
Essential Eight in 2026: the framework didn't change — but the people judging you did

The Essential Eight hasn't changed since 2023 — but insurers, big clients and government supply chains now want provable Maturity Level 2. Here's why.

The Essential Eight controls are exactly what they were in 2023 — what's changed is that someone with a chequebook now wants you to prove your maturity before they'll sign.

You can't see the Essential Eight on your balance sheet — until an insurer or a big client asks you to prove it before they'll sign. That's the quiet shift Melbourne business owners are running into right now. The framework itself hasn't moved. The eight mitigation strategies, and the maturity model that grades them, are the same model the Australian Signals Directorate (ASD) and its Australian Cyber Security Centre last updated in November 2023. What's changed in 2026 is the audience. The people reading your security posture have got far less forgiving — and they're attaching real money to the answer.

The controls stood still. The stakes didn't.

If you've already read our plain-English guide to the eight controls, you know the mechanics: application control, patching, macro settings, hardening, admin privileges, OS patching, multi-factor authentication and backups, each graded from Maturity Level Zero up to Level Three. None of that has changed. What's changed is who's looking, why, and how hard they're pushing.

  • The framework is settled. The current Essential Eight maturity model dates to the ASD's November 2023 update. Treat any "new for 2026" Essential Eight claim with suspicion — the news isn't the controls, it's the expectation around them.
  • The judgement isn't. Industry commentators increasingly describe Maturity Level 2 as the expected baseline for businesses bidding for serious work in 2026 — not because the law moved, but because buyers and insurers decided "Level 1, we hope" is no longer good enough.

Your insurer wants proof, not a tick

Cyber insurers have spent a few hard years paying out, and they've responded by tightening their questionnaires. The change worth noticing in 2026 isn't a longer list of questions — it's that "yes" now needs evidence behind it. Insurers and their brokers increasingly want to see that your Essential Eight controls are genuinely in place and operating, and many renewals now hinge on demonstrable maturity rather than a self-assessed box-tick.

This builds directly on what we covered about what cyber insurers now require to issue and pay out a policy. The honest risk is the gap between what you declared and what was actually running on the day of a breach. If you ticked "MFA on all remote access" and one service slipped through, that's the gap a claims assessor lives for.

Phishing-resistant MFA is the line in the sand

For years, "do you have MFA?" was a yes/no question and any second factor counted. That's the assumption quietly being retired. Commentary across the security industry now points to phishing-resistant multi-factor authentication — passkeys, FIDO2 security keys, certificate-based methods — as the bar that matters, because attackers have got good at intercepting SMS codes and fatiguing people into approving push prompts.

  • Not all MFA is equal anymore. An SMS code is better than nothing, but it can be intercepted or socially engineered. Phishing-resistant methods can't be relayed to an attacker the same way, which is why they're increasingly named specifically in maturity expectations.
  • It's an identity project, not a toggle. Moving a whole organisation onto phishing-resistant MFA across Microsoft 365, remote access and admin accounts takes planning, the right licensing and a rollout that doesn't lock your team out. It rewards doing it properly once.
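Why a relayed FIDO2/WebAuthn login fails where a relayed SMS code succeeds, as an added example that is not from the original post or Key IT: a simplified relying-party check in the shape of a WebAuthn assertion verification. The relying-party ID, origins and key are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "login.example.com"                  # constructed relying-party ID
RP_ORIGIN = "https://" + RP_ID
AUTH_KEY = b"constructed-authenticator-key"  # stand-in for the credential's private key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def authenticator_assert(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Browser + authenticator side. The browser, not the web page, records the
    origin it is actually on and the rpId it allowed; the signature then covers
    authenticatorData || SHA-256(clientDataJSON), so neither can be edited later."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()      # HMAC stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: bytes) -> str:
    """Relying-party checks; returns 'ok' or the name of the first failed check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad-type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "bad-challenge"      # replayed or cross-session assertion
    if cd.get("origin") != RP_ORIGIN:
        return "bad-origin"         # assertion was produced on a different site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad-rpid"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad-signature"      # signed fields were altered after signing
    return "ok"

def demo() -> dict:
    challenge = secrets.token_bytes(32)
    legit = authenticator_assert(RP_ORIGIN, RP_ID, challenge)
    # Adversary-in-the-middle proxy: the user completes the ceremony on the lookalike
    # site, so the browser records the lookalike origin and rpId, not the real ones.
    relayed = authenticator_assert("https://login-example.com", "login-example.com", challenge)
    # The proxy rewrites origin and rpIdHash to the real values; the signature no longer matches.
    tampered = dict(relayed,
                    clientDataJSON=relayed["clientDataJSON"].replace(b"login-example.com", RP_ID.encode()),
                    authenticatorData=hashlib.sha256(RP_ID.encode()).digest() + relayed["authenticatorData"][32:])
    return {"legit": rp_verify(legit, challenge), "relayed": rp_verify(relayed, challenge),
            "tampered": rp_verify(tampered, challenge)}
```

An SMS or push code carries none of this binding, which is why a proxy can forward it unchanged; the origin and rpId checks are what make the FIDO2 assertion useless off the real site.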

Your biggest client is now your auditor

The other group judging you isn't an insurer at all — it's the larger business or government department you want to sell to. Supply-chain security scrutiny has pushed down the food chain: prime contractors and government buyers increasingly ask their suppliers to demonstrate Essential Eight maturity before awarding or renewing work, because a weak supplier is now treated as their own risk.

  • The questionnaire arrives before the contract. A vendor risk assessment landing in your inbox is no longer a formality. For many Melbourne SMBs, an honest, evidenced answer is now the difference between making the shortlist and being quietly dropped.
  • Evidence beats assertion. Buyers and assessors want artefacts — patching reports, MFA coverage, backup test results — not a confident email. Being able to produce them turns security from a cost into a reason you win the work a less-prepared competitor can't.

How Key IT helps you prove it, not just claim it

Maturity Level 2 isn't a product you buy; it's a state you can demonstrate on any given day. That's the part most businesses underestimate — it's the ongoing evidence, not the initial fix, that wins renewals and contracts. As Melbourne's security-first MSP, with an in-house team where every engineer is security-certified, this is the work we do every day.

An honest baseline first.

Our Essential 8 service grades your current maturity against the ASD model — by your weakest control, the way it's actually scored — then sets a roadmap to lift it, rather than telling you what you'd like to hear.

Controls that keep proving themselves.

Patching, hardening, EDR on every device and phishing-resistant MFA only count if they stay in place. Our in-house 24/7 SOC monitors and maintains them, and produces the reporting that insurers, brokers and big clients now ask to see.

The paperwork, handled.

When an insurer questionnaire or a client vendor assessment lands, we help you answer it accurately and back it with documentation — so your cover stays valid and your tenders stand up to scrutiny.

Frequently asked questions

Did the Essential Eight change in 2026?

No. The eight controls and the maturity model behind them are the same ones the ASD's Australian Cyber Security Centre last updated in November 2023. What's changed in 2026 is the expectation around them — insurers, larger clients and government supply chains increasingly want provable maturity, not a self-declared tick. Always check the ACSC's own guidance for the current detail at the time you're reading.

Is Maturity Level 2 legally required for my business?

For most private businesses, no — it isn't a blanket legal mandate. Industry commentary describes ML2 as an expected baseline for winning serious contracts and renewing cyber insurance in 2026, which is a commercial pressure rather than a law. Specific government and regulated sectors can have stricter, separate obligations, so it's worth confirming what applies to your work.

What is phishing-resistant MFA and do I need it?

It's multi-factor authentication that can't easily be intercepted or relayed to an attacker — methods like passkeys, FIDO2 security keys or certificate-based logins, rather than SMS codes or basic push approvals. It's increasingly named in maturity expectations because attackers have learned to defeat weaker second factors. If insurers or clients are assessing you, it's fast becoming the version that counts.

How do I prove our Essential Eight maturity to an insurer or client?

With evidence, not assertions: patching and OS update records, MFA coverage across email, remote access and admin accounts, application control and hardening configurations, and tested backup restores. An assessment that documents your maturity level — and ongoing reporting that shows the controls staying in place — is what stands up when a claims assessor or a procurement team looks closely.

Book your free IT & Cyber Security Review

See exactly where your IT and security stand, and what to fix first. No jargon, no obligation.