The Australian Cyber Security Centre's Essential Eight has been a recommendation for years. In 2026, expectations are tightening into something that looks much more like a baseline. According to industry guidance summarising the ACSC's direction, three areas are being prioritised: patching speed (with shorter windows for internet-facing services), privileged access discipline (just-in-time, time-bound, MFA-protected), and hardening practices (especially around cloud and OT/ICS environments).

For SMBs that previously treated Essential Eight as a maturity-level-one tick-box, the implication is uncomfortable. The standard is becoming "defensible" — meaning insurable, auditable, and survivable under regulator scrutiny. Maturity Level One was always a starting line. It is no longer a destination.

The practical work, for most SMBs running M365 + AVD + Defender + Intune, is achievable. Application control via AppLocker or Defender ASR rules. Patching cadence tracked in RMM. Admin accounts separated from daily accounts. Office macro execution constrained. None of it is new. What's new is that the ACSC is expecting you to show your working.

What it means for your business

The era of Essential Eight as a self-declaration is closing. Make sure your patching cadence, admin separation and application control are auditable, not aspirational.

Source & reference: TechRepublic — ACSC Essential Eight: What To Expect in 2026