The Essential Eight has quietly changed status in 2026. It’s moved from a best-practice recommendation to a baseline expectation across government, regulated industries and — increasingly — the private sector. The ACSC is leaning harder on phishing-resistant MFA (FIDO2 keys and passkeys over SMS codes), privileged-access discipline and patching speed, and signalling that Maturity Level Two is becoming the expected standard for mid-sized businesses and service providers handling sensitive customer data.
The forcing function for most SMBs won’t be the regulator — it’ll be the insurer. Cyber underwriters now routinely require evidence of Essential Eight maturity before issuing or renewing a policy. Organisations that can’t demonstrate even ML1 alignment are facing exclusions, higher premiums, or outright refusal of cover. The questionnaire has teeth now: misrepresent your controls and a claim can be denied.
Treat the Essential Eight as the structure for the security conversation, not a compliance afterthought. Map where you sit against each of the eight, close the cheap gaps first (MFA, patching, admin rights), and keep evidence — because the next renewal will ask for it, and so will any client doing vendor due diligence.
