Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Dark navy graphic with a shield and eight fading dots, titled The ASD Is Retiring the Essential Eight

Author: Dan Briggs  |  Published: 16 July 2026  |  Reading time: 16 minutes

Executive summary

On 24 June 2026, the Australian Signals Directorate confirmed it will retire the Essential Eight and replace it with a broader framework called the Essentials series. Chris Horlyck, head of cyber security resilience at ASD’s Australian Cyber Security Centre, told iTnews that ASD expects to begin deprecating the Essential Eight at around the 12-month mark and to retire it entirely at around 24 months. Consultation on the first chapter, Essentials for Enterprise IT, ran through the ACSC Partner Portal and closed on 12 July 2026.

The Essential Eight was first published in 2017, built on ASD’s Top Four mandatory controls from 2012. It was designed for on-premises Windows networks at a point when cloud was a fringe consideration. Nearly a decade later, the average Australian small business runs Microsoft 365, a couple of SaaS platforms and a handful of laptops that never touch a domain controller. ASD’s own assessment is blunt: the controls do not translate cleanly to shared-responsibility models or SaaS environments.

For most Australian SMBs and mid-market organisations, this is good news dressed up as disruption. Nothing you have already bought becomes worthless. ASD has said explicitly that investment made under the Essential Eight remains relevant under the Essentials. What changes is the shape of the conversation: from “have you implemented these eight specific controls at maturity level two” to “can you demonstrate the security outcomes these controls were always meant to produce”. If your environment is cloud-first, that shift almost certainly works in your favour, because several Essential Eight controls have been scoring you badly for architecture decisions that were sensible in the first place.

The risk in the next 12 months is not technical. It is commercial. Essential Eight maturity levels are baked into tender questionnaires, cyber insurance proposal forms, supplier assurance packs and board reporting across the country, and none of those documents are going to update themselves the day ASD publishes a new chapter. There will be a period — roughly the next two years — where your insurer asks about maturity level two, your largest client asks about the Essentials, and your auditor asks about both.

This paper sets out what ASD announced, what it means for cost and compliance, what we are seeing in Australian client environments right now, and a practical 12-month plan for getting through the transition without wasting money or failing a tender.

What ASD actually announced

The announcement arrived quietly, in a video from ACSC head Stephanie Crowe and a consultation notice on the ASD Cyber Security Partnership Program portal, rather than a press conference. That is part of why it has not landed with most business owners yet.

The substance: ASD and the ACSC are introducing a new Essentials series. Rather than one list of eight controls applied to everything, the series splits security into domains and treats each on its own terms. Three chapters are planned to start — enterprise IT first, then operational technology, then cloud — with ASD flagging agentic AI as a likely future chapter.

Speaking to iTnews on 24 June 2026, Chris Horlyck described the transition in plain terms: “We anticipate that there will be a transition period where we will keep the Essential Eight a live document and the Essentials a live document. Then we will look to, probably in 12 months, start to deprecate the Essential Eight, and then in 24 months we’ll retire the Essential Eight as a whole.”

ASD technical expert Jayden Cooke described the new framework as built on four core principles: flexibility, threat-informed insights, prioritisation and risk management, and compatibility and future focus. The framework adopts principle-based guidance aimed at security outcomes rather than a fixed list of prescriptive technical controls drawn solely from the Information Security Manual.

Two statements from ASD matter more than anything else for a business owner reading this:

  • Your existing work is not wasted. Horlyck: “The investment you’ve made under the Essential Eight will still be relevant under the Essentials.” Crowe made the same point, noting the framework is “cost-conscious” and that organisations currently using the Essential Eight “will find many of their current tools and platforms naturally map into the new framework”.
  • The maturity ladder is being rethought. ASD acknowledged a complaint that has run for years — that maturity level requirements have shifted under organisations’ feet, making businesses look like they were going backwards on security when nothing about their actual posture had changed. Horlyck confirmed the phenomenon was real, attributing it to ASD absorbing new threat tradecraft into existing maturity levels. The Essentials series is designed to fix it by decoupling threat-informed controls from a fixed maturity ladder.

That second point is the one we would put in front of a board. If you have ever had to explain to directors why your Essential Eight score dropped despite spending more money on security, ASD has now effectively conceded the scoreboard was the problem.

Why the Essential Eight is being retired

The Essential Eight was excellent guidance for the environment it was written for. Its lineage runs back to ASD’s Top Four in 2012 — application control, patching applications, patching operating systems, restricting administrative privileges. At the time, the average Australian organisation had a server room, a domain, a fleet of Windows desktops and a perimeter firewall. Four controls, correctly applied, stopped the overwhelming majority of intrusions.

