ASD Framework Update · Thought Leadership · Published 1 July 2026
ASD has officially announced it will retire the Essential Eight within two years and replace it with a new modular framework called the Essentials series. Chapter 1 — Essentials for enterprise IT — is currently in public consultation until 12 July 2026. This page covers what's changing, what's staying the same, the transition timeline, and what your organisation should do now.
Section 1
ASD (Australian Signals Directorate) has officially announced that the Essential Eight will be retired within two years. In its place, ASD is publishing a new modular framework called the Essentials series. This is not a minor update — it is a deliberate architectural shift in how ASD approaches cyber security guidance for Australian organisations.
The first chapter of the new series — Essentials for enterprise IT — is currently in public consultation. The consultation period closes 12 July 2026. Registered organisations and industry stakeholders can submit responses via the ACSC Partner Portal at partners.cyber.gov.au.
ASD's rationale for the change is straightforward: the threat landscape has evolved significantly since the Essential Eight was designed, and the original framework's prescriptive, Windows-centric design does not translate well to modern environments that include cloud-native workloads, operational technology (OT), and emerging AI-driven systems. The Essential Eight was built around specific Microsoft technologies and specific threat vectors of its era. The Essentials series is designed to remain relevant as technology continues to change.
The key message from ASD on compatibility is clear: existing Essential Eight investments and programmes map across to the Essentials series. The underlying security controls remain largely the same. Nothing done in pursuit of Essential Eight compliance is wasted. Organisations mid-programme should continue.
Note on consultation status
The Essentials for enterprise IT chapter is in public consultation as of 1 July 2026, closing 12 July 2026. The final framework has not yet been published. This page describes what ASD has officially announced and the publicly available consultation draft. We do not state specifics about final control requirements as though they are confirmed — they are not yet finalised.
Section 2
The Essentials series is a multi-chapter framework. Rather than a single monolithic set of controls, it organises guidance into domain-specific chapters, each targeting a distinct technology environment. This modular design is what allows the framework to stay current as new technology categories emerge.
This is the closest equivalent to the current Essential Eight. It covers enterprise IT environments — the corporate workstations, servers, and identity infrastructure that the Essential Eight was originally designed to protect. Consultation closes 12 July 2026. Final publication expected late 2026.
The key shift: instead of prescribing specific controls (e.g., "restrict Microsoft Office macros"), the chapter describes the outcome — what the organisation needs to achieve — and gives organisations flexibility in how they achieve it. This matters for organisations running non-Microsoft endpoint management, Linux fleets, or mixed environments where M365-specific guidance was previously a poor fit.
The Essential Eight was never designed for operational technology environments — SCADA systems, industrial control systems, building management systems, and the operational infrastructure that underpins Australian critical infrastructure. Chapter 2 will address OT environments specifically, recognising that the threat landscape and available controls are fundamentally different from enterprise IT.
For SOCI Act operators and critical infrastructure providers who have long struggled to apply Essential Eight controls to OT systems, this chapter represents a significant improvement. Patching SCADA systems on a 14-day cycle, or applying application control to industrial controllers, is often operationally impossible. Chapter 2 is expected to reflect OT-specific realities.
Cloud-native environments — workloads running in AWS, Azure, GCP, and SaaS platforms — have a different security model from traditional enterprise IT. The Essential Eight's controls were largely written for on-premises or hybrid Microsoft environments. Chapter 3 will address the cloud security outcomes that ASD considers essential for organisations that have migrated significant workloads to cloud platforms.
Cloud environments have different patching models (provider-managed vs. customer-managed), different identity models (service accounts, workload identities, IAM roles), and different backup paradigms. Outcomes-based guidance is better suited to this diversity than the prescriptive approach of the Essential Eight.
ASD has flagged an agentic AI chapter as a likely future addition to the Essentials series. As organisations deploy AI agents, LLM-powered systems, and automated decision-making tools in production, a new category of security outcomes will be needed. The modular chapter structure means ASD can publish AI-specific guidance without rearchitecting the entire framework.
No timeline has been confirmed for the AI chapter. It reflects ASD's intention to make the framework future-proof rather than a commitment to a specific delivery date.
ASD has published four explicit design attributes that characterise the Essentials series and distinguish it from the Essential Eight.
The framework is outcomes-based and technology-agnostic. Organisations choose the tools and implementations that fit their environment, as long as they achieve the required security outcome. This removes the implicit Microsoft-only bias of the Essential Eight and accommodates the full diversity of Australian IT environments.
Like the Essential Eight before it, the Essentials series is grounded in the current Australian threat landscape and the ISM (Information Security Manual). Controls are not theoretical — they address the techniques that adversaries are actually using against Australian targets today.
