The Essential Eight has quietly changed status in 2026. It’s moved from a best-practice recommendation to a baseline expectation across government, regulated industries and — increasingly — the private sector. The ACSC is leaning harder on phishing-resistant MFA (FIDO2 keys and passkeys over SMS codes), privileged-access discipline and patching speed, and signalling that Maturity Level Two is becoming the expected standard for mid-sized businesses and service providers handling sensitive customer data.

The forcing function for most SMBs won’t be the regulator — it’ll be the insurer. Cyber underwriters now routinely require evidence of Essential Eight maturity before issuing or renewing a policy. Organisations that can’t demonstrate even ML1 alignment are facing exclusions, higher premiums, or outright refusal of cover. The questionnaire has teeth now: misrepresent your controls and a claim can be denied.

Treat the Essential Eight as the structure for the security conversation, not a compliance afterthought. Map where you sit against each of the eight, close the cheap gaps first (MFA, patching, admin rights), and keep evidence — because the next renewal will ask for it, and so will any client doing vendor due diligence.

What it means for your businessEssential Eight maturity is becoming a precondition for cyber cover, not just good practice. Map your current maturity, fix the obvious gaps, and keep evidence ready for your next renewal and client security reviews.
Source & referenceTechRepublic — ACSC Essential Eight: what to expect in 2026 ↑Touchpoint — ACSC Essential Eight in 2026 ↑