Author: Dan Briggs | Published: 29 June 2026 | Reading time: 15 minutes
Executive summary
On 24 June 2026, the Australian Signals Directorate (ASD) confirmed it will retire the Essential Eight, the cyber security baseline most Australian organisations have spent years working towards, and replace it with a broader framework called Essentials. The change is not immediate. ASD expects to keep both documents live through a transition, begin deprecating the Essential Eight at around 12 months, and retire it in full at around 24 months.
The first chapter, Essentials for enterprise IT, is open for industry consultation until 12 July 2026 through the ACSC Partner Portal. Two more chapters are confirmed to follow, covering operational technology and cloud, with a possible fourth on agentic AI.
The headline for business owners is simpler than the news coverage suggests: do not stop your current cyber work. ASD has said plainly that the money and effort you have already put into the Essential Eight will still count under Essentials. What changes is the shape of the guidance, moving from a prescriptive checklist of eight controls towards outcomes and threat-informed priorities that fit cloud and software-as-a-service environments. This paper explains what was announced, why it is happening, what it means for professional services firms, hospitality groups, not-for-profits and financial services businesses, and the practical steps we recommend taking between now and the changeover.
What ASD actually announced
The Australian Signals Directorate, through the Australian Cyber Security Centre (ACSC), has put the Essential Eight on a path to retirement. In its place comes a series called Essentials. The current Essential Eight guidance becomes the first chapter, titled Essentials for enterprise IT, and further chapters will be published over time for other technology environments.
Chris Horlyck, head of cyber security resilience at the ACSC, told iTnews on 24 June 2026 that the agency will run both documents in parallel for a period, then wind the older one down. In his words, ASD expects to “probably in 12 months, start to deprecate the Essential Eight, and then in 24 months we’ll retire the Essential Eight as a whole.” That gives Australian organisations a roughly two-year runway, not an overnight switch.
Three chapters are confirmed to start the Essentials series: enterprise IT first, then operational technology, then cloud. Horlyck also flagged that agentic AI, meaning autonomous AI agents acting on your systems, may earn its own chapter because the identity, access and prompt-injection risks attached to non-human accounts are different enough from conventional controls to warrant separate treatment.
ACSC head Stephanie Crowe framed the reasoning briefly: “to defend against modern threats with modern tools, our guidance must evolve as well.” ASD describes the new approach as offering “prioritised, threat-informed mitigations for contemporary technology environments, supported by practical tools and clear implementation guidance.” The agency has named four design attributes for Essentials: flexibility, a threat-informed design, compatibility with existing Essential Eight programs, and a future-focused structure that lets ASD add new guidance without rewriting everything each time.
The single most important sentence for any business that has spent money on this came from Horlyck: “The investment you’ve made under the Essential Eight will still be relevant under the Essentials.” If you have rolled out multi-factor authentication, tightened admin rights, got your patching under control and tested your backups, none of that is wasted.
Why the Essential Eight is being retired
The Essential Eight was first published in 2017, growing out of ASD’s Top Four mandatory controls from 2012. It was built for a world of on-premises Windows networks, where the organisation owned the servers, the domain controller sat in a comms room, and the main job was keeping that perimeter patched and locked down. That world is largely gone. Security leaders have started describing the Essential Eight as showing its age against a 2026 threat environment.
Horlyck was direct about the core limitation: the Essential Eight was designed for on-premises enterprise IT at a time when cloud adoption was still nascent, and its controls do not translate cleanly to shared-responsibility models or SaaS. “Essential Eight started before cloud was really a big thing in the sector,” he said. “Now, if you don’t have cloud, that would be a really surprising architecture to have.”
That is the nub of it. When your email, files, line-of-business apps and identity all live in Microsoft 365, Google Workspace or a vendor’s platform, several of the eight controls become awkward. “Patch operating systems” means less when the operating system is someone else’s cloud service. “Application control” was written for executables on a Windows desktop, not for OAuth apps connecting to your tenant. The guidance still has plenty to say, but the model underneath it assumes you control infrastructure you increasingly do not.
