A few years ago, Australian organisations treated the ASD Essential Eight as aspirational guidance — a sensible framework to work toward when budgets allowed. That era is over. In 2026, Essential Eight maturity has become a baseline expectation for government suppliers, critical infrastructure operators, and any organisation that handles sensitive data at scale. Boards are asking about it. Cyber insurers are pricing policies around it. Defence and federal procurement panels are gating tender eligibility on it. If your organisation cannot demonstrate at least Maturity Level 2 (ML2), you are not just behind on security — you are behind on competitiveness.
The good news is that the path from ML0 to ML3 is well-defined. This article walks through what each maturity level actually demands, why so many organisations are stuck at ML0 or ML1, and how to build a realistic, phased roadmap — including honest guidance on what it will cost and how automation changes the equation.
What the Essential Eight Actually Is
The Essential Eight is a set of eight prioritised mitigation strategies published by the Australian Signals Directorate (ASD) under the Australian Cyber Security Centre (ACSC). Originally derived from analysis of real-world attacks, the framework targets the most common techniques used by adversaries to compromise systems, escalate privilege, and persist undetected.
The eight strategies are:
- Application control — preventing unauthorised applications from executing
- Patch applications — keeping software up to date to close known vulnerabilities
- Configure Microsoft Office macro settings — restricting macros to prevent a common malware delivery vector
- User application hardening — blocking web advertisements, Java from the internet, and other risky browser features
- Restrict administrative privileges — limiting who holds admin rights and when
- Patch operating systems — keeping OS kernels and drivers current
- Multi-factor authentication (MFA) — requiring more than a password for authentication
- Regular backups — maintaining tested, offline or immutable copies of critical data
Alongside each strategy, ASD defines four maturity levels: ML0 (not implemented or inconsistently implemented), ML1 (partially implemented), ML2 (mostly implemented with some gaps), and ML3 (fully implemented with strong controls and evidence). The levels are cumulative — you cannot achieve ML2 without satisfying ML1 requirements, and ML3 requires everything beneath it plus additional controls targeting sophisticated, state-sponsored adversaries.
Why Maturity Level Is Now a Competitive Issue
The shift from "recommended" to "required" has happened faster than most organisations expected, driven by three converging forces.
Government procurement and tender eligibility
Federal procurement panels, particularly those connected to Defence, Home Affairs, and critical infrastructure agencies, now routinely reference Essential Eight compliance in tender requirements. Across federal government, ML2 has become the de facto baseline expectation for suppliers handling sensitive information. For organisations seeking access to Defence supply chain or DISP membership, the bar is higher: ML3 is the expectation for high-risk roles. Organisations that cannot demonstrate current maturity assessments — ideally conducted by an IRAP-qualified assessor — will find themselves excluded from shortlists before evaluation begins.
Cyber insurance underwriting
Australian cyber insurers have substantially tightened their underwriting criteria since 2023. Most tier-one carriers now ask directly about Essential Eight controls during the application process. Organisations at ML0 or ML1 face either coverage exclusions for specific attack vectors (ransomware in particular), significantly higher premiums, or outright declination. ML2 and above is increasingly a threshold for standard coverage terms.
Board and regulatory scrutiny
The Security of Critical Infrastructure (SOCI) Act and its associated Rules impose cyber security obligations on operators of critical infrastructure assets across 11 sectors. While the Rules do not mandate Essential Eight by name, ACSC strongly recommends it as the primary framework for meeting those obligations. Boards of SOCI-regulated entities are now expected to demonstrate informed oversight of cyber posture — and Essential Eight maturity level is the most legible metric available for that conversation.
Understanding ML0 to ML3: What Each Level Actually Demands
The maturity model was substantively updated in November 2023, and ASD continues to revise it to reflect observed attacker techniques. The following summarises what each level demands across the full framework, with particular focus on the three areas where progression is hardest: patching discipline, privileged access management, and system hardening (including cloud environments).
ML0 — Not implemented
At ML0, controls are absent or so inconsistently applied they provide no reliable protection. This is not necessarily a sign of negligence — many organisations reach ML0 simply because they have grown organically, inherited legacy environments, or never had a structured cyber programme. The problem is that ML0 offers almost no resistance to commodity threats, let alone targeted attacks. An organisation at ML0 is, from an adversary's perspective, essentially undefended.
ML1 — Mitigating opportunistic threats
ML1 is calibrated to defend against attackers who use commodity techniques — phishing kits, known exploits, and credential stuffing. At this level, organisations have begun to apply controls but with significant gaps in coverage and consistency:
- Patching: Critical vulnerabilities in internet-facing systems are patched within one month; other patches within two months. Driver and firmware patching is not yet required.
- Privileged access: Administrative accounts are used only for admin tasks; privileged users are not permitted to read email or browse the internet. However, jump hosts and privileged access workstations are not yet required.
- MFA: Required for remote access and for third parties, but any MFA method is acceptable at this level — including SMS OTP.
ML1 is a meaningful improvement over ML0, but it leaves significant exposure to attackers who invest even modest effort in reconnaissance and lateral movement.
ML2 — Mitigating targeted threats
ML2 is increasingly described as the minimum acceptable baseline for organisations handling sensitive data or operating in regulated sectors. It addresses attackers who adapt their techniques to evade basic controls. The uplift from ML1 to ML2 is significant and requires genuine investment in tooling, process, and culture:
- Patching: Critical vulnerabilities in internet-facing systems must be patched within two weeks; all other critical patches within one month. Applications that interact with untrusted internet content — browsers, office productivity suites, PDF readers — are subject to tighter timelines.
- Privileged access: Privileged access to data repositories requires explicit justification and is time-limited. Just-in-time provisioning approaches become important here. Separate accounts are required for privileged and unprivileged activity.
- MFA: Phishing-resistant MFA (hardware security keys, Windows Hello for Business, or certificate-based authentication) is required for privileged users. Standard MFA is required for all other users accessing organisational systems.
- Application control: Extended to cover all user workstations, not just servers and high-risk systems.
The jump to ML2 is where most organisations discover that compliance is a people and process problem as much as a technology one. Patching within two weeks requires an automated, repeatable pipeline — manual processes simply cannot keep pace. Phishing-resistant MFA requires hardware procurement, enrolment workflows, and end-user training.
ML3 — Mitigating sophisticated adversaries
ML3 is designed to provide resilience against state-sponsored and highly sophisticated threat actors — the kind that conduct prolonged, targeted campaigns and actively evade detection. The November 2023 update added driver and firmware patching to ML3 requirements, reflecting observed attack techniques used by advanced persistent threat groups. Key ML3 requirements include:
- Patching: Critical vulnerabilities must be patched within 48 hours of a patch becoming available. This is not achievable through manual processes — it demands automated patch deployment with rapid validation capability. Driver and firmware patching is now an explicit requirement at this level.
- Privileged access: Privileged access workstations (PAWs) are required — dedicated, hardened devices used exclusively for administrative tasks. Privileged access to data repositories must be revalidated at least every 12 months and is automatically disabled if not revalidated. Session logging for all privileged activity is mandatory.
- MFA: Phishing-resistant MFA is required for all users on all systems, including workstation logon. Every authentication event — not just remote access — must be protected. FIDO2 hardware security keys, smart cards, and Windows Hello for Business with TPM-backed keys all qualify.
- Application control and hardening: Application control rules must be validated and tested regularly. Web advertising blocking and PowerShell execution restrictions are enforced broadly. Cloud service configurations must be hardened and reviewed; cloud-based identity and access management is explicitly in scope.
Why Most Organisations Are Stuck at ML0 or ML1
Despite years of ACSC promotion, independent assessments consistently find that the majority of Australian organisations remain at ML0 or ML1. The reasons are structural:
Legacy environments resist rapid patching
The 48-hour patching window at ML3 — and even the two-week window at ML2 — assumes that patching is automated, validated, and deployable without extended change management cycles. Most organisations still operate on monthly patching cycles governed by change advisory boards. Retrofitting automation into complex, mixed-environment estates is non-trivial and often requires significant investment in endpoint management tooling (Microsoft Intune, SCCM, or equivalent) before the patching timelines become achievable.
Privileged access is culturally entrenched
Restricting administrative privileges is technically straightforward but organisationally difficult. IT staff who have held broad admin rights for years resist giving them up. Break-glass procedures are often missing. Just-in-time provisioning requires identity governance tooling that many organisations do not have. And privileged access workstations, while conceptually simple, require dedicated hardware budgets and workflow changes that need executive support to implement.
MFA rollouts stall on exceptions
Rolling out phishing-resistant MFA to all users sounds like a well-understood project — until organisations encounter shared service accounts, kiosk workstations, legacy applications that cannot support modern authentication protocols, and users who simply refuse to carry a hardware token. Every exception becomes a gap in the control, and gaps at ML3 are not acceptable. Closing every exception requires both technical workarounds and sustained management attention.
Evidence and documentation are afterthoughts
Achieving a maturity level and demonstrating it to an IRAP assessor are different things. Organisations often implement controls without maintaining the timestamped, auditable evidence that assessors require. When an assessment is commissioned, the effort required to reconstruct evidence — or to discover that controls were applied inconsistently — can be as large as the original implementation effort.
A Realistic Multi-Year Roadmap
A structured uplift programme typically moves through four phases. The timeline varies significantly based on organisation size, environment complexity, and the maturity level you are starting from.
Phase 1 — Assess (4–8 weeks)
Commission an independent gap assessment against the current Essential Eight Maturity Model. The assessment should produce a scored baseline across all eight controls, a prioritised list of gaps, and a risk-rated remediation plan. Do not attempt to self-assess for this phase — the objectivity of an independent assessor, preferably IRAP-qualified, is essential both for accuracy and for the credibility of the output with boards and procurement panels.
Phase 2 — Quick wins and ML1 closure (60–90 days)
Target the gaps that deliver disproportionate risk reduction for relatively low effort: enabling MFA for all remote access, restricting macros to signed content, deploying web content filtering, and ensuring backups are tested and offline copies are verified. For many organisations, this phase moves them from ML0 to a credible ML1 baseline. Budget guidance: for an organisation of 50–150 people, expect AUD $15,000–$50,000 for assessment plus initial remediation, depending on existing tooling.
Phase 3 — Structural uplift to ML2 (3–9 months)
ML2 requires investment in automation and tooling that Phase 2 alone cannot deliver. This phase focuses on: deploying or extending endpoint management to automate patching within ML2 timelines; implementing an identity governance platform to support privileged access controls; rolling out phishing-resistant MFA to all privileged users; and hardening application control rules across the fleet. For a mid-sized organisation (100–500 people), this phase typically costs AUD $80,000–$250,000, depending heavily on the state of existing identity and endpoint infrastructure.
Phase 4 — ML3 maturity and continuous evidence (6–18 months)
ML3 is a sustained programme, not a project. Reaching and maintaining ML3 requires automated patch deployment with 48-hour SLAs, privileged access workstations, phishing-resistant MFA everywhere, continuous configuration monitoring, and regular testing of controls. Crucially, it requires an evidence management process that produces clean, timestamped artefacts for assessors without manual effort. This is where GRC platforms and security automation tooling pay for themselves — they reduce the ongoing compliance labour burden significantly. Organisations at this phase should budget for ongoing managed assessment retainers and annual IRAP assessments to maintain credibility.
How Automation Changes the Economics
The single biggest shift in Essential Eight compliance economics in 2025–2026 has been the maturation of automation tooling. Controls that previously required manual checking — vulnerability scanning, patch compliance reporting, privileged access reviews, backup validation — can now be automated with commercially available platforms that also produce assessment-ready evidence.
This matters for two reasons. First, it reduces the ongoing operational cost of maintaining maturity. A programme that requires ten hours of manual compliance checking per week at ML2 can often be reduced to two hours with appropriate tooling — freeing security staff for higher-value work. Second, it reduces the cost and friction of formal assessments. Assessors increasingly expect to see continuous monitoring data and automated evidence rather than point-in-time screenshots, and organisations that can produce this are assessed faster and with fewer findings.
Automation does not eliminate the need for skilled human judgement — it handles the repeatable, evidence-gathering tasks so that analysts can focus on the exceptions, the edge cases, and the strategic decisions that require experience.
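As an added illustration of the patch-compliance reporting just described, and of the patching windows the article gives for ML1, ML2 and ML3 above, the following script (written for this edit, not CyberCorp or ASD tooling) scores a set of patch records against each level's window and lists the assets that breach it. The records, the assessment date and the 30-day month used for "one month" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Patching windows per maturity level as summarised in this article:
# ML1 = one month (internet-facing) / two months (other), ML2 = two weeks /
# one month, ML3 = 48 hours for critical patches. A 30-day month is an
# assumption made here for the arithmetic.
WINDOWS = {
    "ML1": {"internet_facing": timedelta(days=30), "other": timedelta(days=60)},
    "ML2": {"internet_facing": timedelta(days=14), "other": timedelta(days=30)},
    "ML3": {"internet_facing": timedelta(hours=48), "other": timedelta(hours=48)},
}
LEVELS = ("ML1", "ML2", "ML3")


@dataclass
class PatchRecord:
    asset: str
    internet_facing: bool
    patch_available: datetime          # vendor release time of the critical patch
    patch_applied: Optional[datetime]  # None means the patch is still outstanding


def elapsed(rec: PatchRecord, now: datetime) -> timedelta:
    """Time from patch availability to deployment, or to 'now' if still open."""
    return (rec.patch_applied or now) - rec.patch_available


def meets_window(rec: PatchRecord, level: str, now: datetime) -> bool:
    exposure = "internet_facing" if rec.internet_facing else "other"
    return elapsed(rec, now) <= WINDOWS[level][exposure]


def patching_maturity(records, now):
    """Return (highest level met by every asset, {level: [failing assets]}).

    Levels are cumulative: the achieved level stops at the first level with
    any failure, even if a higher level would pass for some assets.
    """
    failures = {lvl: [r.asset for r in records if not meets_window(r, lvl, now)]
                for lvl in LEVELS}
    achieved = "ML0"
    for lvl in LEVELS:
        if failures[lvl]:
            break
        achieved = lvl
    return achieved, failures


# Constructed sample evidence (hypothetical assets) at an assumed assessment date.
NOW = datetime(2026, 3, 1)
SAMPLE = [
    PatchRecord("web-01", True, datetime(2026, 2, 1), datetime(2026, 2, 2)),
    PatchRecord("web-02", True, datetime(2026, 2, 1), datetime(2026, 2, 10)),
    PatchRecord("fileserver", False, datetime(2026, 1, 1), datetime(2026, 2, 15)),
    PatchRecord("vpn-gw", True, datetime(2026, 2, 25), None),  # still unpatched
]

if __name__ == "__main__":
    level, gaps = patching_maturity(SAMPLE, NOW)
    print(f"patching maturity: {level}")
    for lvl, assets in gaps.items():
        print(f"  {lvl} gaps: {assets or 'none'}")
```

Run against a real export of patch timestamps, the per-level gap lists are the evidence an assessor asks for: which assets held the organisation at ML1 and which would have to move faster to claim ML2 or ML3.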
Connecting Maturity to Competitive Advantage
The organisations that will benefit most from the Essential Eight's shift from guidance to expectation are those that treat the framework as a capability-building exercise rather than a compliance checkbox. An ML2 or ML3 certification — particularly one backed by an IRAP assessment — is a credible, auditable signal of operational security maturity. It shortens due diligence cycles with government agencies. It strengthens cyber insurance positions. It gives boards a defensible basis for asserting that reasonable cyber care has been taken.
For organisations competing in government markets, this is not abstract. A supplier that can demonstrate current IRAP-assessed ML2 compliance in a tender response has a structural advantage over a competitor who cannot. As ML2 becomes the floor and ML3 becomes the differentiator for high-value work, the gap between organisations that have invested in maturity uplift and those that have not will widen.
Key Takeaways
- ML2 is the new floor. For federal government suppliers and regulated sector operators, Maturity Level 2 is increasingly the minimum expectation — not an aspiration. ML3 is required for Defence supply chain and critical infrastructure roles.
- The three hardest uplift areas are patching speed, privileged access discipline, and MFA everywhere. These require automation and process change, not just policy updates.
- The November 2023 update added driver and firmware patching at ML3 and tightened MFA requirements to phishing-resistant methods. Organisations whose gap assessments pre-date this update should commission a refresh.
- Most organisations are at ML0 or ML1 — meaning there is a significant, achievable window to differentiate by reaching ML2 while competitors remain behind.
- Automation reduces the ongoing cost. GRC platforms and endpoint management tooling pay for themselves through reduced manual compliance effort and cleaner assessment evidence.
- Assessment credibility matters. IRAP-assessed maturity carries more weight in procurement and insurance contexts than self-assessed maturity. Build towards formal assessment from the outset.
- Budget realistically. A credible ML2 programme for a mid-sized Australian organisation typically requires AUD $80,000–$250,000 in year one, with ongoing investment in tooling and annual assessments thereafter.
The Essential Eight is no longer a framework for the security-conscious few — it is the baseline for operating credibly in Australian regulated markets. Organisations that invest in structured maturity uplift now will find themselves better positioned for tenders, better covered by insurers, and better equipped to withstand the threats that are already targeting their sector. If you are ready to understand where you stand and what it will take to reach your target maturity level, schedule an Essential Eight Assessment with our GRC team. You can also explore our full suite of Essential Eight and compliance services to see how CyberCorp supports organisations from initial gap assessment through to IRAP-assessed ML3.