The Essential Eight is being retired: what the new Essentials framework means for you
The Australian Signals Directorate has confirmed the biggest change to the Essential Eight since it was introduced: it intends to retire the framework within about two years and replace it with a broader, outcome-based Essentials series. If you have invested in Essential Eight maturity, the first thing to know is that the work is not wasted. The fundamentals carry over. What changes is how the guidance is structured, and why.
A quick refresher
The Essential Eight is the ASD's set of eight mitigation strategies that prevent attacks, limit their spread, and help you recover: application control, patch applications, configure Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Each is measured across four maturity levels, from Level Zero to Level Three.
The principle people most often miss is uniform maturity: your overall level is set by your weakest control, not your strongest. Being excellent at backups while macros are unmanaged still leaves you at the lower level, because attackers target the gap, not the strength.
What ASD has announced
The Essential Eight will not disappear overnight. ASD has described a transition: the Essential Eight and the new Essentials will run side by side as live guidance, with the Essential Eight beginning to be deprecated after around twelve months and fully retired at about the two-year mark. The first chapter of the replacement, Essentials for enterprise IT, is already open for industry consultation, with feedback due in mid-July 2026.
The Essentials is structured as a series rather than a single list, treating enterprise IT, operational technology and cloud as distinct security domains, with agentic AI flagged as a likely chapter of its own. The order of release starts with enterprise IT, then operational technology, then cloud.
Why it is being replaced
The honest reason is age. The Essential Eight was written in 2017 for on-premises enterprise IT, before cloud was the default. Its controls do not map cleanly onto shared-responsibility and SaaS environments, where the provider owns part of the stack and you own the rest. Pulling cloud out into its own chapter lets the guidance say something useful about what your responsibility actually is.
The new approach also shifts from prescriptive controls tied to specific technologies towards outcomes and intent, so you have more freedom to meet the guidance with whatever tools fit your environment. It leans on ASD's Modern Defensible Architecture thinking: defence in depth and protecting your crown jewels, rather than a thin perimeter around everything. And it sets out to fix a long-running frustration, the sense that maturity goalposts kept moving as new threats were absorbed into existing levels, leaving organisations looking like they had gone backwards without any real change in posture. The Essentials decouples threat-informed controls from a fixed maturity ladder so that stops happening.
What it means while both frameworks run
Retirement is two years away, and during the transition the Essential Eight is not going soft. If anything the scrutiny is tightening: assessors and insurers increasingly want evidence-backed maturity, not a self-scored number. That same emphasis carries into the Essentials, so the work is not wasted. It lands in four places:
- Maturity has to be evidenced. "We patch within 48 hours" is no longer a claim, it is something you must show: patch cycle records, change logs, documented exceptions and approvals, and data on patch success rates. Self-scoring without documentation is now the thing that gets picked apart in an assessment or after an incident.
- Privileged access is under the microscope. Standing admin accounts, MFA exceptions left in place for "temporary" reasons, break-glass accounts that bypass policy, and lateral-movement potential are all getting closer attention, because so many Australian breaches start with a compromised privileged account.
- Application control has to be real, not partial. Allowlisting on a handful of user laptops while servers and critical workloads sit uncovered no longer counts as maturity. The expectation is enforced control on the systems that matter, with documented justification for any gaps and a plan for the legacy environments.
- Incident response has to map to the controls. Can you detect, isolate and respond? How quickly can you assess blast radius? Do your logs, alerts and automation actually support recovery? IR readiness is becoming the proof that your Essential Eight implementation works when it is tested, not just when it is described.
None of this is busywork. Evidence, privileged-access discipline, real application control and tested response are exactly the outcomes the Essentials will ask for, just expressed as intent rather than a fixed checklist. Build them now and you are ready for both.
What is not changing
The protective behaviours behind the framework are as durable as ever, and they are where most of the risk reduction still comes from:
- Patching reduces risk the fastest. Unpatched systems remain the easiest way in, and no amount of tooling changes that. Timely patching is still the single most impactful control.
- Least privilege is the backbone. Almost every breach relies on privilege escalation at some point. Least privilege, separation of duties and MFA stay non-negotiable.
- Backups are the last line. Against fast-moving ransomware, immutable, tested, off-site backups remain the only reliable fallback.
- User hardening still matters. Macros off by default, application control and MFA are the same pillars; the ask now is simply better proof they are applied consistently.
This is why ASD has been clear that the investment you have made in the Essential Eight stays relevant under the Essentials. The fundamentals are not being thrown out; they are being reorganised around outcomes, cloud and modern architecture. Attackers have not changed strategy, they have automated it, and the controls that blunt them endure.
How we approach an uplift that holds
We treat the Essential Eight as engineering, not paperwork, and we build it on tooling our clients already own or can adopt cleanly:
- Application control with Airlock Digital, and patching with Patch My PC and Intune for both applications and operating systems.
- Phishing-resistant MFA, Conditional Access and privileged access tightening across Microsoft Entra, with identity governance behind it.
- Macro hardening and user application hardening through Intune policy, and resilient, tested backups with Veeam.
Because it is built on a managed platform, the posture can be monitored and maintained, so when the model moves again you are adjusting settings rather than starting over.
Where to start
Begin with an honest read of where you actually sit, control by control, against the current model, not the version you last assessed. Our Essential Eight page walks through our reference architecture for all three levels, and the self-assessment gives you an indicative maturity picture in a few minutes. When you want a verified result, a cyber health check turns it into a costed plan. We are tracking the Essentials consultation closely, and because we build for outcomes and cloud-first environments already, we can make sure your roadmap lands the right side of the change rather than being redone when the new guidance arrives.