Security2026-06-29·5 min read

The Essential Eight Is Being Retired: What ASD’s New “Essentials” Means for Small Business

ASD will retire the Essential Eight within two years and replace it with the “Essentials” series. What the change means for Australian small business — and why the basics still matter.

In June 2026 the ASD confirmed it will retire the Essential Eight and replace it, over about two years, with a broader “Essentials” series. For a small business:

  • Nothing breaks today — the Essential Eight is still current; if a contract or insurer names it, keep meeting it, and existing work carries forward.
  • The reason is cloud — ASD says the Essential Eight predates cloud and does not translate cleanly to shared-responsibility and SaaS environments; the Essentials series splits into chapters for enterprise IT, cloud and operational technology.
  • The basics still matter most — ASD puts small-business cybercrime at $56,571 a year, and only 43% of small-business domains enforce DMARC; MFA, updates, backups and a clean public surface beat any framework version number.

Do not wait two years for a new framework to fix what the basics already cover — and note the first Essentials chapter is, again, written for enterprise IT.

In June 2026 the Australian Signals Directorate confirmed it will retire the Essential Eight — the cyber framework most Australian businesses have at least heard of — and replace it over the next two years with a broader model called the "Essentials" series. If you run a small business, here is the short version: nothing breaks today, the basics still matter more than the badge, and this change is aimed mostly at organisations far larger than yours.

What ASD actually announced

ASD has opened a public consultation on evolving the Essential Eight into a new "Essentials" series, and will phase the old framework out over roughly two years (Australian Signals Directorate, consultation on the evolution of the Essential Eight, June 2026). The two run side by side at first: ASD expects to begin deprecating the Essential Eight in about 12 months and to retire it fully in about 24.

The first piece out for feedback is "Essentials for enterprise IT". Further chapters are planned for cloud and operational technology, with agentic AI flagged as a likely future domain. In other words, one framework is being split into several, each written for a specific kind of environment.

Why retire something that works?

Because the Essential Eight was built for a kind of network that is disappearing. The ACSC's Chris Horlyck put it plainly in 2026: "Essential Eight started before cloud was really a big thing in the sector. Now, if you don't have cloud, that would be a really surprising architecture to have." The controls, he noted, do not translate cleanly to the shared-responsibility and SaaS setups almost everyone runs now.

There is also a structural shift. The Essential Eight pairs eight controls with a rigid maturity ladder, Maturity Level Zero through Three. The Essentials series is being framed as prioritised, threat-informed mitigations rather than a fixed compliance ladder — guidance meant to flex with how organisations actually run their technology.

A quick refresher on the Essential Eight

The Essential Eight is ASD's list of eight baseline mitigations: patch applications, patch operating systems, multi-factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening, and regular backups. Organisations rate themselves against four maturity levels. It has been the de facto Australian baseline since 2017 — and, by ASD's own scoping, was designed for Microsoft Windows-based internet-connected networks.

What changes for your business right now

Nothing you must act on today. If a contract, insurer or tender names the Essential Eight, it is still the current standard, so keep meeting it. ASD has been explicit that existing work carries over: "The investment you've made under the Essential Eight will still be relevant under the Essentials," Horlyck said. Tools and controls you have already put in place map forward into the new model.

What you should not do is treat a two-year transition as a reason to delay fixing anything.

The small-business catch

Here is the part worth saying out loud: the Essential Eight was never a comfortable fit for a small business, and the first chapter of its replacement is, once again, "Essentials for enterprise IT". Most of the Essential Eight assumes a managed Windows fleet and IT staff to run it — infrastructure a five- or ten-person firm does not have. We have written before about security advice that is sized for someone else, and a rename does not change that arithmetic.

The risk is real whichever framework is in fashion. ASD puts the average cost of cybercrime to a small business at $56,571 (Australian Signals Directorate, Annual Cyber Threat Report 2024-25). And the basics that actually stop those incidents are still widely undone: in our June 2026 SMB Posture Baseline, only 43% of small-business domains enforce DMARC, and the median web-security grade was F (Red Bridge Cyber SMB Posture Baseline, June 2026).

What to do instead of waiting

Do the things that do not depend on any framework's version number:

  • Turn on multi-factor authentication everywhere it is offered, starting with email.
  • Keep software and devices on automatic updates.
  • Back up what would end the business if you lost it — and test that the backup actually restores.
  • Fix your public surface: enforced HTTPS, the SPF, DKIM and DMARC email records, and your response headers.

If you want a standard sized for a business your size, SMB1001 starts where you are rather than where an enterprise is. And if a defence or government contract requires the Essential Eight — for example DISP membership — that requirement stands until ASD says otherwise, so meet it properly.

Should you send feedback?

You can, if it affects you. The consultation on the first Essentials chapter is open until 12 July 2026, submitted through the ACSC Partner Portal. It is pitched at enterprise IT, so it is most relevant if your business is large enough to run the Essential Eight in earnest. For everyone else, the more useful hour is the one you spend turning on MFA and checking your email records.

The framework is changing. The threats — invoice fraud, account takeover, unpatched websites — are not. Whatever ASD calls the baseline in 2028, the businesses that come through fine will be the ones that did the basics in 2026.

Sources

#security#australian-business#small-business