ASD Is Retiring the Essential Eight. Don’t Wait Two Years to Fix the Basics.
ASD is retiring the Essential Eight, quietly admitting it was built for a world we have left. A founder’s take: do not wait for the replacement — and do not assume it fits small business.
A consultation notice went up on the ASD website this month that I had half-expected for years. The Australian Signals Directorate is going to retire the Essential Eight — the framework everyone in this country means when they say “the cyber checklist” — and replace it, over the next two years, with something new.
A consultation notice went up on the ASD website this month that I had half-expected for years. The Australian Signals Directorate is going to retire the Essential Eight — the framework everyone in this country means when they say "the cyber checklist" — and replace it, over the next two years, with something new.
I have opinions about the replacement. But the first thing I felt reading it was not vindication. It was worry about who is going to act on it, and who is going to use it as one more reason to do nothing.
The quiet admission in the announcement
ASD did not say the Essential Eight was wrong. It said it was old. Chris Horlyck from the ACSC put it about as plainly as a public servant can in 2026: "Essential Eight started before cloud was really a big thing in the sector." The controls, he said, do not translate cleanly to the cloud and SaaS setups almost everyone runs now.
Read that again, because it is the whole story. The agency that wrote the Essential Eight is telling you it was built for a world — on-premises Windows networks, a server room, a sysadmin down the hall — that most businesses have already left.
I have been making a narrower version of that argument to small-business owners for a while: the Essential Eight was built for an org chart you do not have. Now ASD is saying it was built for a decade you have also left. Same problem, bigger frame.
What this does not mean
It does not mean the Essential Eight stops working on a date. There is a two-year transition; the old framework and the new "Essentials" run side by side, and ASD says the money you have already spent carries over. If a contract or your insurer names the Essential Eight, it is still the standard. Keep meeting it.
And it does not mean a better framework is about to arrive and rescue you. That is the trap I am worried about.
Don't wait for the replacement
Here is what two decades of watching this stuff has taught me. Every time a new framework is announced, a certain kind of business treats it as permission to pause. Why fix the email records now if the rules are changing? Why turn on multi-factor authentication this quarter if there is a new model coming?
Because the people trying to get into your accounts did not read the consultation paper. While the framework gets its rewrite, the invoice scammer is still spoofing your domain, and the median small-business website I look at still grades an F. In our own June 2026 scan, only 43% of small-business domains actually enforce DMARC — the one record that stops criminals emailing your customers as you. None of that is waiting two years. Neither should you.
The basics have not changed, and they are not in the consultation: multi-factor authentication, automatic updates, tested backups, and a clean public surface. I wrote recently about big budgets sitting on F-grade basics. If the well-funded cannot be bothered, the framework was never the thing holding anyone back.
And don't assume the new one is for you either
The first chapter ASD has put out for consultation is called "Essentials for enterprise IT". Enterprise. Again. The feedback runs through the ACSC partner portal, which is not exactly a front door a five-person plumbing firm walks through.
I am not sour about it — covering cloud, operational technology and eventually AI is the right call, and the people doing this work are good at it. But I would put money on how it ends: when the dust settles, small business will once more be handed the enterprise document and told to shrink it. The cost of cybercrime to a small business is already $56,571 on ASD's own numbers. The owners wearing that are not the ones who picked the wrong maturity level. They are the ones who never did the three things that fit on an index card.
The question worth sitting with
So the framework I have spent years telling small-business owners to skip is being retired, and I find myself oddly unbothered by its passing. It was good engineering for the networks it was built for. It just never fit yours — and now its own author is saying it does not fit the times either.
The new one will have a new name and a cleaner diagram. The question underneath it is the same one it always was: not "which framework are we complying with," but "which of the handful of things that actually matter have I still not done?" You already know your answer. The rebrand does not change it.
Sources
- Australian Signals Directorate, Consultation on the evolution of the Essential Eight — retrieved 25 June 2026
- iTnews, ASD to retire Essential Eight cyber security framework within next two years — retrieved 25 June 2026
- Australian Signals Directorate, Annual Cyber Threat Report 2024-2025 — retrieved 25 June 2026
- Red Bridge Cyber, SMB Posture Baseline, June 2026