The Australian Signals Directorate and the Australian Cyber Security Centre say the Essential Eight cyber security framework will be retired within the next two years and replaced by a new “Essentials series”.
According to information published by ASD and ACSC, the change is intended to address limits of the current Essential Eight model, which was developed around conventional malware and more static threat conditions. The agencies say the framework has become too rigid for faster-moving threats, including those enabled by AI, and for shifting technology environments.
The replacement guidance is expected to be introduced as “Essentials for enterprise IT”, which the agencies describe as a set of prioritised, threat-informed mitigations rather than a static compliance ladder.
ASD has also indicated that organisations that have already invested in Essential Eight implementation will not see their work made redundant, with the new series expected to align closely with existing controls.
A national consultation on “Essentials for enterprise IT” is currently open and scheduled to run until July 12, 2026. Feedback can be submitted via the ACSC Partner Portal.
For many Australian organisations, the announcement signals a likely shift in how baseline cyber controls are assessed and maintained, particularly for programs that have treated Essential Eight maturity levels as a primary compliance benchmark. During the transition period, the existing Essential Eight remains in place while the new guidance is phased in.