Two other pressures pushed the change along. The first is the threat environment. AI-enabled attacks are shortening the time between a vulnerability appearing and being exploited, and security agencies across the Five Eyes have been urging businesses to update their defences. A static checklist refreshed every few years struggles to keep pace. The second is compliance fatigue. Years of audits by the Australian National Audit Office found that even government agencies obliged to reach the Essential Eight were falling short, with several departments rated only “partly effective” against controls they were mandated to meet. When the people forced to comply still cannot, the framework itself deserves a look.
The timeline: what happens between now and 2028
Nothing about your obligations changes this week. The Essential Eight remains the live, recommended baseline today, and ASD has been clear it will stay that way during the transition. Here is the sequence ASD has described.
- Now to 12 July 2026: consultation on the first chapter, Essentials for enterprise IT, is open through the ACSC Partner Portal. Both the Essential Eight and the draft Essentials guidance are live.
- The next 12 months: ASD publishes the finalised enterprise IT chapter and begins work on the operational technology and cloud chapters. The Essential Eight stays active and continues to be referenced in contracts and audits.
- Around 12 months in: ASD expects to start deprecating the Essential Eight, meaning it signals the older guidance is on the way out while the Essentials chapters become the primary reference.
- Around 24 months in: ASD expects to retire the Essential Eight as a whole, leaving Essentials as the standing framework.
For planning purposes, treat this as a two-year migration that you do not have to rush, but should not ignore either. The businesses that handle it well will be the ones that keep improving their actual security posture through the changeover, rather than freezing because the goalposts are moving. If your organisation references the Essential Eight in tender responses, grant applications, cyber insurance forms or client security questionnaires, you will want a plan for how you describe your posture once the language starts to shift.
What this means for your business
The practical impact depends on your sector and how far down the Essential Eight road you already are. Below is how we read it for the kinds of organisations we work with across Sydney, Brisbane, Melbourne and Central West New South Wales.
Professional services firms
Accountants, law firms, engineering consultancies and advisory businesses tend to hold concentrated, sensitive client data and to face client-driven security questionnaires. If you have been asked “do you meet the Essential Eight?” in a tender or by an enterprise client, expect the wording of that question to start changing over the next year. The good news is that the underlying expectations (multi-factor authentication, controlled admin access, current patching and tested backups) are not going anywhere. Keep your evidence current and be ready to map it to the Essentials language when clients adopt it.
Hospitality groups
Venues, hotels and multi-site hospitality operators run a sprawl of point-of-sale systems, booking platforms, payment terminals and guest Wi-Fi, much of it cloud-connected and managed by third parties. This is exactly the shared-responsibility, SaaS-heavy environment the old Essential Eight handled poorly. The forthcoming cloud chapter should give clearer guidance on what you are responsible for versus what your platform vendor covers, which is a real gap today. In the meantime, the basics still apply: MFA on every admin and email account, supplier security you can actually verify, and segregated networks so a compromised booking kiosk cannot reach your back office.
Not-for-profits and charities
For NFPs, cyber resilience often collides with tight budgets and volunteer-run boards. The shift towards outcomes and prioritisation is genuinely helpful here, because the prescriptive Essential Eight asked smaller organisations to implement enterprise-grade controls they could not staff. A threat-informed approach lets you spend your limited dollars where they reduce the most risk. If your organisation handles donor data, health information or works with vulnerable people, those are your crown jewels, and protecting them should drive your spending. Our guide to the Essential Eight for not-for-profits still holds up as a starting point, and the work you do now carries straight into Essentials.
Financial services and wealth firms
Financial advice practices, accounting and wealth firms sit under multiple overlapping expectations: the Essential Eight, their licensee’s requirements, and for some, APRA-aligned obligations flowing down from larger institutions. These firms have the most to gain from a framework that maps cleanly to cloud and software-as-a-service, because that is where their advice software, CRM and document storage already live. What we see when financial services firms let us in is that the gap is rarely awareness but consistency: MFA enabled on most accounts but not all, admin rights handed out years ago and never reviewed, backups running but never tested. Essentials will reward firms that close those gaps, not the ones with the longest policy document.