Horlyck put the structural problem simply: “Essential Eight started before cloud was really a big thing in the sector. Now, if you don’t have cloud, that would be a really surprising architecture to have.”

Three specific fractures have opened up.

Shared responsibility breaks the control model

When your email lives in Exchange Online, “patch operating systems” is not a thing you do — it is a thing Microsoft does, and your obligation is to configure, monitor and control identity instead. The Essential Eight has no clean way to express that. Businesses end up either claiming credit for a control they do not operate, or being marked down for a control that does not apply to them. Neither reflects reality.

The controls skew towards on-premises Windows

Application control and Microsoft Office macro hardening are two of the eight. They are meaningful controls, and they are also the two that a 25-person accounting practice running Microsoft 365 Business Premium on laptops finds hardest to implement and least useful relative to effort. Meanwhile, the things that actually break these businesses — token theft, business email compromise, an unmanaged personal device with a saved password, a third-party SaaS breach — are represented thinly or not at all.

The maturity ladder moved

Because ASD folded new adversary tradecraft into existing maturity levels, an organisation could hold its posture perfectly steady and still report a lower maturity level year on year. Twelve months of good work, and the graph goes down. That is a governance problem as much as a security one, and it corroded trust in the number.

The replacement leans heavily on ASD’s Modern Defensible Architecture publication, first released in February 2025, which champions zero trust and secure-by-design as core approaches: never trust, always verify; assume breach; verify explicitly. The emphasis moves to defence in depth and protecting the crown jewels rather than maintaining a thin perimeter around the IT environment.

If you want the short version: the Essential Eight assumed you had a castle. The Essentials assumes you have staff, data and applications scattered across the internet, which is what you actually have.

The timeline, and what it means for your budget

Here are the dates that are confirmed as at July 2026, and what remains open.

When What happens What it means for you
2012 ASD publishes the Top Four mandatory controls Historical context — the lineage of the current model
2017 Essential Eight first published The framework most tenders and insurers still reference
February 2025 ACSC publishes Foundations for Modern Defensible Architecture The design thinking behind the Essentials series
24 June 2026 ASD confirms Essential Eight retirement and opens consultation on Essentials for Enterprise IT The clock starts. No action required yet
12 July 2026 Consultation on Essentials for Enterprise IT closes Industry feedback is in. Expect a published chapter in coming months
Approx. mid-2027 (12 months) ASD expects to begin deprecating the Essential Eight Start referencing the Essentials in new tender responses and board packs
Approx. mid-2028 (24 months) ASD expects to retire the Essential Eight entirely Essential Eight language should be gone from your contracts and reporting
Not yet announced Operational technology and cloud chapters; possible agentic AI chapter Relevant if you run plant, machinery, EFTPOS estates or AI agents

The practical read: you have roughly a financial year of genuine transition, and the second year is cleanup. If you are on a 1 July to 30 June budget cycle, the Essentials work belongs in FY27-28 planning, not in an emergency variation this quarter.

One caveat worth stating plainly, because we have already seen it misquoted: the 12- and 24-month markers are ASD’s expectations, not gazetted deadlines. Horlyck’s own phrasing was “probably in 12 months”. Treat them as planning assumptions and re-check when the first chapter is formally published.

What the Essentials series looks like

The full text of Essentials for Enterprise IT was in consultation until 12 July 2026, so nobody should be selling you a compliance product against it yet. What ASD has described publicly gives a clear enough shape.

Principle-based, not prescriptive

Cooke: “The framework adopts principle-based guidance to achieve cyber security outcomes. It also helps you make the most of what you already have while allowing modern and emerging technologies to be applied as your environments are upgraded.”

In practice, this means the question changes from “are you running an application control allowlist” to “can you demonstrate that untrusted code cannot execute on your endpoints, and show us how”. A business using Microsoft Defender Application Control gets there one way. A business using a properly configured Intune-managed fleet with a modern EDR gets there another way. Under the Essential Eight, one of those answers scored better than the other regardless of the actual outcome.

Domains rather than one list

Enterprise IT, operational technology and cloud are being treated as distinct chapters, because the controls that make sense in each are genuinely different. Horlyck noted that cloud in particular now offers controls that simply do not exist on-premises, and that separating it out lets ASD give organisations clearer guidance on what shared responsibility with a cloud provider actually looks like in practice.