Existing Essential Eight investments map across. This is ASD's direct commitment to organisations mid-programme: your work carries forward. The controls themselves are not being discarded — the way they are expressed and assessed is changing. Nothing is wasted.
The modular chapter structure allows ASD to publish new guidance as technology evolves — OT, cloud, AI — without requiring a complete framework rewrite. As new environments become security-critical, new chapters can be added. The framework grows with the threat landscape.
Section 3
The transition will unfold over approximately two years from ASD's announcement. During that window, both frameworks will be live simultaneously. Here is what we know and what is still to be determined.
Public consultation closes
The consultation period for Essentials for enterprise IT (Chapter 1) closes. Submissions via the ACSC Partner Portal at partners.cyber.gov.au. After this date, ASD will review submissions and incorporate feedback into the final publication.
Essentials series published (expected)
ASD expected to publish the final Essentials for enterprise IT chapter. Procurement panels, insurers, and regulatory bodies will begin reviewing their requirements and planning updates. Both the Essential Eight and the Essentials series will be live simultaneously from this point.
Essential Eight deprecation begins (approximate)
Approximately 12 months after ASD's retirement announcement, the Essential Eight begins active deprecation. Procurement panels and regulators are expected to start updating their requirements during this window. Essential Eight references in contracts will need to be reviewed and updated over time.
Essential Eight fully retired (approximate)
Approximately 24 months after the announcement, the Essential Eight is fully retired. By this point, procurement panels and regulators should have updated their requirements to reference the Essentials series. Organisations will need Essentials series compliance documentation rather than Essential Eight evidence packs.
For approximately two years from the announcement, organisations need to be aware of both the Essential Eight (still required by existing procurement contracts, PSPF obligations, and insurer requirements that reference it) and the Essentials series (the emerging standard that replacements will be written around). Compliance365 will maintain coverage of both frameworks during the transition and update client documentation accordingly.
Section 4
Understanding what actually changes — and what stays the same — is critical to planning your programme. The shift is more philosophical than technical, but the practical implications are real.
| Dimension | Essential Eight | Essentials for enterprise IT |
|---|---|---|
| Compliance model | Prescriptive — specific controls and specific behaviours required | Outcomes-based — defines the security result, not the implementation |
| Technology scope | Primarily Windows / Microsoft 365-centric; other environments require interpretation | Technology-agnostic; outcomes achievable with any qualifying toolset |
| Maturity model | ML0–ML3 maturity levels with specific criteria at each level | Outcomes-based model; ML0–ML3 may not carry across in the same form (TBC in final guidance) |
| Example — macros | "Restrict Microsoft Office macros" — specific to Microsoft Office product | "Prevent execution of unauthorised macros" — outcome, achievable any way that works |
| OT coverage | Not designed for OT; poor fit; organisations improvise | Separate dedicated Chapter 2 for OT environments |
| Cloud coverage | Partially applicable; cloud-native environments require significant interpretation | Separate dedicated Chapter 3 for cloud environments |
| AI environments | Not addressed | Future chapter flagged; agentic AI guidance planned |
| Core controls | 8 specific strategies (app control, patching, macros, hardening, admin privileges, OS patching, MFA, backups) | Same underlying security outcomes — controls map across; nothing is discarded |
| Procurement impact | Referenced in PSPF, state government panels, insurer requirements | Procurement requirements will update gradually over 2-year transition; E8 references remain active until updated |
The underlying security controls remain largely the same. MFA, patching, application control, privileged access management, and backups are as relevant under the Essentials series as they are under the Essential Eight. ASD is changing how controls are expressed and assessed — not discarding the security thinking that underpins them. The threat actors exploiting credential theft, unpatched software, and privilege escalation will not stop because the framework changed names.
Section 5
The short answer: continue your programme. Do not stop.
If you have a current Essential Eight ML2 assessment, are mid-programme toward ML2, or have compliance obligations that reference the Essential Eight — none of that changes today. The procurement panels, PSPF requirements, insurer conditions, and enterprise TPRM programmes that require Essential Eight compliance all continue to reference it until they are individually updated. That process will take time and will be communicated by the relevant bodies.
ASD's explicit design attribute of compatibility means your existing implementation maps across to the Essentials series. The controls you have implemented — Conditional Access policies, PIM configuration, application control, patch management, backups — all address the same security outcomes that the Essentials series will require. Your evidence pack may need to be re-mapped to new Essentials criteria once the final guidance is published, but the underlying work is not undone.
Your current ML2 assessment documentation remains valid for any procurement or insurance requirement that references the Essential Eight. Maintain your evidence pack and your continuous monitoring. Do not let controls lapse in anticipation of the new framework — you will need them regardless.
