Essential Eight 2026: What Changed and Why Australian SMBs Should Care
TL;DR
- The Australian Signals Directorate has continued refining the Essential Eight maturity model through 2025-2026, with updated guidance on application control, patching timelines, macro restrictions, and multi-factor authentication requirements.
- Government suppliers now face increasing pressure to demonstrate Essential Eight compliance under the Protective Security Policy Framework (PSPF), and OAIC enforcement activity is rising after major breach cases.
- Ransomware remains the most destructive cybercrime threat to Australian organisations, with SMBs disproportionately targeted due to weaker security controls — the ACSC Annual Cyber Threat Report consistently highlights this.
- You do not need an enterprise budget to implement the Essential Eight. Most SMBs can reach Maturity Level One with existing tools and a structured approach. A documented baseline assessment is the critical first step.
What Is the Essential Eight and Why Does It Matter?
The Essential Eight is a set of baseline cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and published through the Australian Cyber Security Centre (ACSC). Originally derived from the broader Strategies to Mitigate Cyber Security Incidents list, the Essential Eight was established as a prioritised set of eight strategies that, when implemented correctly, can mitigate up to 85 per cent of targeted cyber intrusions.
The eight strategie
For Australian SMBs, the Essential Eight matters for three reasons. First, it is the framework the Australian Government uses to assess cybersecurity posture for its own agencies and, increasingly, for its suppliers. Second, regulators including the OAIC have cited inadequate security controls in enforcement actions, and the Essential Eight represents a recognised standard of reasonable measures. Third, it is practical — unlike ISO 27001 or SOC 2, the Essential Eight is focused on specific technical controls that deliver measurable risk reduction.
What Has Changed in the Essential Eight Maturity Model?
The ASD has continued refining the Essential Eight maturity model through 2025 and into 2026. These changes reflect evolving threat intelligence and lessons learned from incidents affecting Australian organisations.
Application Control Refinements
Application control — the strategy of only allowing approved applications to run on systems — has received updated guidance around implementation on workstations and servers. The maturity model now provides clearer definitions of what constitutes effective application control at each maturity level, including specific requirements for logging and monitoring application execution events.
At Maturity Level One, organisations must implement application control on workstations to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, and HTML applications. Maturity Level Two extends this to internet-facing servers. Maturity Level Three requires application control on all workstations and servers, with logging of allowed and blocked execution events centrally stored and protected from unauthorised modification.
For SMBs, the practical implication is that simply having Windows AppLocker configured with default rules is no longer sufficient. You need documented policies, tested rules, and evidence that your application control is actually preventing unauthorised software from running.
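The evidence an assessor asks for is the applied rule set, a dry run showing the rules actually deny an unapproved binary, and the execution log showing blocks in enforce mode rather than audit mode. The following PowerShell script is an added example (not code from the article or from ASD) that collects all three. It assumes AppLocker is deployed by Group Policy with the Application Identity service running, an elevated session, and that `unapproved-tool.exe` in the Downloads folder stands in for whatever unapproved binary you use as a test file.

```powershell
# Added example: collect AppLocker evidence for an Essential Eight assessment.
# Assumes AppLocker is deployed via GPO, the Application Identity service is running,
# and this runs in an elevated PowerShell session.

# 1. Export the effective (merged local + domain) policy so the assessor has the rules as applied.
$policyPath = "$env:TEMP\applocker-effective.xml"
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyPath -Encoding utf8
Write-Host "Effective policy saved to $policyPath"

# 2. Dry-run the policy: a system binary should be Allowed, a binary in a
#    user-writable folder should be Denied. The Downloads path is an assumed test file.
$samples = @(
    "$env:windir\System32\notepad.exe",                 # expected: Allowed
    "$env:USERPROFILE\Downloads\unapproved-tool.exe"    # assumed test file; expected: Denied
)
foreach ($path in $samples) {
    if (Test-Path $path) {
        # -User evaluates the rules for a standard user rather than the admin running this script
        Test-AppLockerPolicy -XmlPolicy $policyPath -Path $path -User 'Everyone' |
            Select-Object FilePath, PolicyDecision, MatchingRule
    } else {
        Write-Warning "Sample not present, skipping: $path"
    }
}

# 3. Summarise execution events from the last 7 days.
#    EXE and DLL log: 8002 = allowed, 8003 = audit-only (would have been blocked), 8004 = blocked.
#    MSI and Script log: 8005 / 8006 / 8007 for the same three outcomes.
$since  = (Get-Date).AddDays(-7)
$logs   = @('Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script')
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
}
$events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Sort-Object EventId

# Blocked and audit-only events, one line per file. A non-empty audit-only list (8003/8006)
# means the policy is still in audit mode and is not yet preventing anything.
$events | Where-Object { $_.Id -in 8003, 8004, 8006, 8007 } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            File    = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

Keep the exported XML, the `Test-AppLockerPolicy` output and the event summary together with the date they were produced; that bundle is the "evidence that it is working" the assessment asks for. For Maturity Level Three the same events also need to be forwarded to a central store the workstation admin cannot alter, which this script does not do.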
Patching Timelines Tightened
Patch management requirements have been refined with clearer timelines for addressing vulnerabilities. The maturity model distinguishes between vulnerabilities in internet-facing services, where patches must be applied within specific timeframes based on severity, and vulnerabilities in other applications and operating systems.
At Maturity Level One, patches for vulnerabilities in internet-facing services should be applied within two weeks of release, or within 48 hours if an exploit exists. At Maturity Level Two, the general patching window tightens and organisations must use automated asset discovery to ensure nothing is missed. Maturity Level Three requires patching of critical vulnerabilities within 48 hours across all systems.
This is particularly significant for SMBs running legacy applications or appliances that are slow to receive vendor patches. If you are running software that a vendor has stopped patching, the maturity model expects you to mitigate the risk through other controls or decommission the system.
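To turn the timelines into something you can act on weekly, the following PowerShell script is an added example (not from the article or ASD) that computes a Maturity Level One deadline for each vulnerability in a small inventory and flags overdue items. It uses only the windows the article states for internet-facing services (two weeks, or 48 hours where an exploit exists); the article gives no number for other systems, so that window is a parameter (`$OtherWindowDays`, defaulting to an assumed 30 days) that you set to whatever your policy adopts. The inventory rows and the "as of" date are constructed sample data.

```powershell
# Added example: Maturity Level One patch deadlines and overdue report.
# Internet-facing rules are from the article; the non-internet-facing window is an
# assumption you replace with your own policy value.

function Get-PatchDeadline {
    param(
        [Parameter(Mandatory)] [datetime] $ReleaseDate,
        [bool] $InternetFacing,
        [bool] $ExploitExists,
        [int]  $OtherWindowDays = 30   # assumed placeholder; not stated in the article
    )
    if ($InternetFacing -and $ExploitExists) { return $ReleaseDate.AddHours(48) }
    if ($InternetFacing)                     { return $ReleaseDate.AddDays(14) }
    return $ReleaseDate.AddDays($OtherWindowDays)
}

# Constructed sample inventory. In practice this comes from your vulnerability scanner or,
# at Maturity Level Two, from automated asset discovery so nothing is missed.
$inventory = @(
    [pscustomobject]@{ Asset = 'vpn-gw-01';    Component = 'VPN appliance firmware'; InternetFacing = $true;  ExploitExists = $true;  ReleaseDate = '2026-01-10'; Patched = $false }
    [pscustomobject]@{ Asset = 'web-01';       Component = 'Reverse proxy';          InternetFacing = $true;  ExploitExists = $false; ReleaseDate = '2026-01-05'; Patched = $false }
    [pscustomobject]@{ Asset = 'ws-finance-3'; Component = 'Office suite';           InternetFacing = $false; ExploitExists = $false; ReleaseDate = '2026-01-02'; Patched = $true  }
    [pscustomobject]@{ Asset = 'legacy-erp';   Component = 'Unsupported ERP server'; InternetFacing = $false; ExploitExists = $true;  ReleaseDate = $null;        Patched = $false }
)

$now = Get-Date '2026-01-20'   # fixed "as of" date so the sample output is reproducible

$report = foreach ($item in $inventory) {
    if ($null -eq $item.ReleaseDate) {
        # No vendor patch exists: the maturity model expects compensating controls or
        # decommissioning, not an open-ended wait.
        $deadline = $null
        $status   = 'NO PATCH AVAILABLE - mitigate or decommission'
    } else {
        $deadline = Get-PatchDeadline -ReleaseDate ([datetime]$item.ReleaseDate) `
                                      -InternetFacing $item.InternetFacing `
                                      -ExploitExists  $item.ExploitExists
        $status = if ($item.Patched)        { 'Patched' }
                  elseif ($now -gt $deadline) { 'OVERDUE' }
                  else { 'Due in {0:N1} days' -f ($deadline - $now).TotalDays }
    }
    [pscustomobject]@{ Asset = $item.Asset; Component = $item.Component; Deadline = $deadline; Status = $status }
}

$report | Sort-Object Deadline | Format-Table -AutoSize
```

With the sample data, `vpn-gw-01` (exploit available, 48-hour window) and `web-01` (two-week window) both show as overdue on 20 January, while the unsupported ERP server is surfaced as a decision point rather than silently carrying no deadline. Run this against real scanner output on a schedule and the overdue list becomes the agenda for your patching review.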
Macro Restrictions Updated
Microsoft Office macro settings guidance has been updated to reflect both the evolving threat landscape and changes to Microsoft's own default behaviour. Since 2022, Microsoft has been progressively blocking macros from untrusted sources by default in Office applications. The Essential Eight maturity model aligns with and extends this approach.
At Maturity Level One, Microsoft Office macros must be blocked from the internet. At Maturity Level Two, macros must be blocked for users who do not have a demonstrated business requirement. Maturity Level Three requires all macros to be digitally signed by a trusted publisher, with antivirus scanning of macros before execution.
For most SMBs, the practical action is straightforward: unless a specific business process genuinely requires macros, block them organisation-wide using Group Policy or equivalent endpoint management tools.
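Group Policy applies the macro settings by writing values under the Office policy hive, so the quickest way to confirm the policy landed on a given workstation is to read those values back. The following PowerShell script is an added example (not from the article, ASD or Microsoft) that audits the two relevant values for Word, Excel and PowerPoint. It assumes Office 2016/Microsoft 365 Apps (policy hive version 16.0) and per-user policy under `HKCU\Software\Policies`; adjust both if your deployment differs.

```powershell
# Added example: audit Office macro policy values written by Group Policy.
# Assumes Office 16.0 policy hive and user-scoped policy (HKCU).

$apps = 'Word', 'Excel', 'PowerPoint'
$hive = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPosture {
    param([string] $App)
    $key   = Join-Path $hive "$App\Security"
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    # blockcontentexecutionfrominternet = 1 : macros in files marked as from the internet are blocked
    # (the Maturity Level One requirement; also Microsoft's default since 2022, but policy makes it explicit).
    $blockInternet = $props.blockcontentexecutionfrominternet
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    #              3 = disable except digitally signed, 4 = disable without notification.
    $vbaWarnings   = $props.VBAWarnings

    [pscustomobject]@{
        App               = $App
        PolicyKeyPresent  = [bool]$props
        BlockFromInternet = ($blockInternet -eq 1)
        VBAWarnings       = $vbaWarnings
        MeetsML1          = ($blockInternet -eq 1)
        BlockedOrgWide    = ($vbaWarnings -eq 4)   # the article's recommended posture for most SMBs
        SignedOnly        = ($vbaWarnings -eq 3)   # the Maturity Level Three "trusted publisher" posture
    }
}

$apps | ForEach-Object { Get-MacroPosture -App $_ } | Format-Table -AutoSize

# To apply the organisation-wide block on a standalone test machine without GPO, uncomment below.
# On a domain-joined machine Group Policy remains authoritative and will reassert its own values
# at the next refresh, which is the behaviour you want.
# foreach ($app in $apps) {
#     $key = Join-Path $hive "$app\Security"
#     New-Item -Path $key -Force | Out-Null
#     Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
#     Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
# }
```

A row with `PolicyKeyPresent` false means the user is running on Office defaults rather than policy, which is exactly the state an assessor will ask you to explain. If a team genuinely needs macros, `VBAWarnings = 3` with a trusted publisher certificate is the documented exception path rather than re-enabling macros for everyone.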
Multi-Factor Authentication Expansion
MFA requirements have been clarified and expanded across all maturity levels. The maturity model now provides more specific guidance on what constitutes acceptable MFA, distinguishing between phishing-resistant methods (such as FIDO2 security keys and passkeys) and weaker methods (such as SMS-based OTP).
At Maturity Level One, MFA is required for all users when accessing internet-facing services and when authenticating to privileged accounts. Maturity Level Two requires MFA for all users on all services. Maturity Level Three mandates phishing-resistant MFA for all authentication events.
The FIDO Alliance reports growing enterprise adoption of passkeys, and major platform vendors including Apple, Google, and Microsoft have accelerated passkey support as a phishing-resistant replacement for password-only authentication. This aligns directly with the Essential Eight's direction of travel on MFA.
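For a Microsoft 365 tenant, the registration-details report in Microsoft Graph lists every user's registered authentication methods, which lets you see who is covered by the Maturity Level One privileged-account requirement and how far you are from phishing-resistant MFA across the board. The following PowerShell script is an added example (not from the article, ASD or Microsoft) using the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph.Reports` module is installed and that the signed-in account holds the `AuditLog.Read.All` and `UserAuthenticationMethod.Read.All` permissions this report requires; the grouping of method names into phishing-resistant and weak is the article's distinction applied by us, not a Microsoft classification.

```powershell
# Added example: MFA registration and strength report via Microsoft Graph.
# Assumes Microsoft.Graph.Reports is installed and the caller has AuditLog.Read.All and
# UserAuthenticationMethod.Read.All. Method names are as they appear in MethodsRegistered.

# Our grouping of methods (assumption based on the article's phishing-resistant vs weaker split).
$phishingResistant = 'fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator'
$weak              = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email'   # SMS, voice and e-mail codes

function Get-MfaStrength {
    param([string[]] $Methods)
    if (-not $Methods -or $Methods.Count -eq 0)                { return 'None' }
    if ($Methods | Where-Object { $_ -in $phishingResistant }) { return 'PhishingResistant' }
    if ($Methods | Where-Object { $_ -notin $weak })           { return 'Standard' }   # e.g. authenticator push or TOTP
    return 'WeakOnly'
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object {
        [pscustomobject]@{
            User          = $_.UserPrincipalName
            IsAdmin       = $_.IsAdmin
            MfaRegistered = $_.IsMfaRegistered
            Strength      = Get-MfaStrength -Methods $_.MethodsRegistered
            Methods       = ($_.MethodsRegistered -join ', ')
        }
    }

# Maturity Level One: privileged accounts must use MFA, so admins with nothing registered are the first gap.
"--- Admins with no MFA registered ---"
$report | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered } | Format-Table -AutoSize

# Direction of travel towards Maturity Level Three: how many users have a phishing-resistant method?
"--- Strength distribution ---"
$report | Group-Object Strength | Select-Object Name, Count

"--- Users without a phishing-resistant method (admins first) ---"
$report | Where-Object { $_.Strength -ne 'PhishingResistant' } | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Registration is not enforcement: a user can have a method registered and still sign in with a password alone if no Conditional Access policy or security default requires MFA. Pair this report with a review of the Conditional Access policies that apply to the same users, and treat a weak-only admin account as the first item to fix.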
Why Australian SMBs Are Disproportionately at Risk
The ACSC Annual Cyber Threat Report has consistently identified ransomware as the most destructive cybercrime threat to Australian organisations. Small and medium businesses remain disproportionately targeted for several reasons.
First, SMBs generally have fewer dedicated security resources. The Australian Bureau of Statistics reports that approximately 97 per cent of Australian businesses are small businesses (fewer than 20 employees), and most do not have a dedicated cybersecurity role. Security is typically handled by an IT generalist or outsourced to a managed service provider, neither of which guarantees Essential Eight alignment.
Second, SMBs are increasingly part of supply chains serving larger organisations and government agencies. A compromise at the SMB level can provide attackers with a pathway into larger targets. The Protective Security Policy Framework (PSPF) now references Essential Eight as a baseline for government suppliers, meaning SMBs in government supply chains may find compliance is not optional.
Third, the OAIC has been increasingly active in enforcement following significant data breaches. The Office has pursued civil penalty proceedings against organisations for failing to take reasonable steps to protect personal information under the Privacy Act 1988. Having Essential Eight controls in place — and being able to demonstrate them — strengthens your position in any regulatory inquiry.
Practical Steps to Get Started
If your organisation has not yet assessed its Essential Eight posture, the good news is that most SMBs can reach Maturity Level One without expensive tools or specialist consultants. Here is a practical approach.
Step 1: Run a Baseline Assessment
Before you can improve, you need to know where you stand. Go through each of the eight strategies and document your current state against the Maturity Level One requirements. Be honest — the goal is not to pass a test, it is to identify your gaps.
For each strategy, ask: do we have this control in place? Is it configured correctly? Do we have evidence that it is working? Can we demonstrate it to a third party?
Step 2: Prioritise Based on Risk
Not all gaps are equally dangerous. If you have no MFA on internet-facing services, that is a higher priority than refining your application control rules. If you have no tested backups, that is more urgent than configuring macro restrictions.
A sensible prioritisation for most SMBs is: MFA first, then patching, then backups, then administrative privileges, then application control, then macros, then user application hardening.
Step 3: Implement Maturity Level One Controls
Maturity Level One represents the baseline — the minimum set of controls that any organisation should have. For most of the eight strategies, Maturity Level One can be achieved using built-in features of Windows, Microsoft 365, and standard enterprise tools.
For example, MFA can be enabled through Microsoft 365 at no additional cost. Application control can be configured using Windows Defender Application Control or AppLocker. Macro restrictions can be set through Group Policy. Regular backups can be automated using existing cloud storage or backup tools.
Step 4: Document Everything
Documentation serves two purposes. First, it ensures your team understands what controls are in place and how to maintain them. Second, it provides evidence for regulatory inquiries, client audits, and insurance applications.
At minimum, you should document: what controls are implemented, how they are configured, who is responsible for maintaining them, and when they were last reviewed.
Step 5: Test and Review Regularly
A control that is configured but never tested is a control that may not work when you need it. Test your backups by performing a restore. Test your application control by attempting to run an unapproved application. Test your MFA by verifying it is enforced for all required accounts.
Review your Essential Eight posture at least quarterly, and after any significant change to your environment.
Government Suppliers: Essential Eight Is Becoming Mandatory
If your business supplies goods or services to Australian Government agencies, Essential Eight compliance is increasingly a contractual requirement. The Protective Security Policy Framework (PSPF) references Essential Eight as a baseline, and individual agencies may specify particular maturity levels in their procurement requirements.
The Department of Home Affairs has been progressively strengthening cybersecurity requirements for government contractors, particularly those handling sensitive or classified information. Even if your current contracts do not explicitly require Essential Eight compliance, demonstrating a structured approach to these controls positions your business for future opportunities.
For SMBs in government supply chains, a practical approach is to achieve Maturity Level One across all eight strategies and document your roadmap to Maturity Level Two. This provides evidence of both current compliance and continuous improvement.
Privacy Act Reforms: What Is Coming
The Australian Government has been progressing reforms to the Privacy Act 1988, following the Attorney-General's Department review. Proposed changes include expanded definitions of personal information, new individual rights, a statutory tort for serious privacy invasions, and a children's privacy code.
These reforms, when enacted, will raise the bar for what constitutes reasonable security measures. Organisations that can demonstrate Essential Eight compliance will be in a stronger position to meet these new obligations. Those that cannot may face increased regulatory risk.
The Notifiable Data Breaches scheme, which requires organisations to assess and report eligible breaches to the OAIC, continues to be actively enforced. Having Essential Eight controls in place reduces both the likelihood of a reportable breach and the severity of regulatory consequences if one occurs.
APRA CPS 230: Financial Services Impact
APRA's Prudential Standard CPS 230 on Operational Risk Management, which took effect on 1 July 2025, requires APRA-regulated entities to manage operational risks including technology and cyber risks. If your SMB provides services to banks, insurers, or superannuation funds, you may be impacted as a material service provider.
CPS 230 does not specifically mandate the Essential Eight, but it does require demonstrable risk management of technology and cyber threats. The Essential Eight provides a recognised framework for meeting these obligations, and APRA-regulated entities are likely to expect their service providers to align with it.
Frequently Asked Questions
The Strategies to Mitigate Cyber Security Incidents is a broader list of 37 strategies published by the ASD. The Essential Eight is a prioritised subset of eight strategies selected for their effectiveness in mitigating the majority of cyber threats. Organisations should start with the Essential Eight and then consider additional strategies based on their specific risk profile.
No. Essential Eight compliance is mandatory for Australian Government entities under the PSPF, but it is not a legal requirement for private sector businesses. However, it is increasingly expected by government clients, regulators, and cyber insurance providers. The OAIC has cited inadequate security controls in enforcement actions, and the Essential Eight represents a recognised standard of reasonable measures.
For a typical SMB with 10 to 50 employees, achieving Maturity Level One across all eight strategies can take four to eight weeks of focused effort. The timeline depends on your starting point, the complexity of your IT environment, and whether you have existing tools in place. Most of the controls can be implemented using built-in features of Windows and Microsoft 365.
Not necessarily. Many SMBs can achieve Maturity Level One using self-assessment tools and implementation guides. A consultant is helpful for Maturity Level Two and above, or if you need an independent assessment for a client or regulatory requirement. For Maturity Level One, a structured assessment template and implementation guide can save you thousands in consulting fees.
The ASD recommends regular reassessment, and best practice for most organisations is to review Essential Eight posture at least annually. However, you should also reassess after any significant change to your IT environment, a security incident, or when the ASD publishes updated guidance.
If your organisation suffers a data breach and the OAIC investigates, they will assess whether you took reasonable steps to protect personal information. Not having Essential Eight controls in place — particularly basic controls like MFA, patching, and backups — weakens your position significantly. The OAIC has pursued civil penalty proceedings against organisations with inadequate security measures, and penalties under the Privacy Act can reach up to $50 million for serious or repeated breaches.
Yes. The Essential Eight applies regardless of whether your infrastructure is on-premises, cloud-based, or hybrid. For cloud environments, the implementation may look different — for example, MFA is configured through your identity provider rather than Active Directory — but the principles and maturity level requirements remain the same. The ASD provides supplementary guidance for cloud-specific implementations.
Take the First Step Today
Knowing where you stand against the Essential Eight is the single most valuable action you can take for your organisation's cybersecurity posture. A structured baseline assessment turns abstract risk into concrete, actionable gaps.
The Security Checklist Bundle includes 50+ critical security checkpoints aligned to the Essential Eight, an implementation guide for each strategy, and vendor risk assessment templates — everything you need to assess your current posture and start closing gaps today.
If you need the full Australian compliance picture, including Essential Eight assessment tools, Privacy Act alignment, and OAIC notification templates, the AU Compliance Bundle provides a complete framework built specifically for Australian SMBs.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →