ASD Framework Update · Thought Leadership · Published 1 July 2026

Consultation closes 12 July 2026

The Essential Eight is being retired. Here's what you need to know.

ASD has officially announced it will retire the Essential Eight within two years and replace it with a new modular framework called the Essentials series. Chapter 1 — Essentials for enterprise IT — is currently in public consultation until 12 July 2026. This page covers what's changing, what's staying the same, the transition timeline, and what your organisation should do now.

Section 1

What's happening — the announcement

ASD (Australian Signals Directorate) has officially announced that the Essential Eight will be retired within two years. In its place, ASD is publishing a new modular framework called the Essentials series. This is not a minor update — it is a deliberate architectural shift in how ASD approaches cyber security guidance for Australian organisations.

The first chapter of the new series — Essentials for enterprise IT — is currently in public consultation. The consultation period closes 12 July 2026. Registered organisations and industry stakeholders can submit responses via the ACSC Partner Portal at partners.cyber.gov.au.

ASD's rationale for the change is straightforward: the threat landscape has evolved significantly since the Essential Eight was designed, and the original framework's prescriptive, Windows-centric design does not translate well to modern environments that include cloud-native workloads, operational technology (OT), and emerging AI-driven systems. The Essential Eight was built around specific Microsoft technologies and specific threat vectors of its era. The Essentials series is designed to remain relevant as technology continues to change.

The key message from ASD on compatibility is clear: existing Essential Eight investments and programmes map across to the Essentials series. The underlying security controls remain largely the same. Nothing done in pursuit of Essential Eight compliance is wasted. Organisations mid-programme should continue.

Note on consultation status

The Essentials for enterprise IT chapter is in public consultation as of 1 July 2026, closing 12 July 2026. The final framework has not yet been published. This page describes what ASD has officially announced and the publicly available consultation draft. We do not state specifics about final control requirements as though they are confirmed — they are not yet finalised.

Section 2

The Essentials series explained

The Essentials series is a multi-chapter framework. Rather than a single monolithic set of controls, it organises guidance into domain-specific chapters, each targeting a distinct technology environment. This modular design is what allows the framework to stay current as new technology categories emerge.

Chapter 1 — In consultation

Essentials for enterprise IT

This is the closest equivalent to the current Essential Eight. It covers enterprise IT environments — the corporate workstations, servers, and identity infrastructure that the Essential Eight was originally designed to protect. Consultation closes 12 July 2026. Final publication expected late 2026.

The key shift: instead of prescribing specific controls (e.g., "restrict Microsoft Office macros"), the chapter describes the outcome — what the organisation needs to achieve — and gives organisations flexibility in how they achieve it. This matters for organisations running non-Microsoft endpoint management, Linux fleets, or mixed environments where M365-specific guidance was previously a poor fit.

Chapter 2 — Forthcoming

Operational technology (OT)

The Essential Eight was never designed for operational technology environments — SCADA systems, industrial control systems, building management systems, and the operational infrastructure that underpins Australian critical infrastructure. Chapter 2 will address OT environments specifically, recognising that the threat landscape and available controls are fundamentally different from enterprise IT.

For SOCI Act operators and critical infrastructure providers who have long struggled to apply Essential Eight controls to OT systems, this chapter represents a significant improvement. Patching SCADA systems on a 14-day cycle, or applying application control to industrial controllers, is often operationally impossible. Chapter 2 is expected to reflect OT-specific realities.

Chapter 3 — Forthcoming

Cloud environments

Cloud-native environments — workloads running in AWS, Azure, GCP, and SaaS platforms — have a different security model from traditional enterprise IT. The Essential Eight's controls were largely written for on-premises or hybrid Microsoft environments. Chapter 3 will address the cloud security outcomes that ASD considers essential for organisations that have migrated significant workloads to cloud platforms.

Cloud environments have different patching models (provider-managed vs. customer-managed), different identity models (service accounts, workload identities, IAM roles), and different backup paradigms. Outcomes-based guidance is better suited to this diversity than the prescriptive approach of the Essential Eight.