Section 6
This requires nuance. The answer depends on why you need to comply and how urgent your timeline is.
In all of these cases, starting on the Essential Eight now is correct. The controls carry forward to the Essentials series. You will not redo the work. The uplift you do today addresses the same outcomes the new framework will require.
Even in these cases, "waiting" does not mean doing nothing. It means running your security uplift programme now — implementing MFA, patching discipline, privileged access management, and backups — without formally committing to Essential Eight maturity levels. That work will count under both frameworks.
Do not let the transition announcement become a reason to delay security investment. The threat actors are not waiting for the new framework to be published.
Section 7
We are tracking the public consultation closely and have reviewed the Essentials for enterprise IT consultation draft. We will submit to the consultation before 12 July 2026 with practitioner feedback from our work with Australian mid-market and government organisations.
Once the final Essentials series guidance is published, we will:
Clients on ongoing support arrangements do not need to do anything differently right now. Their documentation will be updated as the final guidance is published. Clients who are mid-programme should continue — we will guide the transition when the time comes.
If you have questions about how this affects your specific programme, book a call. We will give you a straight answer based on your environment and compliance drivers.
FAQ
The questions we are most commonly asked about the Essential Eight retirement, the Essentials series transition, and what organisations should do now.
No. ASD has been explicit: Essential Eight investments carry across to the Essentials series. The underlying security controls remain largely the same. If you have procurement drivers, insurance requirements, or government contracts that reference the Essential Eight today, continue your programme — those requirements do not change until regulators and panels update their references, which will happen gradually over the transition period.
Yes, with caveats. ASD has confirmed that existing Essential Eight investments and programmes map across to the Essentials series — the design attribute of 'compatibility' was explicitly included to ensure nothing is wasted. However, how existing ML evidence translates to outcomes-based Essentials assessments will depend on the final published guidance, which is still in consultation as of July 2026. The controls themselves carry across; the exact evidence format may evolve.
This is one of the key open questions while consultation is underway. The Essentials series shifts to an outcomes-based model, which means the ML0–ML3 maturity levels may not carry across in the same form. The final framework will describe security outcomes to achieve rather than specific maturity thresholds, though ASD may retain some form of tiered assessment. We will update this page once the final guidance is published, expected late 2026.
Not until regulators and panel administrators update their requirements — which will happen gradually. The PSPF, state government procurement panels, and enterprise TPRM programmes all reference the Essential Eight by name. These will be updated to reference the Essentials series over the transition period, but procurement panels move slowly. Do not expect an overnight switch. During the transition both frameworks will be live simultaneously, and Essential Eight requirements will remain active for existing procurement contracts.
Outcomes-based compliance means the framework specifies what security result you need to achieve — not the specific product or policy name you must use to achieve it. Instead of "restrict macros using Microsoft Office Group Policy setting X", the Essentials series would say something like "prevent execution of unauthorised macros". You can meet that outcome using Microsoft Group Policy, Intune ADMX templates, a third-party endpoint management tool, or any other mechanism that reliably achieves the result. This matters most for organisations running non-Microsoft environments or hybrid OT/IT infrastructure.
The PSPF currently mandates Essential Eight compliance for non-corporate Commonwealth entities. The PSPF will eventually be updated to reference the Essentials series once it is finalised, but PSPF updates follow their own process and timeline. Until a formal PSPF update is issued, Commonwealth entities remain obligated to the Essential Eight as written. State government agencies should monitor their own jurisdictional frameworks. We will publish guidance when PSPF changes are formally announced.
Your existing ML2 assessment documentation remains valid for any requirement that currently references the Essential Eight. As procurement panels and insurers update their requirements to reference the Essentials series, they will need to define how existing Essential Eight evidence is accepted during transition — this is something industry bodies and ASD will need to communicate clearly. For now, continue maintaining your ML2 evidence pack. Do not let it lapse in anticipation of the new framework.
We are tracking the public consultation closely and will publish our mapping of Essential Eight controls to the Essentials series once the final guidance is released, expected late 2026. Existing clients will receive updated assessment templates and evidence pack documentation as part of their ongoing support arrangements. Check back here or book a call if you have specific questions about your programme.
Book a 30-minute call and we will give you a straight answer based on your environment and compliance drivers — what to do now, what to watch for, and how your existing Essential Eight work maps to the new framework.
Hi! I’m the Compliance365 AI. I can help you work out which security or privacy framework you need, explain what’s involved, and answer questions about ISO 27001, SOC 2, Essential Eight, and more.
What can I help you with today?
Messages are sent to our AI assistant (Claude, by Anthropic) to generate a reply — not stored as part of your account and not used to train AI models.