For the better part of a decade, the hardest question in an Australian boardroom had a convenient answer. When a regulator, an insurer or a major customer asked “are we secure enough?”, the reply was increasingly a single shorthand: Essential Eight, Maturity Level Two. It became the line that separated the organisations taking cyber seriously from the ones that were not. That line is about to be pulled up — and the audits show most organisations never actually stood on it.
On 24 June 2026, the Australian Signals Directorate confirmed it intends to retire the Essential Eight within two years and replace it with a broader “Essentials” series. The first chapter, Essentials for enterprise IT, is open for consultation now through the ASD Cyber Security Partnership Program, with feedback due 12 July 2026. Further chapters are expected to address cloud and operational technology, with agentic AI under active consideration. This is not a tweak to the maturity ladder. It is the deliberate retirement of the framework that has anchored Australian cyber governance since 2017.
Why they are pulling it up
The stated reason will be familiar to anyone who has lived through an assessment cycle. ASD has acknowledged a problem organisations complained about for years: the maturity requirements kept shifting beneath them. A business assessed at Maturity Level Two one year could find itself slipping backwards the next — having changed nothing, with no actual deterioration in its posture — because ASD was absorbing new threat tradecraft into the existing levels, and the fixed maturity ladder was not flexible enough to carry it.
The Essentials series is designed to fix that by decoupling threat-informed controls from a rigid maturity ladder, and by shifting the emphasis from a prescriptive checklist to security outcomes. ASD frames it as “prioritised, threat-informed mitigations” with more flexibility in how organisations implement them. The philosophical change matters as much as the timing: the Essential Eight told you what to do — patch applications, patch operating systems, restrict administrative privileges, implement MFA, control applications, restrict Office macros, harden user applications, back up regularly. The Essentials will increasingly ask what you have actually achieved.
Most never reached Level Two
The uncomfortable backdrop to this transition is that the benchmark everyone leaned on was rarely met where it was actually mandated. Non-corporate Commonwealth entities have been obliged to implement all eight strategies to at least Maturity Level Two under the Protective Security Policy Framework since 1 July 2022. The audits tell the story of how that went.
What the auditors found, despite years-long obligations
- The Australian National Audit Office found the Department of Parliamentary Services only “partly effective”, with seven of eight key controls falling short — despite a standing obligation to reach Maturity Level Two.
- A 2024 Auditor-General report assessed Services Australia and AUSTRAC as having only “partly effective” controls that would not protect against a major incident.
- ASD’s own posture reporting has repeatedly shown that most entities still fall short of Maturity Level Two across all eight strategies at once. That is the hard part: an organisation’s overall level is the lowest level it reaches on any single strategy, not the average across the eight, so one lagging strategy drags the whole result down.
Read that against the framework’s own logic. ASD’s position has always been that the eight reinforce each other, so a strong seven with one weak strategy still leaves exactly the gap an attacker looks for. A maturity score that rounds up the average is not a posture. It is a number that hides the open door.
The deeper lesson: self-assessment drifts from reality
Strip away the framework names and one problem sits underneath all of it — the same problem that drove this retirement. Self-assessed maturity drifts from external reality. An organisation that documents a 48-hour patching policy can sit at Maturity Level Two on paper while an unpatched, internet-facing server quietly answers requests it should refuse. A policy is a statement of intent. It is not evidence of implementation, and it is certainly not evidence of what an attacker can currently see.
That is why a framework transition is exactly the moment to be careful. These are the moments vendors reach for their product catalogues, and the shift from prescriptive controls to outcomes — while welcome — introduces ambiguity that is easily resolved by overspending. Flexibility without independent judgement becomes guesswork. The organisations that navigate this well will be the ones that understand their own risk from the outside in, not the ones that buy the most tooling.
What survives the transition
Whatever the Essentials series finally prescribes, one input does not go out of date: an independent, evidence-based view of what your organisation actually exposes to the public internet. Outcomes-based assurance needs outcome evidence. A passive external assessment provides exactly that — the attacker’s-eye view, built only from public sources, that tells you whether the controls you have documented are holding in the place it matters most.
What a passive assessment gives you through the change
- Confirmation, from public certificate and DNS records, of the internet-facing estate you are actually defending — including the systems your own team has forgotten.
- Evidence of whether your patching, hardening and access controls hold up externally, rather than only on the policy page.
- Where your credentials already sit in public breach and infostealer data — the identity exposure no maturity score captures.
- A finding set expressed as risk and mapped to your obligations, ready to carry forward into the Essentials series, the ISM, the PSPF or your own internal framework.
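As an added illustration of the first two points above (not code from the article, and not any assessment provider's tooling), the following Python builds the attacker's-eye inventory the way a passive assessment does: it takes certificate names as they appear in a Certificate Transparency log search and public DNS answers, decides which hosts under the organisation's domains actually answer on the internet, and diffs that against the asset register the organisation believes it is defending. Everything here is assumed: the domain `example.com.au`, the hostnames, the expiry dates and the DNS answers are constructed inline so the script runs offline with no lookups.

```python
"""
Added example: passive external estate discovery from public certificate and
DNS records, diffed against an asset register. All inputs are constructed
(example.com.au, documentation IP ranges); nothing is fetched from the network.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class CertEntry:
    """One certificate as it would appear in a Certificate Transparency log search."""
    names: tuple[str, ...]   # subject CN plus SubjectAltName DNS entries
    not_after: date


@dataclass
class EstateReport:
    internet_facing: set[str] = field(default_factory=set)      # in-scope names with a DNS answer
    unregistered: set[str] = field(default_factory=set)         # resolve, but absent from the register
    expired_cert: set[str] = field(default_factory=set)         # resolve, newest known cert has expired
    wildcards: set[str] = field(default_factory=set)            # wildcard certs seen in CT
    no_longer_resolving: set[str] = field(default_factory=set)  # named in CT, but no DNS answer today


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def cert_name_covers(cert_name: str, host: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position (RFC 6125 style)."""
    cert_name, host = _norm(cert_name), _norm(host)
    if cert_name.startswith("*."):
        # '*.dev.example.com.au' covers 'a.dev.example.com.au' but not 'a.b.dev.example.com.au'
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def build_estate(
    ct_entries: list[CertEntry],
    dns_records: dict[str, list[str]],
    asset_register: set[str],
    org_domains: set[str],
    today: date,
) -> EstateReport:
    report = EstateReport()
    register = {_norm(h) for h in asset_register}

    def in_scope(host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in org_domains)

    # 1. What actually answers on the public internet: in-scope names with a DNS answer.
    for host, answers in dns_records.items():
        host = _norm(host)
        if answers and in_scope(host):
            report.internet_facing.add(host)

    # 2. Forgotten systems: live on the internet, unknown to the asset register.
    report.unregistered = report.internet_facing - register

    # 3. Certificate evidence: wildcards, names that have gone dark, and expiry per live host.
    for entry in ct_entries:
        for name in entry.names:
            name = _norm(name)
            if name.startswith("*."):
                report.wildcards.add(name)
            elif in_scope(name) and name not in report.internet_facing:
                report.no_longer_resolving.add(name)

    for host in report.internet_facing:
        expiries = [e.not_after for e in ct_entries
                    if any(cert_name_covers(n, host) for n in e.names)]
        if expiries and max(expiries) < today:
            report.expired_cert.add(host)

    return report


def sample_report() -> EstateReport:
    """Constructed inputs standing in for a CT log search and public DNS lookups (not real data)."""
    ct = [
        CertEntry(("www.example.com.au", "example.com.au"), date(2027, 1, 15)),
        CertEntry(("vpn.example.com.au",), date(2025, 3, 1)),              # expired, still resolving
        CertEntry(("legacy-portal.example.com.au",), date(2026, 12, 31)),  # never added to the register
        CertEntry(("*.dev.example.com.au",), date(2026, 9, 30)),          # wildcard: any dev host is trusted
        CertEntry(("old-crm.example.com.au",), date(2024, 6, 1)),          # decommissioned, DNS removed
    ]
    dns = {
        "example.com.au": ["203.0.113.10"],
        "www.example.com.au": ["203.0.113.10"],
        "vpn.example.com.au": ["203.0.113.20"],
        "legacy-portal.example.com.au": ["198.51.100.7"],
        "jenkins.dev.example.com.au": ["198.51.100.42"],
        "old-crm.example.com.au": [],   # NXDOMAIN
    }
    register = {"example.com.au", "www.example.com.au", "vpn.example.com.au"}
    return build_estate(ct, dns, register, {"example.com.au"}, today=date(2026, 7, 1))


if __name__ == "__main__":
    r = sample_report()
    for label, hosts in (("Internet-facing", r.internet_facing),
                         ("Not in register", r.unregistered),
                         ("Expired certificate", r.expired_cert),
                         ("Wildcard certs", r.wildcards),
                         ("Named in CT, no longer resolving", r.no_longer_resolving)):
        print(f"{label}: {sorted(hosts)}")
```

Two design points worth noting. The register is compared against what resolves, not against what holds a certificate: a name in a CT log that no longer answers is a decommissioning lead, not exposure, so it is reported separately rather than folded into the estate. And a wildcard certificate is listed on its own because it makes every future host under that label trusted by default, which is exactly how a development box ends up internet-facing with a valid certificate and no entry in anyone's inventory.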
What to do in the next fortnight
Two things, before the noise starts. First, have a voice in the consultation: the enterprise IT chapter is open for feedback until 12 July 2026, and the organisations that shape the standard are better placed than the ones that merely react to it. Second, stop treating your maturity score as the answer and start establishing what you actually expose. The framework is changing; the open door is not. Find yours from the outside before the new baseline — or an attacker — finds it for you.