If your business had an Essential Eight assessment done in 2023 or 2024, there's a reasonable chance it no longer reflects your actual security posture. Not because your environment has changed (though it probably has), but because the way the framework is being interpreted and assessed has shifted significantly.
The eight controls themselves haven't changed. Application control, patching applications, restricting Microsoft Office macros, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups — they're the same strategies the Australian Signals Directorate (ASD) has recommended since 2017.
What has changed is how organisations are expected to prove they're actually implementing them.
From checkbox to evidence
The biggest shift heading into 2026 is the move from self-assessed maturity to evidence-based maturity. The ACSC is pushing organisations to stop claiming maturity levels based on assumptions and start demonstrating them with real operational evidence.
For example, saying "we patch within 48 hours" is no longer sufficient. Assessors and auditors now expect to see automated patch deployment logs showing actual deployment timelines, documented exceptions for systems that couldn't be patched within the required timeframe, and evidence that vulnerability scanners are running regularly and that identified vulnerabilities are being tracked through to remediation.
This is a meaningful change for mid-market businesses in particular. Many organisations self-assessed at Maturity Level 1 or 2 based on what they believed was happening, without actually validating it against the maturity model's specific requirements.
What the ACSC is focusing on in 2026
Based on updated guidance and what we're seeing in real assessments, here are the areas getting the most scrutiny:
Faster patching timelines. The expectation for patching internet-facing services and applications with known exploits is tightening. At Maturity Level 1, patches for vulnerabilities in internet-facing services should be applied within two weeks. At ML2, that drops to 48 hours for exploited vulnerabilities. Many businesses we assess are surprised by how short these windows actually are.
Universal MFA. Multi-factor authentication needs to cover more than just user logins. The ACSC expects MFA on all internet-facing services, privileged accounts, and increasingly on non-user accounts like service accounts with elevated access. At ML2 and above, phishing-resistant MFA methods (such as FIDO2 security keys or certificate-based authentication) are expected instead of SMS or basic push notifications.
Application control beyond the basics. Organisations can no longer claim compliance if application allowlisting only covers a handful of systems. The expectation is that application control is enforced across all workstations and servers, with proper logging to prove it's working.
Backup verification. Having backups isn't enough — you need to prove they work. Assessors want evidence of tested restoration processes. Backups should be stored offline or in an immutable format to protect against ransomware, and restoration testing should be documented.
Admin privilege restrictions in cloud. With more organisations using Microsoft 365 and Azure, the ACSC has explicitly called out cloud services in the admin privilege controls. You need to demonstrate that privileged access to cloud platforms is restricted, time-limited, and audited — not just on-premises Active Directory.
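As an added example (not from the article, ASD or any assessment tool), the Python below turns a constructed patch-management export into the kind of per-system evidence described above: each record is judged against the ML1 two-week and ML2 48-hour windows as the article states them, unpatched systems are marked pending or overdue rather than ignored, and documented exceptions are recorded instead of silently counting as failures. The log format, the field names and the mapping of the two windows onto the internet_facing and exploited flags are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Required windows as the article states them (assumed mapping onto log fields):
# ML1: internet-facing services patched within two weeks of the fix being released;
# ML2: exploited vulnerabilities patched within 48 hours.
WINDOWS = {"ML1": timedelta(days=14), "ML2": timedelta(hours=48)}

# Constructed sample export from a patch-management tool, not real data.
# Columns: host,cve,internet_facing,exploited,fix_released,deployed ('' = not yet)
SAMPLE_LOG = """\
web01,CVE-0000-0001,yes,yes,2025-03-01T09:00,2025-03-02T20:00
web02,CVE-0000-0001,yes,yes,2025-03-01T09:00,2025-03-05T11:00
fs01,CVE-0000-0002,no,no,2025-03-03T00:00,2025-03-20T08:00
vpn01,CVE-0000-0003,yes,no,2025-03-10T12:00,
"""

@dataclass
class PatchRecord:
    host: str
    cve: str
    internet_facing: bool
    exploited: bool
    released: datetime            # when the vendor fix became available
    deployed: Optional[datetime]  # None = still unpatched

def parse_log(text: str) -> list:
    """Parse the CSV-style export into PatchRecord objects."""
    recs = []
    for line in text.strip().splitlines():
        host, cve, inet, expl, rel, dep = line.split(",")
        recs.append(PatchRecord(host, cve, inet == "yes", expl == "yes",
                                datetime.fromisoformat(rel),
                                datetime.fromisoformat(dep) if dep else None))
    return recs

def in_scope(rec: PatchRecord, level: str) -> bool:
    """ML1 rule covers internet-facing systems; ML2 rule covers exploited CVEs."""
    return rec.internet_facing if level == "ML1" else rec.exploited

def evaluate(recs, level: str, now: datetime, exceptions=frozenset()) -> dict:
    """Map (host, cve) -> 'met', 'late', 'overdue', 'pending' or 'exception'.
    'exceptions' holds (host, cve) pairs with a documented, approved exception."""
    out = {}
    for r in recs:
        if not in_scope(r, level):
            continue
        key, deadline = (r.host, r.cve), r.released + WINDOWS[level]
        if key in exceptions:
            out[key] = "exception"
        elif r.deployed is None:
            out[key] = "overdue" if now > deadline else "pending"
        else:
            out[key] = "met" if r.deployed <= deadline else "late"
    return out
```

Anything reported as late or overdue without a matching exception is exactly the gap an assessor will ask about, so the output doubles as the remediation tracking list the article expects.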
The end-of-life problem
One of the most common compliance failures we find in real assessments is end-of-life operating systems. The Essential Eight is explicit: unsupported operating systems should not be used. Yet we regularly encounter Windows Server 2012 and 2012 R2 (out of support since October 2023), Windows Server 2008 R2 (out of support since January 2020), and older Linux distributions like Ubuntu 16.04 still running in production environments.
These systems can't receive security patches, which means they're an automatic failure against the "Patch Operating Systems" control, regardless of how well you're doing everything else. Remember — your overall maturity is determined by your weakest control.
What this means for your business
If you're an Australian business — particularly one that handles customer data, works with government, or needs cyber insurance — here's what we'd recommend:
Get a fresh assessment. If your last E8 assessment was done before the November 2023 updates, it's worth redoing. The maturity model requirements have been refined, and what counted as ML1 in 2022 might not pass today.
Collect evidence, not just compliance. Start documenting your patch timelines, MFA coverage, backup test results, and application control logs now. If you can't prove it, it didn't happen — that's the 2026 mindset.
Deal with end-of-life systems. If you have unsupported operating systems in your environment, make decommissioning or upgrading them a priority. They're the single easiest finding for an assessor to flag, and they drag your entire maturity level down.
Don't treat it as a one-off project. Essential Eight compliance isn't something you achieve and forget about. It requires ongoing monitoring, regular patching, periodic reassessment, and continuous improvement. Treat it as part of your normal operations, not a once-a-year audit.
The bottom line
The Essential Eight isn't changing in 2026 — but the bar for proving you comply is. Organisations that treat it as a genuine operational standard rather than a compliance exercise will be better protected, better positioned for cyber insurance, and better prepared if (when) something goes wrong.
The average cost of a cybercrime incident for an Australian small business rose 14% to $56,600 in the 2024–25 financial year, according to the ASD's Annual Cyber Threat Report. The controls in the Essential Eight exist specifically to prevent the kinds of attacks that drive those numbers. The question isn't whether you can afford to implement them — it's whether you can afford not to.