For a hospitality group, that split matters more than it sounds. Your point-of-sale, your gaming systems, your access control and your kitchen display systems are closer to operational technology than to enterprise IT, and they have been badly served by a framework that assumed everything was a Windows laptop.

Threat-informed, and decoupled from a fixed ladder

ASD says the framework is built on its own insights from uplift activities and incident response work, and is designed to evolve — introducing new guidance in response to changes in the threat environment without requiring a redesign of the model or creating regulatory impacts. The maturity ladder problem gets addressed by separating threat-informed controls from the level structure, so new tradecraft can be absorbed without silently moving everyone’s score.

Still tied to the ISM, but not exclusively

Guidance stays closely linked to the Information Security Manual for consistency with government entities, while moving away from relying only on prescriptive technical controls drawn solely from the ISM. If you already run ISO 27001, SOC 2, NIST CSF or the CIS Controls, the new model should map more comfortably than the Essential Eight ever did.

What this costs you — and what it doesn’t

The first question every business owner asks when a framework changes is whether it is going to cost money. Three honest answers.

Your tooling spend is largely safe. ASD has been unusually explicit here, and Crowe’s “cost-conscious” framing is deliberate. Endpoint protection, MFA, patch management, privileged access management, backup — all of it maps forward. If a vendor tells you your stack is now obsolete under the Essentials, that is a sales pitch, not a fact.

Your documentation spend is real but small. Whatever you have written that says “Essential Eight maturity level 2” — supplier questionnaires, your ISMS, board reporting, your insurance renewal pack, the security page on your website — will need rewording over the next 18 months. For a typical 30 to 80 seat professional services firm, that is a few hours of work, not a project.

Your assessment spend may go up briefly. The uncomfortable bit. During the overlap period, some organisations will need to answer against both frameworks — Essential Eight for the insurer and the existing contract, Essentials for the new tender. Budget for one extra assessment cycle somewhere in FY27-28, and push back on anyone selling you two full uplift programmes.

Set that against what a security failure actually costs. ASD’s Annual Cyber Threat Report 2024–25, published October 2025, put the average self-reported cost of cybercrime for a small business at $56,600, up 14 per cent year on year, and for a medium-sized business at $97,200, up 55 per cent. ASD received over 84,700 cybercrime reports in that year — one report every six minutes. As we covered when the latest figures landed, ransomware hit one in three Australian organisations last year, and a quarter of staff would not report their own mistake. The framework changing is not the expensive event here.

Tenders, insurance and contracts: the awkward middle

This is where the transition will actually bite, and it is the part most of the coverage has skipped.

Essential Eight maturity levels have escaped the security team. They now live in:

  • Government and enterprise tender questionnaires. Many ask for a stated maturity level, sometimes with a target level attached as a condition of contract.
  • Cyber insurance proposal forms. Insurers have standardised on it as shorthand for “does this business have its act together”.
  • Supplier assurance packs. If you sell into a bank, a health service, a university or a critical infrastructure operator, someone sends you a spreadsheet annually.
  • Existing contracts. Some have Essential Eight maturity written into the schedules with review dates attached.
  • Board and audit committee reporting. Where the maturity score is often the only security number a director sees.

None of those instruments change when ASD publishes a chapter. Insurers move on their own renewal cycles. Procurement templates get updated when somebody remembers. Contracts change when they are renegotiated. Realistically, you will be answering Essential Eight questions well into 2028, possibly beyond, even after ASD has retired the framework.

Our advice on how to handle it in the meantime:

  • Do not stop your Essential Eight work mid-flight. If you are three-quarters through an uplift, finish it. The controls map forward, and the tender you are chasing next quarter will still ask about them.
  • Do not start a fresh, expensive, from-scratch Essential Eight maturity programme this quarter unless a contract requires it. If you are at the beginning, aim at the outcomes and describe them in both vocabularies.
  • Answer questionnaires in both languages. A workable form of words: “We maintain Essential Eight maturity level 2 across [scope]. We are tracking ASD’s Essentials series, with the Enterprise IT chapter having completed consultation on 12 July 2026, and will report against it once published.” That answers the question asked while showing procurement you are ahead of it. We have started using this phrasing in client tender responses already, and it has not drawn a single follow-up query.
  • Flag it at your next insurance renewal. Ask your broker directly how the insurer will treat the Essentials. Better to know now than at claim time.
  • Check your contract schedules. If a contract names “Essential Eight maturity level 2 as published by ASD”, and ASD retires the publication, you have an ambiguity worth resolving at the next variation rather than in a dispute.

