For most Australian organisations, the Essential Eight has been the shorthand for baseline cyber security for the better part of a decade. That is now changing. On 24 June 2026 the Australian Signals Directorate confirmed that the Essential Eight will be retired and replaced by a broader set of guidance called the Essentials series. The change is significant, but it is not sudden, and for organisations that treat cyber security as a governed, risk-based discipline it is more an evolution than a disruption.
Key takeaways
- The Australian Signals Directorate (ASD) will retire the Essential Eight over roughly two years and replace it with a new Essentials series.
- The Essential Eight remains the current, supported framework today, and it is still what tenders, contracts and regulators reference. Nothing needs to be abandoned.
- Essential Eight Maturity Level Two remains the mandated baseline for Defence Industry Security Program membership and is referenced within the PSPF.
- The first chapter, Essentials for enterprise IT, is open for consultation until 12 July 2026, with operational technology and cloud chapters to follow.
- Work already done under the Essential Eight carries across, and organisations with controls tied to documented risk will transition most smoothly.
What the Essential Eight is today
The Essential Eight is a set of eight prioritised mitigation strategies published by ASD through the Australian Cyber Security Centre to help organisations prevent, limit and recover from cyber incidents. Organisations assess themselves across four maturity levels, from zero to three, with the level chosen to match the threat they face. The last revision to the maturity model was made in November 2023.
For regulated organisations the Essential Eight is not optional. Maturity Level Two is the baseline mandated for membership of the Defence Industry Security Program, measured through the cyber security questionnaire and maintained through the annual security report, and it is embedded in the PSPF’s technology requirements for Commonwealth entities. It also appears widely in cyber insurance questionnaires, government procurement and board risk reporting.
What ASD has announced
ASD will replace the Essential Eight with the Essentials series, a set of separate, domain-specific chapters rather than a single universal checklist. The first chapter, Essentials for enterprise IT, is the direct successor to the current framework, with further chapters planned for operational technology and cloud, and a dedicated chapter on agentic artificial intelligence flagged as a possibility. The new guidance is grounded in the same Information Security Manual that underpins the Essential Eight, and ASD describes it as prioritised, threat-informed mitigations for contemporary technology environments.
The transition is deliberate and staged. ASD has said the Essential Eight will remain a live, supported document during the transition, that it expects to begin deprecating the framework at around 12 months, and to retire it fully at around 24 months. On that timeline the Essential Eight remains in force now, is likely to be deprecated around mid-2027, and fully retired around mid-2028. Consultation on the first chapter is open through ASD’s Cyber Security Partnership Program portal until 12 July 2026.
Why the change
The reasoning is structural rather than a criticism of the controls themselves. The Essential Eight was first published in 2017, evolving from the earlier Top Four, and it was designed for an on-premises, Windows-centred, perimeter-based environment. Most organisations no longer operate that way. Cloud platforms, software as a service, operational technology and mobile endpoints do not map cleanly onto controls written before the shared responsibility model existed.
A second driver is a long-standing complaint that the maturity goalposts kept moving. Because ASD folded new attacker tradecraft into the existing maturity levels, an organisation could hold the same controls steady and still appear to slip backwards on paper. The Essentials series is intended to fix this by decoupling threat-informed controls from a fixed maturity ladder, and by shifting emphasis from prescriptive, technology-specific controls towards outcomes and intent, giving organisations more flexibility in how they meet the guidance.
What it means for your organisation
The headline message from ASD is continuity, not disruption. The practical implications are these.
- Keep going. The Essential Eight is the framework in force today, it is still referenced in tenders and contracts, and walking away now would leave an organisation exposed and, for regulated entities, non-compliant. Continue maturing against it.
- Your investment carries across. ASD has confirmed that controls and tools implemented under the Essential Eight remain relevant under the Essentials series and will map into the new guidance, so the work is not wasted.
- Treat controls as a management system, not a checklist. Organisations whose controls are tied to documented risks and clear outcomes, rather than to a list of technologies, will map into an outcomes-based framework with far less rework. This is the same logic that underpins a sound information security management system.
- Map your cloud and shared responsibilities now. Most Essential Eight programs under-cover cloud and software as a service, and the Essentials series will make those responsibilities explicit. Understanding where your obligations end and a provider’s begin is work worth starting early.
- Watch the consultation if it affects you. Government, critical infrastructure and financial services organisations should follow how the transition interacts with their obligations under the PSPF, the SOCI Act and APRA’s standards. Consultation on Essentials for enterprise IT closes on 12 July 2026.
Where this sits in your wider obligations
The Essential Eight has never been a complete security program. It is a baseline for internet-connected IT, and it sits inside a wider set of obligations that includes the PSPF for protective security, the SOCI Act for critical infrastructure, and sector regulation such as APRA’s prudential standards. The move to the Essentials series reinforces that point by treating enterprise IT, operational technology and cloud as distinct domains that each warrant their own considered treatment. These frameworks are mapped in Agilient’s security and compliance frameworks hub.
This is the governance question the change really raises. It is less about which eight controls to implement, and more about whether an organisation’s cyber controls are anchored to its assessed risks, its critical assets and its regulatory obligations, so that the framework underneath them can evolve without the whole program having to be rebuilt.

How Agilient can assist
Agilient works in the governance and advisory lane. Agilient does not perform Essential Eight maturity assessments, ISM assessments or IRAP certification, and does not provide technical cyber or network consulting. What Agilient does is help boards, executives and security leaders make sense of where controls like the Essential Eight, and the coming Essentials series, fit within an entity’s overall security risk and governance posture, and within its obligations under the PSPF, the SOCI Act and the Defence Industry Security Program.
That includes security risk assessment, protective security and PSPF advisory, and critical infrastructure and SOCI readiness, delivered independently and on a vendor-neutral basis. Agilient’s consultants have worked in classified Australian Government environments, and Agilient’s founder led national standards development in security, risk and resilience. For an organisation trying to work out what the end of the Essential Eight means for its governance and compliance position, that is the starting point.
Frequently asked questions
Is the Essential Eight still current?
Yes. The Essential Eight is the active, supported framework today and remains so throughout the transition. ASD does not expect to begin deprecating it for around 12 months, with full retirement at around 24 months.
What is replacing the Essential Eight?
A broader Essentials series, made up of separate chapters for enterprise IT, operational technology and cloud, with a dedicated chapter on agentic artificial intelligence flagged as a possibility. The first chapter, Essentials for enterprise IT, is the direct successor to the Essential Eight.
Will the work we have done on the Essential Eight be wasted?
No. ASD has confirmed that the controls and tools invested in under the Essential Eight remain relevant under the Essentials series and will map across to the new guidance.
Does this change our Defence Industry Security Program obligations?
Not for now. Essential Eight Maturity Level Two remains the mandated baseline for DISP membership during the transition, so the priority is keeping controls operating and evidence current.
When does the change take effect?
The Essential Eight is in force today. Consultation on the first Essentials chapter closes on 12 July 2026. On ASD’s stated timeline, deprecation begins at around 12 months and full retirement at around 24 months.
References
- Australian Signals Directorate, Consultation on evolution of the Essential Eight (Essentials series and Essentials for enterprise IT), cyber.gov.au
- Australian Signals Directorate, Essential Eight and Information Security Manual, cyber.gov.au
- iTnews, ASD to retire Essential Eight within two years (interview with Chris Horlyck, ACSC), itnews.com.au