Future chapter — Flagged

Agentic AI

ASD has flagged an agentic AI chapter as a likely future addition to the Essentials series. As organisations deploy AI agents, LLM-powered systems, and automated decision-making tools in production, a new category of security outcomes will be needed. The modular chapter structure means ASD can publish AI-specific guidance without rearchitecting the entire framework.

No timeline has been confirmed for the AI chapter. It reflects ASD's intention to make the framework future-proof rather than a commitment to a specific delivery date.

ASD's four design attributes for the Essentials series

ASD has published four explicit design attributes that characterise the Essentials series and distinguish it from the Essential Eight.

1. Flexibility

The framework is outcomes-based and technology-agnostic. Organisations choose the tools and implementations that fit their environment, as long as they achieve the required security outcome. This removes the implicit Microsoft-only bias of the Essential Eight and accommodates the full diversity of Australian IT environments.

2. Threat-informed design

Like the Essential Eight before it, the Essentials series is grounded in the current Australian threat landscape and the ISM (Information Security Manual). Controls are not theoretical — they address the techniques that adversaries are actually using against Australian targets today.

3. Compatibility

Existing Essential Eight investments map across. This is ASD's direct commitment to organisations mid-programme: your work carries forward. The controls themselves are not being discarded — the way they are expressed and assessed is changing. Nothing is wasted.

4. Future-focused

The modular chapter structure allows ASD to publish new guidance as technology evolves — OT, cloud, AI — without requiring a complete framework rewrite. As new environments become security-critical, new chapters can be added. The framework grows with the threat landscape.

Section 3

The transition timeline

The transition will unfold over approximately two years from ASD's announcement. During that window, both frameworks will be live simultaneously. Here is what we know and what is still to be determined.

12 Jul 2026

Public consultation closes

The consultation period for Essentials for enterprise IT (Chapter 1) closes. Submissions via the ACSC Partner Portal at partners.cyber.gov.au. After this date, ASD will review submissions and incorporate feedback into the final publication.

Late 2026

Essentials series published (expected)

ASD expected to publish the final Essentials for enterprise IT chapter. Procurement panels, insurers, and regulatory bodies will begin reviewing their requirements and planning updates. Both the Essential Eight and the Essentials series will be live simultaneously from this point.

~12 months

Essential Eight deprecation begins (approximate)

Approximately 12 months after ASD's retirement announcement, the Essential Eight begins active deprecation. Procurement panels and regulators are expected to start updating their requirements during this window. Essential Eight references in contracts will need to be reviewed and updated over time.

~24 months

Essential Eight fully retired (approximate)

Approximately 24 months after the announcement, the Essential Eight is fully retired. By this point, procurement panels and regulators should have updated their requirements to reference the Essentials series. Organisations will need Essentials series compliance documentation rather than Essential Eight evidence packs.

During the transition: both frameworks are live

For approximately two years from the announcement, organisations need to be aware of both the Essential Eight (still required by existing procurement contracts, PSPF obligations, and insurer requirements that reference it) and the Essentials series (the emerging standard that replacements will be written around). Compliance365 will maintain coverage of both frameworks during the transition and update client documentation accordingly.

Section 4

Essential Eight vs Essentials for IT — what changes

Understanding what actually changes — and what stays the same — is critical to planning your programme. The shift is more philosophical than technical, but the practical implications are real.

Dimension Essential Eight Essentials for enterprise IT
Compliance model Prescriptive — specific controls and specific behaviours required Outcomes-based — defines the security result, not the implementation
Technology scope Primarily Windows / Microsoft 365-centric; other environments require interpretation Technology-agnostic; outcomes achievable with any qualifying toolset
Maturity model ML0–ML3 maturity levels with specific criteria at each level Outcomes-based model; ML0–ML3 may not carry across in the same form (TBC in final guidance)
Example — macros "Restrict Microsoft Office macros" — specific to Microsoft Office product "Prevent execution of unauthorised macros" — outcome, achievable any way that works
OT coverage Not designed for OT; poor fit; organisations improvise Separate dedicated Chapter 2 for OT environments
Cloud coverage Partially applicable; cloud-native environments require significant interpretation Separate dedicated Chapter 3 for cloud environments
AI environments Not addressed Future chapter flagged; agentic AI guidance planned
Core controls 8 specific strategies (app control, patching, macros, hardening, admin privileges, OS patching, MFA, backups) Same underlying security outcomes — controls map across; nothing is discarded
Procurement impact Referenced in PSPF, state government panels, insurer requirements Procurement requirements will update gradually over 2-year transition; E8 references remain active until updated

