Key Takeaways: Essential Eight Maturity Model
  • The Essential Eight Maturity Model was last updated in November 2023. Organisations relying on pre-2024 assessments are now operating against an outdated baseline.
  • PSPF Policy 14 mandates Maturity Level 2 for all non-corporate Commonwealth entities, and government suppliers are increasingly expected to match this standard.
  • Despite the mandate, only 22% of Australian entities achieved Maturity Level 2 in 2025, up from 15% in 2024 but still below the 25% recorded before the November 2023 tightening.
  • Critical vulnerabilities must now be patched within 48 hours, and phishing-resistant MFA is now required at Maturity Level 2, not just Level 3.
  • Use the 40-point checklist in this article to identify your current gaps and prioritise your remediation roadmap before your next assessment.

The Essential Eight Maturity Model is the ASD's definitive framework for measuring how well Australian organisations prevent, limit, and recover from cyber incidents. It has never demanded more than it does right now. The November 2023 update, the most significant revision in the framework's history, set a clear trajectory: higher baselines, faster patching windows, and an unambiguous shift toward phishing-resistant authentication. PSPF 2025, released July 2025, continues that hardening with new requirements for Zero Trust, AI security, and post-quantum cryptography preparedness.

Why the Essential Eight Maturity Model Matters More in 2026

The Essential Eight began as a prioritised list of mitigation strategies from the Australian Signals Directorate, representing the controls statistically most effective at stopping the intrusion methods ASD sees most frequently across Australian networks. Since its first publication in June 2017, the framework has evolved from a practitioner checklist into a regulatory cornerstone. Under PSPF Policy 14, Maturity Level 2 is now the mandated minimum for non-corporate Commonwealth entities. That mandate, combined with the Australian Cyber Security Strategy 2023 to 2030's ambition to make Australia one of the world's most cyber-secure nations, means the Essential Eight is increasingly the yardstick against which every organisation in the government supply chain is measured.

What makes the 2025 context particularly important is the gap between mandate and reality. The 2025 Commonwealth Cyber Security Posture Report, published by the ASD in February 2026, confirmed that only 22% of entities achieved Maturity Level 2 when compensating controls were considered. That figure represents an improvement on the 15% reported in 2024, but it remains below the 25% recorded in 2023, before the November 2023 update raised the bar. The lesson is clear: the framework is hardening faster than most organisations are moving.

⚠️ The 48-hour patch window is not aspirational: Since November 2023, organisations at every maturity level must patch, update, or mitigate critical vulnerabilities (those enabling authentication bypasses or remote code execution) within 48 hours of vendor disclosure. In every environment we assess, this single control is the most frequently missed at organisations that believed they were operating at Level 2.

The Four Maturity Levels Explained

The Essential Eight Maturity Model defines four levels for each of the eight strategies. Maturity Level 0 means an organisation has not met even the basic intent of a control, with exploitable gaps and a high likelihood of compromise from automated tooling. Level 1 is partly aligned: basic protections exist but coverage is inconsistent, not fully documented, or not enforced across all systems. Level 2, the critical threshold, is mostly aligned: controls are actively monitored and enforced, and are designed to resist adversaries willing to invest time and resources in a target. Level 3 is fully aligned, designed to withstand sophisticated, targeted attacks from well-resourced adversaries.

ASD guidance suggests that Maturity Level 1 may suit smaller organisations, Level 2 suits large enterprises, and Level 3 suits critical infrastructure providers and high-threat environments. In practice, we advise mid-market organisations with Microsoft 365 environments to target Level 2 as a baseline and layer supplementary controls (SIEM, EDR, and managed SOC coverage) to address the residual risk that even a fully compliant Essential Eight programme does not eliminate. The Essential Eight represents a minimum preventative baseline, not a complete security posture.

  • 22%: entities at ML2 in 2025
  • 48h: critical patch window
  • 8: core mitigation strategies
  • Nov '23: latest framework update

The Eight Strategies: What Each Control Demands

The framework groups its eight controls across three objectives: preventing attacks, limiting attack impact, and maintaining data availability. Understanding what each control actually requires, not just its label, is where most self-assessments go wrong.

  • Control 01, Application Control (Critical): prevent execution of unapproved applications.
  • Control 02, Patch Applications (Critical): 48h for critical, 2wk for high severity.
  • Control 03, Configure MS Office Macros (Highest Risk): block untrusted macros across all surfaces.
  • Control 04, User Application Hardening (Highest Risk): block ads, untrusted Java, and unnecessary web browser features.
  • Control 05, Restrict Admin Privileges (High): just-in-time, 12-month revalidation.
  • Control 06, Patch Operating Systems (Critical): no unsupported OS; 48h for critical.
  • Control 07, Multi-Factor Authentication (Critical): phishing-resistant required at ML2.
  • Control 08, Regular Backups (High): immutable, tested, criticality-prioritised.

What the November 2023 Update and PSPF 2025 Changed

Two developments have fundamentally shifted what compliance looks like. The November 2023 update was the most significant revision in the framework's history, and many organisations still have not fully absorbed its implications. PSPF 2025, released July 2025, did not revise the Essential Eight Maturity Model itself but extended compliance expectations by embedding Zero Trust, AI security, and post-quantum cryptography requirements into the broader policy framework.

On patching, ASD's analysis of real-world intrusion timelines drove the introduction of a 48-hour remediation window for critical vulnerabilities across all maturity levels. This applies specifically to vulnerabilities that enable authentication bypasses granting privileged access, or remote code execution without user interaction. The two-week window for other high-severity vulnerabilities in internet-facing applications remains, but the critical category has removed any operational flexibility organisations previously assumed they had.
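The two windows above are easy to state and easy to get wrong in a tracking spreadsheet, because the 48-hour category is defined by impact (authentication bypass granting privileged access, or remote code execution without user interaction), not by the vendor's severity label. The following PowerShell is an added example, not code from the article or from ASD: it classifies constructed vulnerability records, computes the deadline from vendor disclosure, and reports each record's status. The record fields, function names and every id and date are assumptions made for the illustration.

```powershell
# Added example (not from the article or from ASD): evaluate vulnerability records
# against the 48-hour and two-week patch windows. Field names, function names and
# all records below are constructed for illustration.

function Get-E8PatchWindow {
    param([pscustomobject]$Vuln)
    # "Critical" in the Essential Eight sense is defined by impact, not by the
    # vendor's label: an authentication bypass granting privileged access, or
    # remote code execution that needs no user interaction.
    $critical = $Vuln.AuthBypassPrivileged -or ($Vuln.RemoteCodeExecution -and -not $Vuln.RequiresUserInteraction)
    if ($critical) { return New-TimeSpan -Hours 48 }
    # Other high-severity vulnerabilities in internet-facing applications: two weeks.
    if ($Vuln.InternetFacing -and ($Vuln.VendorSeverity -in 'High', 'Critical')) { return New-TimeSpan -Days 14 }
    return $null   # outside the two windows discussed here; track under the standard cadence
}

function Test-E8PatchCompliance {
    param([pscustomobject[]]$Vulns, [datetime]$AsOf = (Get-Date))
    foreach ($v in $Vulns) {
        $window = Get-E8PatchWindow $v
        if ($null -eq $window) { continue }
        # The clock starts at vendor disclosure, not at internal triage.
        $deadline = $v.VendorDisclosed + $window
        if ($v.Remediated) {
            $status = if ($v.Remediated -le $deadline) { 'Compliant' } else { 'Late' }
        } elseif ($AsOf -le $deadline) {
            $status = 'Open (within window)'
        } else {
            $status = 'Overdue'
        }
        [pscustomobject]@{
            Id         = $v.Id
            Window     = $window.ToString()
            Deadline   = $deadline
            Remediated = $v.Remediated
            Status     = $status
        }
    }
}

# Constructed sample records: ids and dates are placeholders, not real advisories.
$sample = @(
    [pscustomobject]@{ Id = 'EXAMPLE-001'; VendorSeverity = 'Critical'; AuthBypassPrivileged = $false; RemoteCodeExecution = $true;  RequiresUserInteraction = $false; InternetFacing = $true;  VendorDisclosed = [datetime]'2026-03-02 09:00'; Remediated = [datetime]'2026-03-03 17:00' }
    [pscustomobject]@{ Id = 'EXAMPLE-002'; VendorSeverity = 'Critical'; AuthBypassPrivileged = $true;  RemoteCodeExecution = $false; RequiresUserInteraction = $false; InternetFacing = $true;  VendorDisclosed = [datetime]'2026-03-02 09:00'; Remediated = [datetime]'2026-03-06 10:00' }
    # RCE that needs user interaction is not "critical" in the Essential Eight sense: two-week window applies.
    [pscustomobject]@{ Id = 'EXAMPLE-003'; VendorSeverity = 'High';     AuthBypassPrivileged = $false; RemoteCodeExecution = $true;  RequiresUserInteraction = $true;  InternetFacing = $true;  VendorDisclosed = [datetime]'2026-03-01 09:00'; Remediated = $null }
    # Internal, medium severity: outside both windows, so it is skipped by the report.
    [pscustomobject]@{ Id = 'EXAMPLE-004'; VendorSeverity = 'Medium';   AuthBypassPrivileged = $false; RemoteCodeExecution = $false; RequiresUserInteraction = $true;  InternetFacing = $false; VendorDisclosed = [datetime]'2026-03-01 09:00'; Remediated = $null }
)

Test-E8PatchCompliance -Vulns $sample -AsOf ([datetime]'2026-03-10 09:00') | Format-Table -AutoSize
```

With the constructed data, EXAMPLE-001 is compliant (remediated inside 48 hours), EXAMPLE-002 is late (an authentication bypass closed four days after disclosure), and EXAMPLE-003 is still open but within its two-week window because the remote code execution needs user interaction. The point of the classification helper is that the vendor's "Critical" label alone does not decide which window applies; the impact fields do.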

On MFA, the update accelerated phishing-resistant requirements. Authenticator app push notifications, the standard for most Microsoft 365 deployments, are no longer sufficient at Maturity Level 2. FIDO2 security keys, smart cards, or Windows Hello for Business are now the required standard at Level 2 for internet-facing services. The requirement for phishing-resistant MFA at workstation logon also applies at Level 2 and Level 3. This is the single control change with the widest practical impact across the mid-market organisations we work with.

On privileged access, the November 2023 update introduced two new governance requirements that are consistently missed: privileged access to data repositories must be validated when first requested, and that access must be disabled after 12 months unless explicitly revalidated. These requirements extend the privileged access management discipline most organisations apply to administrative accounts into data-layer access, a gap in almost every environment we assess.

Phishing-resistant MFA at Level 2 is the control change that catches most organisations off-guard. The assumption that push notifications are sufficient has persisted well beyond the point where the framework retired that assumption.

Robert Kirtley, Cyber Security Director · Virtuelle Group

The Five Risks Organisations Consistently Underestimate

  1. Treating self-assessment as equivalent to independent assessment

     Self-assessments against the Essential Eight Maturity Model are subject to interpretation gaps, scope exclusions, and confirmation bias. ASD provides the Essential Eight Maturity Verification Tool (E8MVT) and Application Control Verification Tool (ACVT) to assist, but these are point-in-time tools, not ongoing assurance mechanisms. Organisations under contractual or regulatory obligations increasingly need independent assessors to validate their claimed maturity level.

  2. Scoping legacy systems out rather than managing them

     The Essential Eight is designed for internet-connected IT systems. Legacy systems that cannot support full implementation are a known challenge, but the ASD's guidance is unambiguous: upgrade legacy systems as a priority. Scoping them out of an assessment without compensating controls is not a defensible posture, particularly for entities subject to PSPF reporting.

  3. Achieving Level 2 in some strategies but not all

     An organisation's overall maturity level is determined by its lowest-performing strategy. Reaching Level 2 in application control while remaining at Level 1 in backup recovery means the organisation is at Level 1 overall. This is the most common trap in the mid-market, with investment concentrated in visible controls like MFA while logging, backup testing, and application hardening remain under-resourced.

  4. Not reporting incidents to ASD as required

     The November 2023 update added a mandatory requirement that cyber security incidents be reported to both the organisation's CISO and ASD. At Level 2 and above, organisations must also have enacted incident response plans in place, not just documented ones. In the environments we assess, incident response plans exist far more frequently than incident reporting workflows that actually route notifications to ASD.

  5. Assuming Microsoft 365 Copilot inherits existing Essential Eight posture automatically

     Microsoft's guidance confirms that Copilot for Microsoft 365 operates within existing Office application security contexts and inherits your Essential Eight controls. However, this inheritance is only as strong as the underlying controls. Organisations deploying Copilot without first validating their Maturity Level 2 posture are extending their attack surface into an AI layer without the baseline security controls in place to protect it.

Essential Eight Maturity Level 2: 40-Point Readiness Checklist

Use this checklist to perform a structured self-assessment against the Maturity Level 2 controls across all eight strategies. Any unchecked item represents a gap that must be remediated before you can claim Level 2 compliance. This checklist reflects the post-November 2023 framework requirements.

  • Application control is implemented on workstations to prevent execution of unapproved executables, software libraries, scripts, and installers.
  • Application control rulesets are validated and reviewed at least annually.
  • Microsoft's recommended application blocklist is implemented across the environment.
  • Application control events are logged to a centralised system and protected from unauthorised modification or deletion.
  • Internet-facing servers are monitored for signs of compromise using application control event data.
  • Critical vulnerabilities in internet-facing applications are patched, updated, or mitigated within 48 hours of vendor disclosure.
  • High-severity vulnerabilities in office productivity suites, browsers, email clients, PDF software, and security tools are patched within two weeks.
  • Applications that are no longer supported by vendors are removed or replaced.
  • Patching coverage extends to all endpoints, including remote and hybrid workers, not just office-connected devices.
  • Macros are blocked by default and can only execute if signed by a trusted publisher or originating from a trusted location.
  • Macro antivirus scanning is enabled and cannot be disabled by end users.
  • Users cannot change macro security settings without administrative approval.
  • Macro execution events are logged to a centralised system.
  • Web browsers are hardened using both ASD and vendor hardening guidance, applying the more stringent requirements where guidance conflicts.
  • Internet Explorer 11 is disabled or uninstalled across all devices.
  • Web advertising and untrusted Java content are blocked in browsers.
  • Office productivity suite hardening guidance from ASD and the vendor has been applied, with the stricter standard taking precedence.
  • PowerShell logging is enabled using the native PowerShell logging functionality, and command line process creation events are logged.
  • Privileged access requests to data repositories are validated at the point of first request.
  • Privileged access to data repositories is disabled after 12 months unless explicitly revalidated.
  • All privileged user accounts authorised to access the internet are strictly limited to what is required for their role.
  • Break-glass account credentials are long, unique, unpredictable, and securely managed.
  • Privileged access events are logged to a centralised, tamper-protected system.
  • Critical operating system vulnerabilities on internet-facing systems are patched or mitigated within 48 hours.
  • No unsupported operating systems exist in the environment, including end-of-life Windows Server versions.
  • Operating system patch status is actively monitored, with automated alerting on non-compliance.
  • Phishing-resistant MFA (FIDO2 security keys, smart cards, or Windows Hello for Business) is enforced for all users accessing internet-facing services.
  • Users authenticate to workstations using phishing-resistant MFA. Standard push notifications do not meet this requirement at ML2.
  • Phishing-resistant MFA is applied to all privileged actions including payment approvals, configuration changes, and data repository access.
  • MFA bypass mechanisms are documented, restricted, and subject to compensating controls.
  • Business-critical data is identified and prioritised for backup based on business criticality, Recovery Time Objective (RTO), and Recovery Point Objective (RPO).
  • Backups of important data, software, and configuration settings are performed and retained for at least three months.
  • Backup restoration is tested to verify the process works. Note: immutable backups and annual restoration testing are ML3 requirements; at ML2 the focus is on reliable, protected backup coverage.
  • Backup systems are protected so that privileged accounts cannot delete or modify other users' backups, a deliberate control against ransomware operators targeting backup infrastructure.
  • Cyber security incidents are reported to the organisation's CISO and to ASD as required, and the incident response plan is enacted, not merely documented, in response to incidents.
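Several of the checklist items above map to Windows policy settings that can be read directly from an endpoint, which is a quicker first pass than interviewing administrators. The PowerShell below is an added example, not code from the article, from ASD, or from the E8MVT: it checks the PowerShell logging, process creation command line, Office macro, and Internet Explorer 11 items against the Group Policy registry locations Windows and Office document for those settings. It assumes Office 2016 or later / Microsoft 365 Apps (the 16.0 policy hive) and a 64-bit Windows client for the IE11 feature name; the function names are the example's own.

```powershell
# Added example (not from the article, ASD or E8MVT): audit a Windows endpoint against
# several checklist items. Registry paths are the Group Policy-backed locations for
# each setting. Assumes Office 16.0 (2016+/Microsoft 365 Apps) and 64-bit Windows.
# Run as the end user for the HKCU (Office) checks; auditpol and the IE11 check need elevation.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which is itself a finding.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Item, [string]$Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Item = $Item; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Invoke-E8EndpointAudit {
    # Checklist item: PowerShell logging uses native functionality.
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-RegValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging'
    New-Finding 'PowerShell script block logging enabled' '1' $sbl ($sbl -eq 1)
    $mod = Get-RegValue "$psPolicy\ModuleLogging" 'EnableModuleLogging'
    New-Finding 'PowerShell module logging enabled' '1' $mod ($mod -eq 1)

    # Checklist item: command line process creation events are logged. Event 4688
    # only carries the command line when both the audit subcategory and the
    # "include command line" policy are on.
    $cmd = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
    New-Finding 'Process creation events include command line' '1' $cmd ($cmd -eq 1)
    $audit = (auditpol /get /subcategory:"Process Creation" 2>$null) -join ' '
    New-Finding 'Process Creation auditing enabled (Success)' 'Success' $audit ($audit -match 'Success')

    # Checklist items: macros blocked by default, only signed or trusted-location macros run.
    # VBAWarnings 3 = disable all except digitally signed; 4 = disable all without notification.
    # blockcontentexecutionfrominternet 1 = block macros in files with Mark-of-the-Web.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba = Get-RegValue $sec 'VBAWarnings'
        New-Finding "$app macros restricted to signed/trusted" '3 or 4' $vba ($vba -in 3, 4)
        $motw = Get-RegValue $sec 'blockcontentexecutionfrominternet'
        New-Finding "$app macros from the internet blocked" '1' $motw ($motw -eq 1)
    }

    # Checklist item: Internet Explorer 11 disabled or uninstalled. Needs elevation;
    # reported as a failed check with 'Unknown' when the query cannot run.
    try {
        $ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction Stop
        New-Finding 'Internet Explorer 11 disabled' 'Disabled' $ie.State ($ie.State -eq 'Disabled')
    } catch {
        New-Finding 'Internet Explorer 11 disabled' 'Disabled' 'Unknown (run elevated)' $false
    }
}

$results = Invoke-E8EndpointAudit
$results | Format-Table -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object Pass).Count, $results.Count
```

A missing registry value is reported as a failure rather than skipped, because "not configured" means the default applies and the default does not meet the item. The Office checks read HKCU, so they describe the user the script runs as; for a fleet view, run the script through your endpoint management tool in the user context and collect the results centrally, alongside the event forwarding that the logging items themselves require.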
🧩 Microsoft 365 and Essential Eight: Microsoft Purview Compliance Manager includes premium Essential Eight templates at all three maturity levels, enabling continuous monitoring and configuration drift detection across your Microsoft 365 environment. For organisations deploying Microsoft Copilot, Purview's controls are the recommended mechanism for maintaining Essential Eight posture as the AI layer extends your operational surface.

Who Needs to Act Now

The Essential Eight Maturity Model is mandatory for all non-corporate Commonwealth entities, the 102 NCEs subject to the PGPA Act, and Maturity Level 2 has been the mandated requirement under PSPF Policy 14 since 1 July 2022. PSPF 2025, released in July 2025, extended this further by embedding Zero Trust principles, requiring Technology Asset Stocktakes for all internet-facing systems, and introducing new material on AI security and post-quantum cryptography preparedness.

Beyond government entities, private sector organisations in the government supply chain are increasingly subject to Essential Eight expectations through contract conditions and procurement requirements. DISP participants, organisations handling classified information, and businesses providing managed services to Commonwealth entities should treat Maturity Level 2 as a baseline requirement rather than a stretch target. We are seeing this expectation flow through into commercial contracts with increasing frequency, particularly in financial services, healthcare, and professional services.

🏁 Our assessment gate: Before any client engagement where we are managing security for a regulated environment, we run a baseline Essential Eight gap assessment. This takes 2 to 3 days for a mid-market environment and produces a control-by-control evidence report against the current framework, validated using ASD's E8MVT tool and our own technical assessment methodology, not a self-reported checklist.


Virtuelle Group Security Practice · Microsoft-Certified MSSP · Sydney, Australia
Virtuelle Group is a Microsoft-certified Managed IT and Cybersecurity partner headquartered in Sydney with offices in Melbourne, Auckland, Singapore, and Chicago. Our security practice specialises in Essential Eight gap assessments and uplift programmes, Microsoft 365 E5 security architecture, managed SOC and MDR services using Microsoft Sentinel and Defender, DISP engagements, and ISO 27001 certified managed services. We work with mid-market to enterprise clients across financial services, healthcare, government, and professional services.