The Essential Eight maturity levels are not changing on 1 July 2026. The bigger change is broader. ASD is evolving the Essential Eight into a new Essentials series, starting with a first chapter called Essentials for enterprise IT. Consultation runs until 12 July 2026, so nothing new is mandatory yet and the current maturity model still applies.
Is the Essential Eight changing in 2026?
Yes, but not in the way most search results suggest. There is no scheduled change to the Essential Eight maturity levels on 1 July 2026. What is underway is larger and slower. ASD has opened a consultation on evolving the Essential Eight into a broader Essentials series. Until that work is published, the current Essential Eight and its maturity levels stay in force, and any assessment you hold against them is still valid. If you saw a 1 July date, it is easy to confuse with the consultation window, which closes on 12 July 2026.
What is the new Essentials series?
ASD describes the Essentials series as a way to give organisations more flexibility in how they reach strong cyber resilience, while keeping a clear path to follow. It is grounded in the Information Security Manual and offers prioritised, threat informed mitigations aimed at current technology environments, with practical tools and implementation guidance. The current Essential Eight becomes the first chapter, Essentials for enterprise IT, and further chapters are expected to follow for other types of environment.
| Aspect | Essential Eight today | Essentials series (proposed) |
|---|---|---|
| Structure | Eight strategies, assessed across maturity levels | A series of chapters, first is Essentials for enterprise IT |
| Basis | Derived from the ISM | Grounded in the ISM, threat informed |
| Scope | Internet connected enterprise IT | Current technology environments, more chapters to follow |
| Status | Current and in force (November 2023 version) | In consultation until 12 July 2026 |
| What to do | Keep meeting your target maturity | Review and give feedback, then reassess when published |
Is the Essential Eight being replaced or scrapped?
No. ASD has been clear that organisations already working to the Essential Eight can expect strong alignment with their existing controls and investments. This is an evolution of guidance, not a teardown. If you have built towards a maturity level, that work carries forward. New adopters will start on the updated guidance once it is published.
What actually changed most recently?
The last substantive change to the model was in November 2023, and it still defines what you are assessed against today. Two points matter most. Multi factor authentication requirements were strengthened so that phishing resistant MFA is expected at a lower maturity level, which affects Maturity Level Two. And where both ASD and vendor hardening guidance exist, you are now expected to apply both, with the stricter requirement taking precedence, which affects Maturity Level Two and Three. If you are unsure where you sit, start with the maturity levels and what the Essential Eight actually covers.
When do the changes take effect, and what should you do now?
Nothing requires action for compliance today. The consultation on Essentials for enterprise IT closes on 12 July 2026, and any published guidance will follow after that. The practical steps now are simple. Keep meeting your target maturity under the current model. Non corporate Commonwealth entities are still expected to reach Maturity Level Two under the Protective Security Policy Framework. If you want a say in the new guidance, you can take part through the ASD Cyber Security Partnership Program. When the Essentials guidance lands, run a fresh gap check against it rather than rebuilding from scratch.
Frequently asked questions
For non corporate Commonwealth entities, yes. They are expected to reach Maturity Level Two under the Protective Security Policy Framework. For the private sector it is not law, but it is widely required in contracts and tenders and treated as the baseline expectation.
Yes. The maturity model has not changed in 2026. Your assessment against the current model still stands until ASD publishes new guidance.
It is the first chapter of ASD’s new Essentials series and an evolution of the current Essential Eight, aimed at enterprise IT environments.
ASD has not set a publication date. Consultation closes on 12 July 2026 and guidance will follow after that.
No. ASD has said existing controls and investments will align strongly with the new guidance. It is an evolution, not a replacement.
Sources:
- ASD, Consultation on the evolution of the Essential Eight, cyber.gov.au, June 2026
- ASD, Essential Eight maturity model changes, cyber.gov.au, November 2023
- ASD, Essential Eight maturity model, cyber.gov.au, 2026
- ASD, Essential Eight explained, cyber.gov.au, November 2023
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Last updated: 21 June 2026