What does not change

The underlying security controls remain largely the same. MFA, patching, application control, privileged access management, and backups are as relevant under the Essentials series as they are under the Essential Eight. ASD is changing how controls are expressed and assessed — not discarding the security thinking that underpins them. The threat actors exploiting credential theft, unpatched software, and privilege escalation will not stop because the framework changed names.

  • MFA enforcement across all internet-facing services — still essential
  • Patching within ASD-specified timeframes — still essential
  • Application control to prevent malicious executables — still essential
  • Privileged access management with time-limited elevation — still essential
  • Tested, immutable backups — still essential

Section 5

If you're already on the Essential Eight

The short answer: continue your programme. Do not stop.

If you have a current Essential Eight ML2 assessment, are mid-programme toward ML2, or have compliance obligations that reference the Essential Eight — none of that changes today. The procurement panels, PSPF requirements, insurer conditions, and enterprise TPRM programmes that require Essential Eight compliance all continue to reference it until they are individually updated. That process will take time and will be communicated by the relevant bodies.

ASD's explicit design attribute of compatibility means your existing implementation maps across to the Essentials series. The controls you have implemented — Conditional Access policies, PIM configuration, application control, patch management, backups — all address the same security outcomes that the Essentials series will require. Your evidence pack may need to be re-mapped to new Essentials criteria once the final guidance is published, but the underlying work is not undone.

Your current ML2 assessment documentation remains valid for any procurement or insurance requirement that references the Essential Eight. Maintain your evidence pack and your continuous monitoring. Do not let controls lapse in anticipation of the new framework — you will need them regardless.

Continue doing

  • Your current Essential Eight uplift programme
  • Maintaining existing ML2 controls and evidence
  • Meeting current procurement and insurance requirements
  • Quarterly evidence reviews and control monitoring
  • Working toward ML2 if not yet achieved

Watch for

  • Final Essentials series publication (expected late 2026)
  • PSPF updates referencing the Essentials series
  • Procurement panel requirement updates
  • Insurer requirement updates
  • Compliance365 mapping guidance (we'll publish it)

Section 6

If you haven't started yet

This requires nuance. The answer depends on why you need to comply and how urgent your timeline is.

Start with Essential Eight now if:

  • You have a government contract or procurement panel requirement referencing the Essential Eight
  • You need cyber insurance and your insurer requires ML2 evidence
  • You have a DISP or SOCI Act obligation to meet
  • You have an enterprise customer running TPRM that references E8
  • Your board or executive team is asking for a cyber security baseline today

In all of these cases, starting on the Essential Eight now is correct. The controls carry forward to the Essentials series. You will not redo the work. The uplift you do today addresses the same outcomes the new framework will require.

You might wait if:

  • You have no immediate procurement driver and a 12+ month runway
  • You operate in a cloud-native or OT environment where E8 is a poor fit
  • You have already done significant security uplift and are assessing which framework to formally align to

Even in these cases, "waiting" does not mean doing nothing. It means running your security uplift programme now — implementing MFA, patching discipline, privileged access management, and backups — without formally committing to Essential Eight maturity levels. That work will count under both frameworks.

Do not let the transition announcement become a reason to delay security investment. The threat actors are not waiting for the new framework to be published.

Section 7

What Compliance365 is doing

We are tracking the public consultation closely and have reviewed the Essentials for enterprise IT consultation draft. We will submit to the consultation before 12 July 2026 with practitioner feedback from our work with Australian mid-market and government organisations.

