The Essential Eight Explained: What Australian Businesses Need to Implement
The ASD Essential Eight is Australia's most important cyber security baseline — mandatory for government agencies, increasingly expected across the private sector, and referenced by cyber insurers, regulators and government procurement. Here's what the eight controls are, what maturity levels mean in practice, and where your organisation should start.
The Australian Signals Directorate published the Essential Eight in 2017 with a simple premise: implementing these eight mitigation strategies would prevent the vast majority of cyber incidents affecting Australian organisations. The controls weren't invented for the occasion — they were derived from ASD's operational experience responding to real breaches, conducting penetration tests, and analysing the tradecraft of the threat actors actually targeting Australian networks.
Nearly a decade on, the Essential Eight remains the most widely referenced cyber security framework in Australia. It is mandatory for Commonwealth government entities, referenced in the Protective Security Policy Framework (PSPF), required for Defence Industry Security Program (DISP) members, and increasingly expected by organisations seeking government contracts, cyber insurance, or compliance with industry regulations that reference ASD guidance.
Despite this, implementation remains surprisingly low. ASD's own reporting shows that in 2025, only 22% of Commonwealth entities — the organisations legally required to comply — had achieved the mandated Maturity Level 2 across all eight strategies. For the private sector, which has no legal compulsion but significant practical incentive, meaningful implementation is rarer still.
This guide explains what the Essential Eight actually requires, what maturity levels mean, and how to assess where your organisation stands.
The Eight Strategies
The Essential Eight is not a checklist you can tick once and forget. Each strategy is a control domain with specific technical requirements that vary by maturity level. Here is what each one covers:
Strategy 1
Application Control
Prevents unapproved or malicious programs — including malware — from executing on workstations and servers. Only applications explicitly permitted are allowed to run.
Strategy 2
Patch Applications
Ensures internet-facing services and high-risk applications are patched within defined timeframes. At higher maturity levels, critical vulnerabilities must be addressed within 48 hours.
Strategy 3
Configure Microsoft Office Macros
Restricts macro execution to prevent macro-based malware delivery. Macros from the internet are blocked; only digitally signed macros from trusted locations are permitted at higher levels.
Strategy 4
User Application Hardening
Reduces the attack surface in web browsers, PDF viewers, and office applications — blocking web advertisements, Java from the internet, and other common exploit vectors.
Strategy 5
Restrict Administrative Privileges
Limits who holds admin rights and what they can do with them. Privileged users should use separate accounts for privileged and unprivileged tasks, and admin accounts should not be used for email or web browsing.
Strategy 6
Patch Operating Systems
Keeps Windows, macOS, and Linux systems current. Unsupported operating systems must be replaced. At higher maturity levels, critical OS patches must be applied within 48 hours of release.
Strategy 7
Multi-Factor Authentication
Requires additional verification beyond passwords. At higher maturity levels, MFA must be phishing-resistant — meaning SMS codes and authenticator apps are no longer sufficient; hardware tokens or passkeys are required.
Strategy 8
Regular Backups
Protects critical data, software, and configuration settings with regular, tested backups stored separately from production systems. Backups must be demonstrably restorable, not merely present.
The weakest link rule: An organisation's overall maturity level is determined by its lowest-performing strategy. If seven of the eight controls are at Maturity Level 2 but backups are only at Level 1, the overall rating is Level 1. There is no averaging or credit for partial progress.
What Maturity Levels Actually Mean
The Essential Eight Maturity Model defines four levels — zero through three — each representing a progressively more robust implementation of the eight strategies.
| Level | What It Reflects | Typical Organisation |
|---|---|---|
| ML 0 | Controls not implemented or so incomplete they provide little meaningful protection | Organisations yet to begin structured cyber security implementation |
| ML 1 | Basic protection against opportunistic attacks using commodity tools and automated techniques | ASD guidance suggests this is appropriate for small to medium enterprises |
| ML 2 | Protection against moderately sophisticated adversaries — including those using spear phishing, credential harvesting, and lateral movement | Mandatory for Commonwealth entities; appropriate for large enterprises and government suppliers |
| ML 3 | Resilience against highly targeted attacks by advanced adversaries, including state-sponsored actors | Critical infrastructure operators and organisations in high-threat environments |
The jump from ML1 to ML2 is substantial. ASD hardened the ML2 requirements significantly in November 2023 — the update that caused measured compliance to drop from 25% of Commonwealth entities in 2023 to 15% in 2024, before recovering to 22% in 2025 as agencies adjusted. The key changes raised the bar on MFA (phishing-resistant authentication is now required at ML2 for some use cases) and application control (Microsoft's recommended application block-list must now be implemented at ML2, not just ML3).
Who Must Comply — and Who Should
Mandatory: Commonwealth government entities
Since 1 July 2022, PSPF Policy 14 requires all non-corporate Commonwealth entities to implement all eight Essential Eight strategies to Maturity Level 2, and to consider whether their threat environment warrants Maturity Level 3. This is a legal obligation, not a recommendation.
Mandatory: Defence industry suppliers
Members of the Defence Industry Security Program (DISP) are required to meet ML2 across all eight strategies on their corporate ICT systems. Defence is one of the largest procurement programmes in Australia; DISP membership is often a prerequisite for involvement in major contracts.
Strongly expected: Government contractors and suppliers
Organisations seeking government contracts across federal, state, and territory agencies are increasingly assessed against the Essential Eight through the Protective Security Policy Framework and IRAP assessment processes. While not always a hard legal requirement for private sector contractors, failure to demonstrate alignment is a practical disqualifier for significant government work.
Best practice: Private sector
For private sector organisations with no government contractual obligations, the Essential Eight is not legally mandated. However, ASD strongly recommends all Australian organisations — particularly those handling sensitive information — implement it as a security baseline. Cyber insurers increasingly reference the Essential Eight in underwriting criteria; boards and regulators in financial services and critical infrastructure also treat it as a recognised standard against which reasonable security practice can be measured. To understand concretely what the controls are protecting against, see what actually happens when a small business is hacked — the sequence of events makes the value of each mitigation tangible.
A note on industry-specific obligations: Some sectors overlay the Essential Eight with additional requirements. APRA-regulated entities (banks, insurers, superannuation funds) face CPS 234 obligations that go further than the Essential Eight in certain areas. Critical infrastructure operators under the SOCI Act must implement cyber security programs that ASD expects to be consistent with Essential Eight principles. Healthcare providers face Privacy Act obligations that intersect with Essential Eight controls around access management and data protection.
The Most Commonly Missed Controls
ASD's annual reporting consistently identifies certain strategies as harder to achieve than others. Understanding where organisations typically struggle helps prioritise assessment effort.
Restrict administrative privileges
Historically one of the lowest-performing strategies across Commonwealth entities. The challenge is cultural as much as technical: reducing admin rights creates friction for IT staff and power users who have grown accustomed to elevated access. At ML2, privileged users must use separate accounts for privileged and unprivileged tasks, and privileged accounts cannot access the internet or email. This is a significant operational change for most organisations.
User application hardening
Blocking web advertisements, disabling Java from the internet, and restricting PowerShell execution require careful tuning to avoid breaking legitimate business workflows. Many organisations apply these controls partially, which is insufficient — the maturity model requires complete implementation at each level, not partial credit.
Multi-factor authentication
The 2023 update to the maturity model raised the standard significantly. MFA using SMS one-time passwords or standard authenticator apps no longer meets ML2 requirements in all contexts. Phishing-resistant MFA — hardware security keys, passkeys, or certificate-based authentication — is increasingly required. This is a meaningful investment for organisations with large workforces or complex identity environments.
Application control
Application whitelisting remains difficult to implement comprehensively, particularly on endpoints where users run diverse software. The November 2023 update added a requirement to implement Microsoft's recommended application block-list — which targets living-off-the-land techniques — at ML2 rather than ML3, increasing the implementation burden for agencies and suppliers working toward that level.
Why Even "Voluntary" Organisations Should Take This Seriously
The gap between legal obligation and practical expectation is narrowing. Consider the vectors through which the Essential Eight becomes relevant for private sector organisations that have no direct government mandate:
- Cyber insurance: Insurers increasingly use Essential Eight maturity as an underwriting criterion. Poor MFA or patching discipline can result in exclusions, sub-limits, or declined cover for ransomware events.
- Customer due diligence: Enterprise customers — particularly in financial services, government, and critical infrastructure — increasingly require suppliers to demonstrate cyber security maturity. An Essential Eight assessment report is a recognised, defensible form of evidence.
- Regulatory expectations: Even where Essential Eight compliance is not formally mandated, regulators may reference it when assessing whether an organisation took "reasonable steps" to protect information. Under the Privacy Act, the test for reasonable security is objective — what a reasonable organisation in your position would do — and ASD's own guidance sets that benchmark.
- Post-incident scrutiny: After a breach, the first question is what controls were in place. An organisation that can demonstrate ML1 or ML2 compliance across the Essential Eight is in a materially stronger position than one with no structured framework at all.
Starting Your Assessment
Before you can improve your maturity level, you need an accurate baseline. This means evaluating each of the eight strategies against the specific technical requirements at your target maturity level — not a general impression of whether controls "exist", but whether they are implemented consistently, enforced, and evidenced.
A structured assessment should cover:
- Which controls exist versus which are assumed to exist — these are often different
- Whether controls cover all in-scope systems or only some
- Whether controls are technically enforced or rely on policy and user compliance
- The current maturity level for each strategy, not just the lowest
- The gap between current state and your target maturity level, prioritised by risk
- Documentary evidence for each control that would satisfy internal audit or external review
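The weakest-link rule and the assessment checklist above, as an added example that is not from the article or from ASD: a small Python gap register that rates overall maturity as the minimum across the eight strategies, lists which strategies hold the rating below a target level (largest shortfall first), and checks patch records against the two timeframes the article states (two weeks for internet-facing applications at ML1, 48 hours for critical vulnerabilities at ML2). The strategy names follow the article; the sample assessment, the patch records and their dates are constructed for illustration, and the function names are mine.

```python
"""Essential Eight gap register: added illustration, not ASD tooling.

Assumptions (constructed for this example, not taken from the article):
the sample assessment levels, the patch records and their dates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The eight strategies, in the article's order.
STRATEGIES = (
    "Application control",
    "Patch applications",
    "Configure Microsoft Office macros",
    "User application hardening",
    "Restrict administrative privileges",
    "Patch operating systems",
    "Multi-factor authentication",
    "Regular backups",
)
MATURITY_LEVELS = range(0, 4)  # ML0 .. ML3


def overall_maturity(assessed: dict[str, int]) -> int:
    """Weakest-link rule: the overall rating is the lowest strategy level.
    A strategy absent from the assessment counts as ML0 (not assessed)."""
    for name, level in assessed.items():
        if name not in STRATEGIES:
            raise ValueError(f"unknown strategy: {name!r}")
        if level not in MATURITY_LEVELS:
            raise ValueError(f"invalid maturity level for {name!r}: {level!r}")
    return min(assessed.get(s, 0) for s in STRATEGIES)


@dataclass(frozen=True)
class GapEntry:
    strategy: str
    current: int
    target: int

    @property
    def levels_short(self) -> int:
        return self.target - self.current


def gap_register(assessed: dict[str, int], target: int) -> list[GapEntry]:
    """Strategies below the target, largest shortfall first, then article order.
    The entries at the top are the ones pinning the overall rating down."""
    overall_maturity(assessed)  # validates names and levels
    if target not in MATURITY_LEVELS:
        raise ValueError(f"invalid target level: {target!r}")
    entries = [GapEntry(s, assessed.get(s, 0), target) for s in STRATEGIES]
    gaps = [e for e in entries if e.levels_short > 0]
    gaps.sort(key=lambda e: (-e.levels_short, STRATEGIES.index(e.strategy)))
    return gaps


# Patch timeframes as the article states them.
ML1_INTERNET_FACING_WINDOW = timedelta(weeks=2)
ML2_CRITICAL_WINDOW = timedelta(hours=48)


def overdue_patches(records, window: timedelta, as_of: datetime) -> list[str]:
    """Labels of records patched later than release + window, or still
    unpatched (patched is None) once the deadline has passed at `as_of`."""
    overdue = []
    for label, released, patched in records:
        deadline = released + window
        if patched is None:
            if as_of > deadline:
                overdue.append(label)
        elif patched > deadline:
            overdue.append(label)
    return overdue


# Constructed sample: seven strategies assessed, four of them short of ML2.
SAMPLE_ASSESSMENT = {
    "Application control": 1,
    "Patch applications": 2,
    "Configure Microsoft Office macros": 2,
    "User application hardening": 1,
    "Restrict administrative privileges": 1,
    "Patch operating systems": 2,
    "Multi-factor authentication": 1,
    "Regular backups": 2,
}

# Constructed patch evidence: (label, released, patched or None).
SAMPLE_PATCHES = [
    ("vuln-a", datetime(2025, 3, 1, 9), datetime(2025, 3, 2, 10)),  # 25 h after release
    ("vuln-b", datetime(2025, 3, 1, 9), datetime(2025, 3, 4, 9)),   # 72 h after release
    ("vuln-c", datetime(2025, 3, 3, 9), None),                      # not yet patched
]

if __name__ == "__main__":
    print("Overall maturity: ML", overall_maturity(SAMPLE_ASSESSMENT))
    for entry in gap_register(SAMPLE_ASSESSMENT, target=2):
        print(f"  {entry.strategy}: ML{entry.current} -> ML{entry.target}")
    late = overdue_patches(SAMPLE_PATCHES, ML2_CRITICAL_WINDOW, datetime(2025, 3, 6, 9))
    print("Outside the 48-hour window:", late)
```

The sample assessment rates ML1 overall even though four strategies already sit at ML2, which is the "no averaging" point the article makes; the register orders the entries so the ones blocking the target come first. The patch check is the kind of evidence test the checklist asks for: a policy that says "48 hours" is only enforced if the records show it.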
For most organisations targeting ML1, the immediate priorities are MFA on externally facing services and email, patching internet-facing applications within two weeks of release, removing unnecessary admin rights, and testing that backups can actually be restored. These four actions address the most common initial attack vectors and are achievable without significant infrastructure investment.
The path to ML2 — the level required for Commonwealth entities and increasingly expected by the market — involves more significant technical uplift, particularly around phishing-resistant MFA, application control coverage, and the specific patching timeframes (48 hours for critical OS vulnerabilities).
Assess Your Essential Eight Maturity
Our Essential Eight Maturity Assessment covers all eight strategies across all maturity levels, with scored results, a prioritised gap register, and an exportable Word report you can use as evidence of due diligence — or share with your board, auditors, or government customers.