SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Australia replaces Essential Eight with new Essentials

Fri, 3rd Jul 2026
Mark Tarre, News Chief

The Australian Signals Directorate and the Australian Cyber Security Centre have announced a new Essentials series to replace the long-standing Essential Eight cyber security framework, marking a shift in federal guidance for organisations managing cyber risk.

The change follows growing concern that the Essential Eight no longer reflects current technology environments in Australia. Cloud services, software-as-a-service platforms, flexible device policies and AI-enabled tools now sit at the core of many organisations' operations. Security specialists say this has exposed gaps between the framework's controls and the modern threat landscape.

For many businesses, the Essential Eight has served as a de facto baseline for cyber hygiene and a reference point for board oversight. The new Essentials series is expected to reset that baseline. It also comes as regulators and directors intensify scrutiny of cyber resilience after a series of high-profile breaches and disruptions across sectors.

Cornelius Mare, chief information security officer, Australia, at Fortinet, said the earlier framework had become misaligned with operational reality.

"The Essentials series is a welcome update. The previous Essential Eight was showing its age and is no longer the best fit for a 2026 environment characterised by software-as-a-service, cloud, bring-your-own-device, microservices and AI agents. This mismatch affects both its effectiveness against a 2026 threat environment and its return on investment. With so much of the economy made up of small and medium-sized businesses, some enterprise-level controls in the previous Essential Eight are extremely difficult to implement from a cost perspective and hard to use to build operational efficiency. Any controls must remain simple, have business context and be cost-effective, while still providing a realistic view of an organisation's maturity journey," Mare said.

Security leaders have long argued that smaller organisations struggle with complex frameworks that assume large internal security teams and significant budgets. The new approach from ASD and ACSC is expected to place greater emphasis on business context and practicality for a wider range of organisations, including the small and medium-sized enterprises that make up a large part of the economy.

Boards have increased their focus on the Essential Eight in recent years, pushing for audits and maturity assessments as part of broader governance reforms and director education initiatives.

"We have always understood there is no one-size-fits-all approach. However, having clear guidance as a starting point is valuable, particularly when it comes from ASD and can be used by businesses as an authoritative reference. We are seeing more boards requesting Essential Eight audits, driven in part by the Australian Institute of Company Directors' work in promoting cyber maturity. That is strengthening CISO conversations at board level because directors are also hearing this from their peers. However, the reality is that many organisations are still likely using the Essential Eight as a compliance exercise rather than as a proactive, risk- and context-based program to increase maturity and resilience," Mare said.

Global agencies have also warned that artificial intelligence is reshaping cyber risk. Security defenders face more automated and adaptive attacks as adversaries experiment with AI tools and models.

"The Five Eyes cybersecurity agencies' joint statement warning that AI will reshape risk within months reinforces this. If AI-enabled threats are accelerating and response windows are shrinking, baseline controls cannot sit in a static compliance frame," Mare said.

The new Essentials series arrives against this backdrop of rapidly shifting threat dynamics. ASD and ACSC expect organisations to refresh their control sets and reconsider assumptions about what constitutes minimum protection.

"As the threat landscape evolves, so too must the baseline required to protect critical infrastructure. It will be important to define a baseline that supports the safe adoption of emerging technologies and AI, with more context-aware frameworks that help secure critical infrastructure and Australian businesses," Mare said.

Vulnerability management specialist Tenable also backed the decision to move on from the Essential Eight, arguing that the change better reflects how Australian organisations now run technology across different environments and asset types.

"Retiring the Essential Eight is the right call. It was built for an era when most Australian organisations ran on-premises IT, and that world is largely gone. The new Essentials framework reflects where enterprises actually are: operating across cloud environments, operational technology and, increasingly, AI agents. For organisations that have heavily invested in Essential Eight compliance, that work is not wasted. But the transition period should be used actively, not merely as a waiting room. Organisations that use the next 24 months to assess their exposure across those domains will be considerably better placed when the Essentials framework formally lands. Compliance tells you where you stand against a standard. The question the new framework is really asking is whether you understand where you are exposed," said Ben Mudie, field CTO, Asia Pacific and Japan, at Tenable.