: Defence wants evidence that controls are operating now, not a point-in-time pass that quietly decays. Our DISP cyber security page covers how we keep that evidence current, and our guide to what the Essential Eight retirement means for DISP members works through the transition in detail. For defence businesses, the message is continuity, not a reason to wait.

Insurers and enterprise clients. Cyber insurers increasingly treat Essential Eight maturity as shorthand for adequate controls, and enterprise procurement teams ask for it directly. Underwriters and buyers move slower than regulators, so expect Essential Eight language to persist in questionnaires and policies well into the transition and beyond. Again, the controls are the point, and the controls are not changing.

Where AI fits into the new framework

The most forward-looking part of ASD’s announcement is the prospect of a dedicated agentic AI chapter. This is a clear signal that autonomous AI agents are now considered a distinct security domain, with their own identity and access requirements for non-human entities on a network, and their own threat in the form of prompt injection. It is the same direction we have been writing about in our work on AI governance, and it dovetails with the recent Five Eyes warning that AI-driven cyber attacks are months, not years, away. The framework is being rebuilt partly because the threats it was designed for have changed beyond recognition.

What you should do now

Keep going. If you are working towards an Essential Eight maturity level, continue. Our Essential 8 compliance guide walks through every control and maturity level as they are assessed today. The controls are the foundation of the Essentials series, and stopping now only widens the gap you will have to close later under a new name.

Get an honest baseline. The best position to be in when any framework transitions is knowing exactly where you stand. An Essential Eight assessment gives you a clear rating across all eight strategies and a prioritised plan, and that baseline translates directly into whatever the Essentials series asks for.

Have your say, if it affects you. Consultation on the first Essentials chapter closes on 12 July 2026 through ASD’s Cyber Security Partnership Program portal at partners.cyber.gov.au. If your business or sector has a stake in how enterprise IT security guidance is written, this is the moment to contribute.

Talk to someone who is tracking the change. The transition will run for two years, with both frameworks live for much of it. Working with a provider who is following the Essentials series as it is published means you adopt the new guidance smoothly rather than scrambling at the end. Talk to our Perth team for a free Essential Eight gap analysis and a view on what the move to the Essentials will mean for your environment.

Frequently asked questions

Is the Essential Eight being scrapped?

Not immediately, and not abruptly. The ASD has announced it intends to retire the Essential Eight over roughly two years, replacing it with a broader set of guidance called the Essentials series. Both frameworks will remain live during a transition period, with the Essential Eight expected to begin deprecating at around 12 months and retiring fully at around 24 months. The underlying controls are being modernised and reorganised, not deleted.

What is replacing the Essential Eight?

A new framework called the Essentials series. Instead of a single eight-control checklist, it treats security domains separately, starting with enterprise IT, then operational technology, then cloud, with a dedicated agentic AI chapter flagged as likely. It shifts emphasis from prescriptive controls towards outcomes and intent, giving organisations more flexibility in how they meet the guidance.

Will my Essential Eight work be wasted?

No. ASD has stated explicitly that investment made under the Essential Eight will still be relevant under the Essentials. The core controls, including multi-factor authentication, patching, application control, restricting administrative privileges, and backups, carry forward. If anything, organisations that have already done the work will be best placed to adopt the new framework.

Should we stop working towards an Essential Eight maturity level?

No. Stopping is the wrong response. The controls behind each maturity level are the foundation of the Essentials series, so any work you do now carries into the new framework. Pausing only widens the gap you will need to close later. Businesses at ML1 remain protected against commodity attacks, and those building towards ML2 or ML3 should continue.

Does this change DISP or government contract requirements?

Not right now, and the change is less disruptive for defence businesses than it first sounds. Essential Eight Maturity Level 2 remains the mandated baseline for DISP membership, measured through the Cyber Security Questionnaire and maintained via your Annual Security Report. The questionnaire’s controls trace back to the Information Security Manual, and the new Essentials series is grounded in the same manual, so the controls you are assessed on carry into the new framework rather than being replaced by something unfamiliar. The current standard still applies today. The priority for DISP members is keeping controls operating and evidence current, not waiting on the framework change.

When does the change take effect and can we have input?

The transition runs over roughly two years from mid-2026. ASD has opened consultation on the first chapter, Essentials for enterprise IT, with feedback due through its Cyber Security Partnership Program portal at partners.cyber.gov.au by 12 July 2026. Organisations with a stake in how the guidance is written should contribute during this window.

Not sure where the framework change leaves your business?

Our Perth-based team will assess where you stand against the Essential Eight today and what the move to the Essentials series means for you. Book a free gap analysis.


About the Author
Written by Chris Arceo, Cyber Security Officer at Epic IT, a CRN Fast50-recognised managed IT services provider in Perth. Chris holds a Bachelor of Science in Information Technology (Network Administration) and over a dozen active certifications including CompTIA Security+, Cisco CCNA, and specialist qualifications across Datto, Sophos, Kaseya, and ConnectWise platforms.
