
Australia's Cyber Security Strategy Horizon 2: What it means for GRC


TL;DR

  • Australia's Cyber Security Strategy moves into Horizon 2 in 2026, shifting the national focus from building cyber foundations to embedding maturity at scale across the entire economy.
  • For organisations in government, critical infrastructure, financial services, and defence, this means a significant compliance uplift — Essential Eight Maturity Level 2 (ML2) is expected to become the baseline for all industries, with ML3 required for high-risk sectors.
  • If your Governance, Risk, and Compliance (GRC) program isn't ready to scale, Horizon 2 will expose the gap.

 

Australia has reached an inflection point in its national cyber journey — and for those of us working in GRC, the implications are substantial and immediate.

In 2026, Australia's 2023–2030 Cyber Security Strategy formally enters Horizon 2, a three-year phase focused not on building capability, but on embedding it. The distinction matters. The build phase gave organisations permission to plan. Horizon 2 removes that permission — it demands execution.

What Horizon 2 actually means

Horizon 2 (2026–2028) represents the middle leg of Australia's ten-year cyber roadmap. Where Horizon 1 focused on establishing legislative foundations and baseline capabilities, Horizon 2 has three explicit priorities:

  1. Embedding cyber standards and literacy across government, industry, and the broader community
  2. Scaling cyber maturity across the whole economy — not just regulated sectors
  3. Growing a diverse and capable cyber workforce to sustain the uplift

The strategy is built around six 'cyber shields' — layered defences spanning citizens, safe technology, world-class threat sharing, protected critical infrastructure, sovereign capabilities, and resilient regional and global leadership. For enterprise and public sector organisations, the Sovereign Capabilities and Protected Critical Infrastructure shields are the ones that translate most directly into GRC program requirements.

This isn't aspirational language. It is the policy architecture that procurement requirements, audit frameworks, and funding conditions will increasingly reference over the next three years.


Essential Eight: the compliance uplift is real

Perhaps the single most consequential Horizon 2 development for compliance and risk teams is the expected trajectory of the Essential Eight.

The Australian Signals Directorate (ASD) Essential Eight Maturity Model has long been the baseline cyber hygiene standard for Australian Government agencies. Under Horizon 2, Essential Eight Maturity Level 2 (ML2) is expected to become the recommended baseline for all industries by 2026 — not just government. For high-risk sectors including critical infrastructure, energy, finance, and defence, ML3 is the target.

For many organisations, this represents a meaningful uplift. ML2 requires controls to be applied consistently and verifiably across the environment — not just implemented in pockets. ML3 requires those controls to be resilient against sophisticated, targeted attacks, with evidence of continuous improvement.

What this means in practice

  • Asset and vulnerability management must be systematic, not reactive
  • Application control and patch management must be documented and auditable
  • Multi-factor authentication must extend to all privileged users and internet-facing systems
  • User application hardening and macro restrictions must be enforced and verified

The compliance burden is not just technical — it is evidential. You need to demonstrate maturity, not just assert it.

Why scaling GRC is the critical challenge of Horizon 2

The strategic language of Horizon 2 — scaling maturity across the whole economy — sounds broad. In practice, it creates a very specific operational challenge for risk and compliance leaders: how do you extend cyber controls, evidence collection, and assurance reporting across a complex, often decentralised organisation?

This is where many GRC programs will struggle. Most were built for a world where compliance was episodic — an annual audit, a point-in-time assessment. Horizon 2 demands continuous assurance.

The challenge is compounded for organisations operating across multiple entities, business units, or regulated subsidiaries. Each one must demonstrate its own maturity uplift, yet the compliance function cannot simply multiply its headcount to match.

The Hub & Spoke model for distributed compliance

Organisations with federated structures — government departments with agencies, financial groups with subsidiaries, managed service providers serving multiple clients — need a model that allows central visibility while enabling local execution. Without that architecture, Horizon 2 compliance becomes an unmanageable coordination burden.

This is precisely the problem that well-designed GRC platforms address: centralising frameworks, controls, and reporting while distributing assessments and evidence capture to the teams closest to the risk.

How 6clicks helps organisations meet Horizon 2 requirements

6clicks is purpose-built for the compliance complexity that Horizon 2 will create. I want to be specific about what that means, because "GRC platform" can mean many things.

  • Framework alignment out of the box - The 6clicks Content Library includes pre-built Essential Eight assessment templates aligned to ML1, ML2, and ML3, as well as mappings to ISO 27001, the PSPF, the ISM, and other frameworks relevant to Australian government and critical infrastructure. You are not starting from a blank page.

  • Hub & Spoke architecture for federated compliance - The Hub & Spoke model in 6clicks allows a central compliance function to publish frameworks, controls, and assessments to business units or client organisations, while rolling up results into a consolidated view. For organisations with multiple entities under Horizon 2 obligations, this is the architecture that makes scale achievable.

  • Hailey AI for assessment acceleration - Our AI capability, Hailey, assists compliance teams in mapping controls, identifying gaps, and drafting responses — reducing the manual effort of ML2 and ML3 evidence collection without compromising rigour.


For Australian government agencies, critical infrastructure operators, financial institutions, and defence contractors, the question is not whether Horizon 2 will affect your compliance program — it will. The question is whether your GRC infrastructure is built to absorb the uplift without breaking.

Frequently asked questions

What is Australia's Cyber Security Strategy Horizon 2?

Horizon 2 is the second phase (2026–2028) of Australia's 2023–2030 Cyber Security Strategy, published by the Department of Home Affairs. It focuses on embedding cyber maturity at scale across the economy, moving beyond the foundational work of Horizon 1. Key priorities include scaling the Essential Eight, strengthening sovereign capabilities, and protecting critical infrastructure.

When does Essential Eight ML2 become mandatory for all Australian industries?

Under the Horizon 2 trajectory, Essential Eight ML2 is expected to become the recommended baseline for all industries by 2026. For high-risk sectors — including critical infrastructure, government, finance, and defence — ML3 is the target. Specific mandatory requirements may vary by sector regulation, but organisations should treat these as the effective compliance standard.

What is the Essential Eight Maturity Level 3 (ML3)?

Essential Eight ML3 is the highest maturity tier in ASD's Essential Eight Maturity Model. It requires that security controls are consistently applied, actively maintained, and demonstrably resilient against sophisticated, targeted cyber attacks. Evidence of continuous improvement and proactive threat response is expected.

How should a CISO prepare their organisation for Horizon 2?

CISOs should begin with a gap assessment against the Essential Eight at the target maturity level for their sector. From there, the priority is building the evidential infrastructure — controls libraries, assessment workflows, and reporting dashboards — that can demonstrate maturity continuously, not just at audit time. Ensuring your GRC platform can scale across your organisational structure is a prerequisite.

What does sovereign cyber capability mean for Australian organisations?

Sovereign capability is one of the six shields in Australia's strategy. For organisations, it means prioritising Australian-controlled technology, data sovereignty, and supply chain resilience. For GRC programs, it means vendor risk management and supply chain assessments will face increasing scrutiny — particularly for critical infrastructure and government contracts.