What we’re seeing in Australian client environments

We manage IT for a lot of Australian SMBs — professional services firms, hospitality groups, not-for-profits — across Sydney, Brisbane, Melbourne and Central West NSW. A few patterns from that work are worth putting on the record, because they explain why we think this change lands well for businesses of this size.

Application control and macro hardening are where SMB Essential Eight scores go to die. Across the assessments we run, the same two controls account for most of the gap between where a client sits and where they would like to sit. Not because those clients are careless — because a 40-person firm on modern, cloud-managed laptops has no realistic path to a maintained application allowlist without hiring someone to maintain it. They spend the money, the allowlist rots within a year, and the score they bought does not reflect a safer business. An outcomes-based framework lets that same firm demonstrate the same protection through device management, EDR and identity controls it already pays for. That is not a loophole. It is the framework finally describing how these businesses actually run.

The controls that stop real incidents are not always the ones being scored. When we get called into an incident at an Australian SMB, the entry point is overwhelmingly identity — a phished session token, a mailbox rule quietly forwarding invoices, a login from an unmanaged device. The Essential Eight covers MFA, and ASD strongly advises it, but the framework’s centre of gravity sits on the endpoint. The threat’s centre of gravity moved to identity years ago. A framework built around outcomes and modern defensible architecture — assume breach, verify explicitly — is a better description of the fight we are actually in.

Nobody’s board understands the maturity level anyway. This is a slightly uncomfortable opinion, but it is ours: the maturity level has been a bad governance instrument for years. It is a number that goes down when ASD updates its threat modelling and up when you buy a product, and it tells a director almost nothing about whether the business survives Tuesday. We would rather report to a board on four questions — can we detect an intrusion, can we restore from backup, can an attacker use a stolen password, and do we know where our sensitive data is — than defend a score. The Essentials series looks like it will make that reporting easier, not harder.

The framework change is not your biggest risk this year. For most of our clients, the operationally significant deadlines in the next six months are elsewhere: Microsoft switching off basic auth for email in December, the automated decision-making transparency obligation landing on 10 December 2026, and the mandatory ransomware payment reporting regime moving into active enforcement. The Essentials transition is a two-year planning item. Sequence it accordingly.

A Central West and Northern Beaches view

Two of our markets feel this differently, and it is worth being specific rather than generic about geography.

Central West NSW — Orange, Bathurst and Dubbo

A large share of the businesses we support out west sell into government in some form: contractors and consultancies working with councils, NSW agencies with regional offices, health and education, agricultural bodies, Local Land Services. Government-adjacent procurement is exactly where Essential Eight maturity requirements are most deeply embedded, and it is also where the requirement is most likely to be applied by a procurement officer working from a template rather than a security specialist.

That produces a specific transition risk for regional firms: over the next 18 months you may face a tender that names a framework ASD has begun deprecating, evaluated by someone who has not read the announcement. Arguing that the Essential Eight is on its way out will not win you the tender. Answering the question as asked, then adding a sentence showing you are tracking the Essentials, will. Regional businesses are also more likely to be running genuinely hybrid environments — an on-premises server that has not been retired because the internet connection was never good enough to trust — which means the Essential Eight controls are still doing real work in those environments and should not be dismantled early.

Sydney’s Northern Beaches and wider Sydney

The Brookvale and Northern Beaches business base skews the other way: small professional services firms, agencies, allied health and hospitality, mostly cloud-first, often with no server at all. These are the businesses that have been quietly penalised by the Essential Eight for years, scoring poorly on on-premises controls they had the good sense not to need. They stand to benefit most from an outcomes-based framework, and they are the least likely to hear about it, because nobody sends a 15-person practice a memo from the Australian Signals Directorate.

If that is your business, the action is smaller than you fear. Do not buy anything. Make sure your identity controls, device management and backup are genuinely in place and genuinely tested, and you will be able to answer the Essentials chapter when it lands. Our plain-English explanation of the Essential Eight is still the right starting point for understanding what the controls are protecting against — the underlying threats have not changed, only the scoreboard.

Your 12-month action plan

Nothing here is urgent this week. All of it should be done before the Essential Eight begins deprecating around mid-2027.

