On 24 June 2026 the Australian Signals Directorate confirmed it is retiring the Essential Eight and replacing it with a broader set of guidance called the Essentials series. For most businesses that is an interesting development. If you hold DISP membership, or you are working towards it, it lands differently. Essential Eight Maturity Level 2 is not a recommendation for you. It is a mandated condition of doing business with Defence.
So the obvious question is whether the framework you are contractually bound to is about to be pulled out from under you. The short answer is no. Here is the longer one, and what the Essential Eight retirement actually means for your DISP obligations over the next two years.
Nothing about the announcement lowers the bar you are held to today. Essential Eight Maturity Level 2 remains the mandatory cyber baseline for every DISP membership level, from Entry Level upward, and it is still assessed exactly as it was last week. The Essential Eight and the new Essentials series will run side by side as live documents for roughly two years, so there is no cliff edge and no gap to fall into.
We wrote about the broader transition in our piece on the ASD retiring the Essential Eight. This post is the defence-industry version of that story, because the framework change raises louder questions for DISP members than for anyone else. If you want the full picture of what DISP involves, start with our complete guide to DISP accreditation.
The reason a framework rename does not disturb your DISP compliance comes down to what your compliance actually rests on. DISP does not invent its own technical controls. It references the Australian Government’s Information Security Manual (ISM) and points to the Essential Eight as the baseline. Your DISP cyber posture is measured through the Cyber Security Questionnaire, whose Part B carries 107 Essential Eight controls, and every one of those controls traces back to the ISM.
The Essentials series is grounded in the same ISM. The foundation your DISP membership sits on is the foundation the new framework is being built from. That is why the controls you are assessed on today (multi-factor authentication, patching, application control, restricting administrative privileges and backups) carry into the new guidance rather than being swapped for something unfamiliar.
It is worth remembering how recent the current bar is. Cyber assessments against the old Top Four controls concluded on 15 November 2025, and the full Essential Eight at ML2 is now the floor for all DISP members. If you have already done that work under our Essential Eight framework service or built towards it using our ML2 requirements guide, you are in the strongest possible position for whatever the Essentials asks for next. Defence’s own cyber and assurance guidance spells out how the questionnaire feeds into ongoing assurance.
ASD has set out a staged transition rather than a switch. Both frameworks stay live for now. ASD expects to begin deprecating the Essential Eight at around 12 months, and to retire it fully at around 24 months. Any Essential Eight references written into DISP standards and government supplier contracts will need to migrate to the Essentials series over that window, but sequencing that is Defence’s job, not yours. Your job is to keep meeting the standard you already meet.
Two of the changes coming actually work in a DISP member’s favour. The first is that cloud is being split into its own domain. The current Essential Eight was designed for on-premises IT in 2017 and maps poorly onto shared-responsibility and SaaS environments, which is a constant source of friction in DISP assessments. Clearer guidance on where your responsibility ends and your provider’s begins is a genuine improvement.
The second is that the Essentials series decouples threat-informed controls from a fixed maturity ladder. Under the old model, ASD folded new attacker tradecraft into existing maturity levels, so a business could hold exactly the same controls and appear to slip backwards. The federal numbers show how real that is: just 22 per cent of federal entities reached overall ML2 in 2025, up from 15 per cent the year before but still below the 25 per cent recorded in 2023, after ASD hardened the ML2 controls. For DISP members who invest heavily to reach and hold ML2, a framework that stops penalising a stable posture on paper is welcome.
Here is the part that matters more than any of the above. The thing that costs a DISP member a contract is not the framework changing its name. It is a control that quietly decayed between assessments.
DISP runs an active assurance and uplift program, and the Annual Security Review is designed to check that your controls are operating now, not that you passed a point-in-time snapshot months ago. If you cannot demonstrate full ML2 when assessed, you can be placed in the Uplift Program, and an application can be suspended until compliance is proven. That risk is present today and is entirely unaffected by the Essentials transition. Treating the announcement as a reason to pause is the one move that genuinely puts your membership at risk. Our DISP cyber security service exists precisely to keep that evidence current between reviews.
The most forward-looking part of ASD’s announcement is a flagged future chapter on agentic AI, treating autonomous AI agents as a security domain of their own with their own identity, access and prompt-injection problems. For DISP members this is not a distant concern. The December 2025 ISM update already added control ISM-2074, which recommends organisations develop and maintain a general-purpose AI usage policy. Because DISP traces to the ISM, a documented AI policy is effectively a named control for any defence business whose contracts reference it.
The live risk in the meantime is shadow AI. Staff pasting Defence-related information into public tools like ChatGPT or Copilot is a DISP breach in progress, because the data has left your controlled environment. We cover the practical architecture (self-hosted inference for classified work and technical controls to block unsanctioned tools) in our DISP guide, and the policy side in our AI governance practice. Getting ahead of this now means the agentic AI chapter, when it lands, is a formality rather than a scramble.
Keep going and get an honest baseline. Do not pause your Essential Eight work. The controls are the foundation of the Essentials series, so every one you stand up now carries forward. A gap analysis across all eight strategies tells you exactly where you stand, which is the best place to be when any framework transitions.
Document the why, not just the what. Outcome and risk-based records transition cleanly to the Essentials series, and they are also what the DISP assurance program wants to see. Keep evidence that controls are operating, not just that they were once configured.
Map your cloud and SaaS shared responsibilities now. The Essentials series will make this explicit, and most Essential Eight programs under-cover it. Sorting out where your responsibility ends and your provider’s begins pays off in both the current DISP assessment and the coming one.
Have your say, then talk to a defence-aware provider. Consultation on the first Essentials chapter is open through ASD’s Cyber Security Partnership Program until 12 July 2026, so contribute if your sector has a stake. Then talk to our Perth team for a free Essential Eight gap analysis and a clear view of what the move to the Essentials means for your DISP membership.
No. The Essential Eight retirement does not change what DISP requires of you today. Essential Eight Maturity Level 2 remains the mandatory cyber baseline for every DISP membership level, and it is still assessed through the Cyber Security Questionnaire and maintained through your Annual Security Review. Because DISP and the new Essentials series both trace back to the Information Security Manual, the controls you are assessed on carry forward rather than being replaced.
Yes. Cyber assessments against the old Top Four controls ended on 15 November 2025, and the full Essential Eight at Maturity Level 2 is now mandatory for all DISP members, from Entry Level upward. Nothing in the Essential Eight retirement announcement lowers that bar during the two-year transition.
Eventually the references will migrate, but on ASD’s timeline, not overnight. Both frameworks stay live for roughly two years, with deprecation of the Essential Eight expected at around 12 months and full retirement at around 24 months. Updating DISP standards and government contracts to the Essentials series is Defence’s responsibility to sequence. Your obligation is to keep meeting the current standard throughout.
No. Waiting is the one response that genuinely risks your membership. The controls behind Essential Eight ML2 are the foundation of the Essentials series, so any work you do now carries into the new framework. DISP also runs an active assurance and uplift program, and failing to demonstrate ML2 can land you in the Uplift Program with your application suspended until you comply.
Compliance drift, not the framework rename. DISP assessments check that controls are operating now, not that you passed once. A control that quietly decays between reviews is what costs a defence business its membership or a contract. Keeping evidence current through the Annual Security Review matters far more than the name on the framework.
The transition runs over roughly two years from mid-2026. ASD opened consultation on the first Essentials chapter, Essentials for enterprise IT, with feedback due through its Cyber Security Partnership Program portal by 12 July 2026. The Essential Eight remains the active, supported framework today and throughout the transition.