TL;DR
Australia's Cyber Security Strategy Horizon 2 (2026–2028) mandates ML2 as the baseline for all industries; ML3 is required for high-risk sectors including critical infrastructure.
The Australian Signals Directorate (ASD) released an updated IRAP Quality Assurance Framework in January 2026, raising the bar for how security controls are assessed.
Organisations that have not yet achieved ML2 face increasing risk of exclusion from government procurement and partnership opportunities.
If you are in critical infrastructure, defence supply chain, or government: ML3 planning should begin now, not after your next audit.
6clicks provides pre-built Essential Eight control mapping, evidence collection workflows, and audit-ready reporting — so uplift is structured, not improvised.
Australia's 2023–2030 Cyber Security Strategy has entered Horizon 2 (2026–2028), making Essential Eight Maturity Level 2 (ML2) the recommended baseline for all industries — not just government. If your organisation hasn't yet assessed its current maturity or begun a structured uplift program, the window to act before auditors and procurement panels start asking for evidence is closing fast.
In February 2026, Australia's 2023–2030 Cyber Security Strategy formally entered Horizon 2 — a phase explicitly focused on embedding and operationalising cyber maturity at scale across the Australian economy, not just within government. The strategy is built around six cyber shields, two of which — Sovereign Capabilities and Protected Critical Infrastructure — are directly relevant to organisations in regulated industries.
The practical implication: Essential Eight ML2 is expected to become the government-recommended baseline for all industries by 2026, with ML3 required for high-risk sectors. For organisations that have been treating Essential Eight as a "nice to have" or a government-only concern, this signals a fundamental shift. (Source: Australian Government, Charting New Horizons: Australian Cyber Security Strategy 2023–2030, homeaffairs.gov.au)
This is not a distant policy aspiration. Government procurement panels, defence supply chains, and critical infrastructure operators are already asking vendors and partners to demonstrate their Essential Eight maturity tier. If you cannot provide evidence of ML2 compliance, you are increasingly at risk of being locked out of high-value contracts.
The Essential Eight is a set of baseline cybersecurity strategies developed by the ASD to help organisations protect against the most common cyber threats. It comprises eight mitigation strategies: application control, application patching, Microsoft Office macro settings, user application hardening, restriction of administrative privileges, multi-factor authentication (MFA), regular backups, and operating system patching.
The Essential Eight uses a four-tier model (ML0–ML3):
Under Horizon 2, ML2 is the floor — not the ceiling. Organisations in healthcare, financial services, legal, and professional services should be targeting ML2 as their immediate priority. Entities in defence, critical infrastructure, and government should be planning for ML3.
At ML2, organisations must demonstrate consistent, evidence-backed implementation of controls — not just intent or policy. The key shift from ML1 is that controls must be enforced and monitored, not merely configured. For example:
In January 2026, the ASD published a new IRAP Quality Assurance Framework, designed to standardise how IRAP assessors evaluate security controls for Commonwealth entities and private sector contractors. The framework introduces more rigorous quality checks on every assessment — assessors now face scrutiny of their methodology, not just their findings.
For organisations preparing for IRAP assessment, this has a direct implication: clean, traceable, and auditable evidence is no longer optional. Assessors who submit inconsistent or poorly documented findings will face quality review. That means your evidence trail must be structured, timestamped, and directly mapped to ISM controls.
Organisations that rely on spreadsheets or disconnected documents to track control evidence will find it significantly harder to pass a 2026 IRAP assessment than they did in previous years. (Source: ASD, IRAP Quality Assurance Framework, cyber.gov.au, January 2026)
Based on the patterns that emerge across ANZ compliance engagements, the most common gaps preventing organisations from achieving ML2 include:
Each of these gaps is addressable — but only if you have a structured framework for tracking control status, collecting evidence, and surfacing gaps before an assessor does.
6clicks provides a purpose-built platform for structured Essential Eight compliance uplift. Unlike generic audit tools or spreadsheet-based approaches, 6clicks delivers:
For DISP members and defence contractors navigating both Essential Eight and ISM requirements simultaneously, 6clicks supports multi-framework mapping — so you assess once and satisfy multiple frameworks, rather than running parallel compliance programs.
Deploy on your terms. Not ours. Whether your environment is cloud-hosted, hybrid, or requires on-premises sovereign deployment, 6clicks works where other GRC platforms cannot reach.
If your organisation is not yet at Essential Eight ML2, start with a structured gap assessment. Book a demo with 6clicks to see how the platform maps your current control state against ACSC requirements, identifies your priority gaps, and tracks evidence collection toward ML2 — so you are always audit-ready when procurement panels or IRAP assessors come calling.