The moved goalposts problem, and why it mattered
One of the most honest admissions in ASD’s announcement concerns a complaint organisations have made for years: the Essential Eight maturity requirements kept shifting underneath them. A business could hold its security steady, or even improve it, and still find itself rated lower at the next assessment because ASD had quietly raised the bar within a maturity level.
Horlyck confirmed the phenomenon is real. It happened because ASD absorbed new attacker tradecraft into the existing maturity levels rather than having a structure flexible enough to handle evolving controls separately. The result was the appearance of organisations going backwards on cyber security, without any actual deterioration in their posture. For boards and owners trying to show progress to insurers, clients or auditors, that was maddening and demoralising.
Essentials is designed to fix this by decoupling threat-informed controls from a fixed maturity ladder. In plain terms, the guidance can be updated to reflect new threats without making your last assessment look like a failure. For any organisation that has been frustrated by a maturity score that fell despite genuine effort, this is one of the more meaningful improvements in the whole change, and a reason to engage with it rather than resent it.
The framework also leans on ASD’s Modern Defensible Architecture work, which puts the emphasis on defence in depth and protecting your most important systems and data, the crown jewels, rather than maintaining a thin perimeter around everything equally. That is a sensible reframing for businesses that cannot protect every asset to the same standard and need to make deliberate choices about where to concentrate effort.
What we actually see in Australian client environments
We manage IT and security for organisations across very different settings, from professional services firms around Brookvale and the wider Northern Beaches, to councils, clinics and not-for-profits across Central West NSW in Orange, Bathurst and Dubbo, to hospitality and mid-market businesses in Brisbane and Melbourne. That spread gives us a fairly clear picture of where the Essential Eight has worked in the real world and where it has not, and it shapes how we read this change.
A few patterns stand out. First, the controls businesses adopt easily are multi-factor authentication and backups, because the value is obvious and the tooling is built into platforms most firms already pay for. The controls that consistently lag are application control and restricting administrative privileges. Application control in particular was written for a Windows desktop fleet and is genuinely hard for a small business to run without dedicated effort, which is one reason a more flexible, outcomes-based approach is welcome.
Second, most small and mid-sized organisations we assess sit somewhere around Maturity Level One on paper and assume that is “enough.” It often is not, particularly for firms handling client money or sensitive personal data, where Maturity Level Two has effectively become the practical expectation in tenders and insurance forms. The Essentials shift to prioritisation gives us a better way to have that conversation, because we can point to the specific threats a business faces rather than arguing about a number.
Third, and this is our considered opinion rather than ASD’s position: a principles-based framework is better for SMBs, but only if someone translates it. The risk of moving away from a prescriptive checklist is that “use your judgement about outcomes” becomes an excuse to do nothing, or to buy a product that ticks a marketing box without reducing real risk. The Essential Eight’s great strength was that it was concrete enough for a non-specialist to act on. Essentials will need an experienced hand to turn intent into a configured, tested control. For most owner-managed businesses that is the difference between a framework on paper and protection in practice. If you want the plain-English version of the fundamentals while the guidance settles, our note on cyber security essentials for business owners is a good place to start.
Your action checklist and control-by-control table
Here is what we are advising clients to do during the transition. None of it is wasted effort, because every item carries forward into Essentials.
- Keep going. Do not pause any Essential Eight work in progress. The framework is live today and your investment carries forward.
- Get an honest baseline. Have your current posture assessed against the Essential Eight now, so you have a clear before-picture as the language changes.
- Fix the two laggards. Prioritise application control and a review of who holds administrative privileges, as these are the controls most organisations are weakest on.
- Test your backups. A backup you have never restored from is a guess, not a control. Run a real restore.
- Map your cloud responsibilities. List your major SaaS platforms and note who is responsible for what. The Essentials cloud chapter will build on exactly this.
- Move towards phishing-resistant MFA. Where you can, shift high-risk accounts from SMS codes to app-based or hardware-backed authentication.
- Update your evidence pack. Keep tender, insurance and client-questionnaire answers current, and flag internally that the framework name will change.
- Decide if you will respond to the consultation. If the Essential Eight features in your contracts, your view is worth submitting before 12 July 2026.
