
Essential Eight Maturity Level 2: the new compliance baseline for ANZ


TL;DR

  • Australia's Cyber Security Strategy Horizon 2 (2026–2028) mandates ML2 as the baseline for all industries; ML3 is required for high-risk sectors including critical infrastructure.

  • The Australian Signals Directorate (ASD) released an updated IRAP Quality Assurance Framework in January 2026, raising the bar for how security controls are assessed.

  • Organisations that have not yet achieved ML2 face increasing risk of exclusion from government procurement and partnership opportunities.

  • If you are in critical infrastructure, defence supply chain, or government: ML3 planning should begin now, not after your next audit.

  • 6clicks provides pre-built Essential Eight control mapping, evidence collection workflows, and audit-ready reporting — so uplift is structured, not improvised.

Australia's 2023–2030 Cyber Security Strategy has entered Horizon 2 (2026–2028), making Essential Eight Maturity Level 2 (ML2) the recommended baseline for all industries — not just government. If your organisation hasn't yet assessed its current maturity or begun a structured uplift program, the window to act before auditors and procurement panels start asking for evidence is closing fast.

Why Essential Eight ML2 matters right now

In February 2026, Australia's 2023–2030 Cyber Security Strategy formally entered Horizon 2 — a phase explicitly focused on embedding and operationalising cyber maturity at scale across the Australian economy, not just within government. The strategy is built around six cyber shields, two of which — Sovereign Capabilities and Protected Critical Infrastructure — are directly relevant to organisations in regulated industries.

The practical implication: Essential Eight ML2 is expected to become the government-recommended baseline for all industries by 2026, with ML3 required for high-risk sectors. For organisations that have been treating Essential Eight as a "nice to have" or a government-only concern, this signals a fundamental shift. (Source: Australian Government, Charting New Horizons: Australian Cyber Security Strategy 2023–2030, homeaffairs.gov.au)

This is not a distant policy aspiration. Government procurement panels, defence supply chains, and critical infrastructure operators are already asking vendors and partners to demonstrate their Essential Eight maturity tier. If you cannot provide evidence of ML2 compliance, you are increasingly at risk of being locked out of high-value contracts.


What are the Essential Eight maturity levels?

The Essential Eight is a set of baseline cybersecurity strategies developed by the ASD to help organisations protect against the most common cyber threats. It covers eight mitigation strategies: application control, application patching, Microsoft Office macro settings, user application hardening, restriction of administrative privileges, multi-factor authentication (MFA), regular backups, and operating system patching.

Understanding the three maturity levels

The Essential Eight uses a four-tier model (ML0–ML3):

  • ML0: Controls are not implemented or are partially implemented with significant gaps
  • ML1: Controls are partially implemented; an adversary with basic capabilities could compromise the environment
  • ML2: Controls are mostly implemented; an adversary with intermediate capabilities would struggle to persist undetected
  • ML3: Controls are fully implemented; even a sophisticated, targeted adversary faces significant barriers

Under Horizon 2, ML2 is the floor — not the ceiling. Organisations in healthcare, financial services, legal, and professional services should be targeting ML2 as their immediate priority. Entities in defence, critical infrastructure, and government should be planning for ML3.

The eight mitigation strategies at ML2: what changes

At ML2, organisations must demonstrate consistent, evidence-backed implementation of controls — not just intent or policy. The key shift from ML1 is that controls must be enforced and monitored, not merely configured. For example:

  1. Patching applications must occur within 48 hours for critical vulnerabilities — not just tracked in a register
  2. MFA must be enforced for all remote access and privileged accounts — not just recommended
  3. Regular backups must be tested to confirm data recovery is actually possible — not just scheduled

What the updated IRAP QA Framework means for your assessment

In January 2026, the ASD published a new IRAP Quality Assurance Framework, designed to standardise how IRAP assessors evaluate security controls for Commonwealth entities and private sector contractors. The framework introduces more rigorous quality checks on every assessment — assessors now face scrutiny of their methodology, not just their findings.

For organisations preparing for IRAP assessment, this has a direct implication: clean, traceable, and auditable evidence is no longer optional. Assessors who submit inconsistent or poorly documented findings will face quality review. That means your evidence trail must be structured, timestamped, and directly mapped to ISM controls.

Organisations that rely on spreadsheets or disconnected documents to track control evidence will find it significantly harder to pass a 2026 IRAP assessment than they did in previous years. (Source: ASD, IRAP Quality Assurance Framework, cyber.gov.au, January 2026)


The most common ML2 gaps ANZ organisations face

Based on the patterns that emerge across ANZ compliance engagements, the most common gaps preventing organisations from achieving ML2 include:

  1. Inconsistent patching evidence — patching is performed but not logged with timestamps and system scope in an auditable format
  2. MFA gaps for privileged accounts — MFA is enforced for end users but not for service accounts, shared admin accounts, or legacy systems
  3. Untested backups — backups exist but recovery has not been tested against a defined RTO/RPO
  4. Application allow-listing gaps — application control is applied to workstations but not to servers or OT environments
  5. Disconnected evidence — control evidence lives in multiple tools, spreadsheets, and email threads, making it impossible to produce a coherent audit package on demand

Each of these gaps is addressable — but only if you have a structured framework for tracking control status, collecting evidence, and surfacing gaps before an assessor does.
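As an added illustration of gap 1 and the 48-hour patching window described above (example code written for this page; it is not 6clicks or ASD material), the following Python checker reads a patching evidence register and separates records that breach the 48-hour window for critical vulnerabilities from records that cannot be assessed at all because a timestamp or the system scope is missing. The column names, the sample records and the choice to start the clock when the fix became available are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# The page's ML2 expectation: critical vulnerabilities patched within 48 hours.
CRITICAL_SLA = timedelta(hours=48)

# Assumed register columns (not a 6clicks or ASD schema): which system was
# patched, which vulnerability, its severity, when the fix became available
# and when it was applied. "host" is the system-scope field an assessor needs.
REQUIRED_FIELDS = ("host", "vuln_id", "severity", "available_at", "applied_at")


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    kind: str      # "evidence_gap" or "sla_breach"
    detail: str


def parse_ts(value: str | None) -> datetime | None:
    """Return a timezone-aware datetime, or None if the value is missing,
    malformed, or lacks a UTC offset (naive times are ambiguous evidence)."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def check_register(records: list[dict]) -> list[Finding]:
    """Evaluate each patch record. Records that cannot be assessed are reported
    as evidence gaps rather than being silently counted as compliant."""
    findings: list[Finding] = []
    for rec in records:
        host = rec.get("host") or "<no host>"
        vuln = rec.get("vuln_id") or "<no vuln id>"

        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append(Finding(host, vuln, "evidence_gap",
                                    "missing field(s): " + ", ".join(missing)))
            continue

        available = parse_ts(rec["available_at"])
        applied = parse_ts(rec["applied_at"])
        if available is None or applied is None:
            findings.append(Finding(host, vuln, "evidence_gap",
                                    "timestamps must be timezone-aware ISO 8601"))
            continue

        # The 48-hour test applies to critical vulnerabilities, as the page states.
        if rec["severity"].lower() == "critical":
            elapsed = applied - available
            if elapsed > CRITICAL_SLA:
                hours = elapsed.total_seconds() / 3600
                findings.append(Finding(host, vuln, "sla_breach",
                                        f"applied {hours:.0f} h after fix available (limit 48 h)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, always reporting both keys."""
    counts = {"evidence_gap": 0, "sla_breach": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


# Constructed sample register: five records, none from a real environment.
SAMPLE_REGISTER = [
    {"host": "ws-01", "vuln_id": "VULN-001", "severity": "critical",
     "available_at": "2026-03-01T09:00:00Z", "applied_at": "2026-03-02T15:00:00Z"},  # 30 h: within window
    {"host": "srv-db-01", "vuln_id": "VULN-001", "severity": "critical",
     "available_at": "2026-03-01T09:00:00Z", "applied_at": "2026-03-04T10:00:00Z"},  # 73 h: breach
    {"host": "srv-app-02", "vuln_id": "VULN-002", "severity": "high",
     "available_at": "2026-03-01T09:00:00Z", "applied_at": "2026-03-06T09:00:00Z"},  # not critical: no 48 h test
    {"host": "ws-17", "vuln_id": "VULN-001", "severity": "critical",
     "available_at": "2026-03-01T09:00:00Z", "applied_at": ""},                       # no applied timestamp
    {"host": "srv-file-03", "vuln_id": "VULN-003", "severity": "critical",
     "available_at": "2026-03-01T09:00:00Z", "applied_at": "2026-03-02 10:00"},       # naive time: not auditable
]

if __name__ == "__main__":
    results = check_register(SAMPLE_REGISTER)
    for f in results:
        print(f"{f.kind:12} {f.host:12} {f.vuln_id:9} {f.detail}")
    print(summarize(results))
```

The point of routing unassessable records into a separate `evidence_gap` category is that an assessor cannot tell a patched-but-unrecorded system from an unpatched one; a register that reports only "compliant" and "breach" would hide exactly the gap the page describes.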


How 6clicks helps ANZ organisations reach Essential Eight ML2

6clicks provides a purpose-built platform for structured Essential Eight compliance uplift. Unlike generic audit tools or spreadsheet-based approaches, 6clicks delivers:

  • Pre-mapped Essential Eight control libraries aligned to the current ACSC framework — so you start from a structured baseline, not a blank template
  • Evidence collection workflows that support both manual uploads and automated integrations — because manual and automated evidence are equally important, and your environment may require both
  • Hub & Spoke deployment — enabling managed service providers (MSPs) and enterprise IT teams to manage multiple entities, sites, or subsidiaries from a single platform
  • Sovereign Infrastructure deployment options — including self-hosted and air-gapped environments for PROTECTED-level data handling requirements
  • Always audit-ready reporting — dashboards that show real-time maturity status, outstanding gaps, and evidence completeness, so you are never caught unprepared by an audit

For DISP members and defence contractors navigating both Essential Eight and ISM requirements simultaneously, 6clicks supports multi-framework mapping — so you assess once and satisfy multiple frameworks, rather than running parallel compliance programs.

Deploy on your terms. Not ours. Whether your environment is cloud-hosted, hybrid, or requires on-premises sovereign deployment, 6clicks works where other GRC platforms cannot reach.


Frequently asked questions about DISP

All Australian government agencies are required to achieve ML2 as a minimum. Under Horizon 2 of the National Cyber Security Strategy, ML2 is the government-recommended baseline for all industries — including private sector organisations in critical infrastructure, financial services, healthcare, and professional services. Compliance is not yet legislatively mandated for most private sector entities, but ML2 is increasingly a procurement prerequisite for government contracts and supply chain participation. 

The timeline depends on your current maturity (ML0 or ML1) and the size and complexity of your environment. Organisations starting from ML1 with a structured program typically achieve ML2 within three to six months. Key factors are the speed of patching uplift, MFA rollout across all privileged accounts, and the time required to implement and test application allow-listing. Starting with a gap assessment against current ACSC guidance is the fastest way to identify your critical path. 

IRAP (Information Security Registered Assessors Program) is a formal assessment process conducted by ASD-endorsed assessors to evaluate whether an ICT system meets the requirements of the Information Security Manual (ISM). Essential Eight compliance is a separate but related framework — many IRAP assessments reference Essential Eight maturity as part of the overall security posture evaluation. For government contractors, achieving Essential Eight ML2 or ML3 is often a prerequisite before an IRAP assessment is initiated. 

Yes — and this is one of the most common gaps. The ACSC acknowledges that applying Essential Eight controls to operational technology (OT), industrial control systems (ICS), and legacy environments requires careful scoping. For organisations in energy, utilities, manufacturing, and defence, OT environments must be included in the maturity assessment, but the control implementation approach may differ from standard IT environments. Platforms that support air-gapped and OT-specific deployments are essential for these use cases. 

Yes — and for many mid-market organisations, a managed service model is the most efficient approach. The global MSP market is growing at 10–15% annually, with cybersecurity compliance consistently ranked as the top driver of MSP growth (Source: CRN MSP 500, 2026). Engaging an MSP with access to a GRC platform purpose-built for Essential Eight means you get structured uplift support without needing to build an internal GRC team from scratch.

Next step

If your organisation is not yet at Essential Eight ML2, start with a structured gap assessment. Book a demo with 6clicks to see how the platform maps your current control state against ACSC requirements, identifies your priority gaps, and tracks evidence collection toward ML2 — so you are always audit-ready when procurement panels or IRAP assessors come calling.