Timing Action Owner Effort
This month Confirm whether any current contract, tender or insurance policy names Essential Eight maturity as a condition Business owner / contracts 1–2 hours
This month Stop any new from-scratch Essential Eight uplift that is not contractually required; finish anything already underway IT provider Decision only
This quarter Update your standard tender and questionnaire response to reference both frameworks Bid / marketing 1 hour
This quarter Test a restore from backup end to end, not just confirm the backup ran IT provider Half a day
This quarter Verify MFA is enforced on every account, including service accounts, shared mailboxes and admins IT provider Half a day
Next 6 months Document what you actually run against outcomes, not control names — what stops untrusted code, what stops a stolen password, what detects an intrusion IT provider 1 day
Next 6 months Ask your insurance broker in writing how the insurer will treat the Essentials series at renewal Business owner 15 minutes
At publication of Essentials for Enterprise IT Run a gap review against the published chapter IT provider 1–2 days
FY27–28 budget Allow for one assessment cycle covering both frameworks Finance Budget line
Before mid-2028 Remove Essential Eight language from contracts, ISMS and board reporting Business owner A few hours

The five-minute board checklist

If you have one agenda slot and no appetite for a framework discussion, these are the questions worth asking instead.

  1. If someone steals a staff member’s password today, what stops them getting in?
  2. When did we last restore real data from a backup, and how long did it take?
  3. Who would notice an intrusion, how, and how quickly?
  4. Which contracts or insurance policies name a security framework by name, and what do they say?
  5. Are we mid-way through any security programme that is now at risk of being wasted?

Four mistakes to avoid

Ripping out controls early. The Essential Eight remains live guidance and ASD has said the investment carries forward. Application control, patching discipline and privileged access restriction stop real attacks regardless of which document describes them. Turning things off because a framework is being retired would be a genuinely bad outcome from a good announcement.

Buying an “Essentials-ready” product. The first chapter completed consultation on 12 July 2026 and has not been finalised. Any vendor claiming certified compliance with a framework that is not published yet is ahead of ASD, which should tell you something.

Treating ASD’s timeline as a legislated deadline. Twelve and 24 months are expectations expressed in an interview, not dates in an instrument. Plan around them; do not build a compliance calendar on them.

Assuming this replaces your other obligations. The Essentials series is guidance, not law. It does not touch your Privacy Act obligations, the mandatory ransomware payment reporting regime under the Cyber Security Act 2024, APRA CPS 230 if you are regulated, or your contractual commitments. Those run on their own clocks — see our note on what CPS 230 means for financial firms and their suppliers if you sell into that sector.

Frequently asked questions

Is the Essential Eight dead right now?

No. As at July 2026 the Essential Eight is still live, current ASD guidance. ASD expects to begin deprecating it around 12 months from its 24 June 2026 announcement and to retire it entirely at around 24 months. Until then it remains the framework most tenders, insurers and contracts reference, and you should keep meeting it.

Do we have to redo our Essential Eight work?

No. ASD has stated that the investment made under the Essential Eight will still be relevant under the Essentials, and that organisations using the Essential Eight will find many of their current tools and platforms naturally map into the new framework. Finish what you have started. The documentation wording will change; the controls largely will not.

What happens if a tender asks for Essential Eight maturity level 2 next year?

Answer it. State your maturity level against the current framework, then add a short line noting that you are tracking ASD’s Essentials series and will report against it once the Enterprise IT chapter is published. Procurement templates will lag the announcement by a year or more, and refusing to answer the question as asked will cost you the bid.

We’re a small cloud-only business. Does any of this help us?

Probably more than it helps anyone else. Several Essential Eight controls assume on-premises Windows infrastructure, which is why cloud-first small businesses have historically scored poorly on controls they had good reason not to implement. A principle-based framework that asks whether you achieve the security outcome, rather than whether you run a specific control, should let you demonstrate protection using the Microsoft 365, Intune and Defender tooling you already pay for.

When will the Essentials chapters actually be published?

ASD has not committed to publication dates. Consultation on the first chapter, Essentials for Enterprise IT, closed on 12 July 2026 via the ASD Cyber Security Partnership Program portal. Chapters covering operational technology and cloud are planned to follow, with agentic AI flagged as a possible future chapter. We would expect the enterprise IT chapter within months rather than years, but that is our read, not an ASD commitment.

Talk to All IT Services

If you are unsure whether to keep spending on Essential Eight maturity, whether your tender responses need rewording, or whether your security actually holds up regardless of which framework is describing it, we are happy to have that conversation without a proposal attached.

All IT Services supports businesses across Sydney, the Northern Beaches, Brisbane, Melbourne and Central West NSW. Call 1300 425 548 or get in touch here.

Sources: iTnews, 24 June 2026; techpartner.news, 23 June 2026; ASD Annual Cyber Threat Report 2024–25; ASD Essential Eight; ASD Modern Defensible Architecture.