The table below shows how each of the eight current controls maps into the new world. The short version: every one of them still matters.
| Essential Eight control | Still matters under Essentials? | What to do now |
|---|---|---|
| Application control | Yes, reframed for modern environments | Start with high-risk devices; expect outcome-based guidance rather than a strict whitelist |
| Patch applications | Yes | Automate where possible; shorten your patch window for internet-facing software |
| Configure Microsoft Office macro settings | Yes | Block macros from the internet by default; allow only what the business genuinely needs |
| User application hardening | Yes | Disable unneeded browser and Office features; this extends naturally to SaaS settings |
| Restrict administrative privileges | Yes, and arguably more important | Review every admin account; remove standing access; log and alert on privileged use |
| Patch operating systems | Yes | Keep current; in cloud, confirm which patching is yours versus the provider’s |
| Multi-factor authentication | Yes, with a push to stronger factors | Cover every account; move high-risk users to phishing-resistant MFA |
| Regular backups | Yes | Test restores; keep an offline or immutable copy; check your SaaS data is actually backed up |
Should you respond to the consultation?
Consultation on the first chapter, Essentials for enterprise IT, closes on 12 July 2026 and runs through the ACSC Partner Portal. Most small businesses will not submit feedback directly, and that is fine. But if the Essential Eight is written into your contracts, your grant conditions, your cyber insurance, or the security questionnaires you send to suppliers, your perspective carries weight, and ASD has said community feedback will shape how the series develops.
Sectors that lived the prescriptive version hardest, including government suppliers, healthcare, financial services and managed service providers like us, are exactly the audience ASD wants to hear from. If you would like your real-world experience represented but do not have the time or the portal access to do it yourself, this is one of the things an MSP can carry on your behalf. We deal with the practical edges of these controls every day and we intend to engage with the consultation. Patching discipline, in particular, is a place where the gap between guidance and reality keeps biting; we wrote about that when the US cut patch deadlines to 72 hours, and the same tension will run through Essentials.
Frequently asked questions
Is the Essential Eight gone now?
No. The Essential Eight is still the live, recommended cyber security baseline in Australia. ASD expects to begin deprecating it at around 12 months and retire it in full at around 24 months, so you have a transition period of roughly two years, not an immediate cut-off.
Was our investment in the Essential Eight wasted?
No. ASD has stated that the investment you have made under the Essential Eight will still be relevant under Essentials. Controls like multi-factor authentication, patching, restricting admin rights and tested backups all carry forward, so the work you have already done continues to count.
What is replacing the Essential Eight?
A broader framework called Essentials. The current guidance becomes the first chapter, Essentials for enterprise IT, with further chapters confirmed for operational technology and cloud, and a possible chapter on agentic AI. The approach shifts from a fixed checklist of eight controls towards prioritised, threat-informed outcomes that suit cloud and software-as-a-service environments.
Do we need to change anything this month?
Not because of this announcement. Keep running your current Essential Eight program, and use the transition as a prompt to get an honest assessment, close the controls you are weakest on, and map who is responsible for security across your cloud platforms. Those steps improve your posture today and line you up for Essentials.
When does the consultation close?
Consultation on the first chapter, Essentials for enterprise IT, closes on 12 July 2026 through the ACSC Partner Portal. If the Essential Eight features in your contracts, insurance or client questionnaires, your feedback is worth submitting, and an MSP can do this on your behalf.
Where to from here
The retirement of the Essential Eight is good news wrapped in an unsettling headline. The framework that has guided Australian cyber security for nearly a decade is being rebuilt for the way businesses actually operate now, with cloud, SaaS and AI at the centre rather than bolted on the side. The transition is gradual, your existing work counts, and the new direction towards prioritisation and outcomes suits smaller organisations better than the one-size-fits-all checklist ever did.
The businesses that come through this well will be the ones that keep improving during the changeover and have someone in their corner translating principles into configured, tested controls. If you would like a clear read on where your organisation stands today against the Essential Eight, and a plan to carry that straight into Essentials, the team at All IT Services can help. Call us on 1300 425 548 or get in touch through our contact page for a straightforward conversation about your cyber posture.
