The Essential Eight is being retired: here's what's changing, and why your baselines shouldn't skip a beat

3 min read
Jul 13, 2026 1:48:38 PM

The Essential Eight is being retired: here's what's changing, why it's happening, and why none of it should catch you off guard 

If the Essential Eight has been the backbone of your security conversations with clients, some news out of Canberra is worth your attention. The Australian Signals Directorate (ASD) has confirmed it will retire the Essential Eight over the next two years, replacing it with a broader, more modern framework. As reported by IT News, this isn't a tweak. It's a major shift in how Australia's flagship cyber guidance for Enterprise and SMB is structured. 

Here's what's actually changing, why it's happening, and why, if you manage your baselines the right way, none of it should catch you off guard.

What ASD announced

The Essential Eight will be replaced by a new "Essentials" series. Rather than a single list of eight controls, the Essentials will treat different technology environments as distinct security domains, starting with enterprise IT, followed by operational technology (OT) and cloud, with agentic AI flagged as a possible future chapter of its own.

The transition is deliberate and gradual. According to the Assured Cybersecurity Security Consultancy (ACSC)'s head of cyber security resilience, Chris Horlyck, the Essential Eight and the Essentials will both run as live documents through a transition period. ASD then expects to begin deprecating the Essential Eight at roughly the 12-month mark, and to retire it entirely at around 24 months. Consultation on the first chapter, Essentials for enterprise IT, has already opened, with initial feedback via the ACSC Partner Portal finishing in mid-July 2026. 

Why it's changing

The reasoning behind this change is one that will be no surprise to any of us: the Essential Eight is old and needs to be retired. The Essential Eight was first published in 2017 (evolving from ASD's Top Four in 2012), and it was designed for on-premises enterprise IT at a time when cloud adoption was still in its infancy. Its controls don't translate cleanly into the SMB space and can be hard for MSPs to adopt and implement with its on premise and enterprise approach. It also doesn’t scale well to cloud-based technologies which, in 2026, is where most organisations actually live. 

A few themes stand out from ASD's rationale: 

  • Outcomes over prescription: The Essentials shift emphasis from prescriptive controls tied to specific technologies and move them more towards outcomes and intent, giving organisations more flexibility to meet the guidance with whatever tooling fits their environment. 
  • Cloud gets its own chapter: Cloud now offers controls that simply don't exist in the on-premise world, and separating it out lets ASD give clearer guidance on what shared responsibility with a provider actually looks like in practice. 
  • The 'moved goalposts' problem: ASD acknowledged a long-standing complaint: maturity requirements have shifted under organisations' feet as new threat vectors were absorbed into existing maturity levels. This created the impression of going backwards without any real change in posture. The Essentials aim to fix this by decoupling threat-informed controls from a fixed maturity ladder. 
  • Defence in depth: The series draws heavily on ASD's Modern Defensible Architecture work, prioritising protection of "crown jewels" over a thin perimeter around IT. 

What this means for organisations: don't panic

The most important message for anyone who has invested in Essential Eight services is that it hasn’t been wasted. 
The fundamentals, multi-factor authentication, patching applications and operating systems, restricting administrative privileges, application control, hardening, restricting Office macros, and regular backups, aren't going anywhere. They're being re-framed and extended, not discarded. And crucially, the Essential Eight stays live throughout the transition, so there's no cliff edge. The task ahead for MSPs isn’t the need to throw away all you’ve done but transition across to the new Essentials Series as it becomes relevant. 

Where inforcer fits

This is exactly the kind of change our platform is built to absorb, and it's where the value of managing baselines properly, rather than manually, becomes obvious. 

At inforcer, our Essential Eight baselines are maintained, not static. We keep them aligned with ASD's guidance, so that when maturity requirements shift, the very "moving goalposts" ASD has now acknowledged, your baselines move with them across every tenant - without a manual scramble.

As the Essentials changes roll out, we'll adapt in step. Enterprise IT, cloud, AI: as each becomes formal guidance, our baselines and best-practice policies will evolve to reflect it, so you're never left interpreting a new framework alone or waiting to catch up.

And where a framework leaves gaps, as every framework inevitably does, we go further. inforcer continues to provide best-practice policies that fill the space between standard and genuinely strong security. This means that your clients aren't just compliant on paper, but actually well defended. That's especially important during a two-year transition where two frameworks run side by side and the guidance itself is still settling. 

nathan atkins circle
Nathan Atkins
Head of Cloud Enablement - ANZ
false