Once the final Essentials series guidance is published, we will:

Clients on ongoing support arrangements do not need to do anything differently right now. Their documentation will be updated as the final guidance is published. Clients who are mid-programme should continue — we will guide the transition when the time comes.

If you have questions about how this affects your specific programme, book a call. We will give you a straight answer based on your environment and compliance drivers.

FAQ

Frequently asked questions

The questions we are most commonly asked about the Essential Eight retirement, the Essentials series transition, and what organisations should do now.

Should I stop my Essential Eight programme?

No. ASD has been explicit: Essential Eight investments carry across to the Essentials series. The underlying security controls remain largely the same. If you have procurement drivers, insurance requirements, or government contracts that reference the Essential Eight today, continue your programme — those requirements do not change until regulators and panels update their references, which will happen gradually over the transition period.

Will my Essential Eight evidence still count under the new framework?

Yes, with caveats. ASD has confirmed that existing Essential Eight investments and programmes map across to the Essentials series — the design attribute of 'compatibility' was explicitly included to ensure nothing is wasted. However, how existing ML evidence translates to outcomes-based Essentials assessments will depend on the final published guidance, which is still in consultation as of July 2026. The controls themselves carry across; the exact evidence format may evolve.

What is the maturity model in the Essentials series?

This is one of the key open questions while consultation is underway. The Essentials series shifts to an outcomes-based model, which means the ML0–ML3 maturity levels may not carry across in the same form. The final framework will describe security outcomes to achieve rather than specific maturity thresholds, though ASD may retain some form of tiered assessment. We will update this page once the final guidance is published, expected late 2026.

When do procurement panels switch from Essential Eight to the Essentials series?

Not until regulators and panel administrators update their requirements — which will happen gradually. The PSPF, state government procurement panels, and enterprise TPRM programmes all reference the Essential Eight by name. These will be updated to reference the Essentials series over the transition period, but procurement panels move slowly. Do not expect an overnight switch. During the transition both frameworks will be live simultaneously, and Essential Eight requirements will remain active for existing procurement contracts.

What does "outcomes-based" compliance mean in practice?

Outcomes-based compliance means the framework specifies what security result you need to achieve — not the specific product or policy name you must use to achieve it. Instead of "restrict macros using Microsoft Office Group Policy setting X", the Essentials series would say something like "prevent execution of unauthorised macros". You can meet that outcome using Microsoft Group Policy, Intune ADMX templates, a third-party endpoint management tool, or any other mechanism that reliably achieves the result. This matters most for organisations running non-Microsoft environments or hybrid OT/IT infrastructure.

Does this affect PSPF obligations for government entities?

The PSPF currently mandates Essential Eight compliance for non-corporate Commonwealth entities. The PSPF will eventually be updated to reference the Essentials series once it is finalised, but PSPF updates follow their own process and timeline. Until a formal PSPF update is issued, Commonwealth entities remain obligated to the Essential Eight as written. State government agencies should monitor their own jurisdictional frameworks. We will publish guidance when PSPF changes are formally announced.

What happens to Essential Eight ML2 assessments I already have?

Your existing ML2 assessment documentation remains valid for any requirement that currently references the Essential Eight. As procurement panels and insurers update their requirements to reference the Essentials series, they will need to define how existing Essential Eight evidence is accepted during transition — this is something industry bodies and ASD will need to communicate clearly. For now, continue maintaining your ML2 evidence pack. Do not let it lapse in anticipation of the new framework.

When will Compliance365 publish updated guidance for the Essentials series?

We are tracking the public consultation closely and will publish our mapping of Essential Eight controls to the Essentials series once the final guidance is released, expected late 2026. Existing clients will receive updated assessment templates and evidence pack documentation as part of their ongoing support arrangements. Check back here or book a call if you have specific questions about your programme.

Related resources

Not sure how the Essentials series transition affects your programme?

Book a 30-minute call and we will give you a straight answer based on your environment and compliance drivers — what to do now, what to watch for, and how your existing Essential Eight work maps to the new framework.

Microsoft Teams