If the Essential Eight has been the backbone of your security conversations with clients, some news out of Canberra is worth your attention. The Australian Signals Directorate (ASD) has confirmed it will retire the Essential Eight over the next two years, replacing it with a broader, more modern framework. As reported by IT News, this isn't a tweak. It's a major shift in how Australia's flagship cyber guidance for Enterprise and SMB is structured.
Here's what's actually changing, why it's happening, and why, if you manage your baselines the right way, none of it should catch you off guard.
The Essential Eight will be replaced by a new "Essentials" series. Rather than a single list of eight controls, the Essentials will treat different technology environments as distinct security domains, starting with enterprise IT, followed by operational technology (OT) and cloud, with agentic AI flagged as a possible future chapter of its own.
The transition is deliberate and gradual. According to the Assured Cybersecurity Security Consultancy (ACSC)'s head of cyber security resilience, Chris Horlyck, the Essential Eight and the Essentials will both run as live documents through a transition period. ASD then expects to begin deprecating the Essential Eight at roughly the 12-month mark, and to retire it entirely at around 24 months. Consultation on the first chapter, Essentials for enterprise IT, has already opened, with initial feedback via the ACSC Partner Portal finishing in mid-July 2026.
The reasoning behind this change is one that will be no surprise to any of us: the Essential Eight is old and needs to be retired. The Essential Eight was first published in 2017 (evolving from ASD's Top Four in 2012), and it was designed for on-premises enterprise IT at a time when cloud adoption was still in its infancy. Its controls don't translate cleanly into the SMB space and can be hard for MSPs to adopt and implement with its on premise and enterprise approach. It also doesn’t scale well to cloud-based technologies which, in 2026, is where most organisations actually live.
A few themes stand out from ASD's rationale:
The most important message for anyone who has invested in Essential Eight services is that it hasn’t been wasted.
The fundamentals, multi-factor authentication, patching applications and operating systems, restricting administrative privileges, application control, hardening, restricting Office macros, and regular backups, aren't going anywhere. They're being re-framed and extended, not discarded. And crucially, the Essential Eight stays live throughout the transition, so there's no cliff edge. The task ahead for MSPs isn’t the need to throw away all you’ve done but transition across to the new Essentials Series as it becomes relevant.
This is exactly the kind of change our platform is built to absorb, and it's where the value of managing baselines properly, rather than manually, becomes obvious.
At inforcer, our Essential Eight baselines are maintained, not static. We keep them aligned with ASD's guidance, so that when maturity requirements shift, the very "moving goalposts" ASD has now acknowledged, your baselines move with them across every tenant - without a manual scramble.
As the Essentials changes roll out, we'll adapt in step. Enterprise IT, cloud, AI: as each becomes formal guidance, our baselines and best-practice policies will evolve to reflect it, so you're never left interpreting a new framework alone or waiting to catch up.
And where a framework leaves gaps, as every framework inevitably does, we go further. inforcer continues to provide best-practice policies that fill the space between standard and genuinely strong security. This means that your clients aren't just compliant on paper, but actually well defended. That's especially important during a two-year transition where two frameworks run side by side and the guidance itself is still settling.