The Essential Eight is structured into three maturity levels, each describing progressively more rigorous implementation. Maturity Level One (ML1) is described in the ACSC documentation as appropriate for businesses with limited threat exposure. Maturity Level Two (ML2) and Maturity Level Three (ML3) are aimed at organisations with progressively higher risk profiles or threat actors actively targeting them.

For years, ML1 has been the de facto target for most SMBs. In 2026, that's quietly shifting. Cyber insurers increasingly want to see ML2 evidence before underwriting. Larger customers ask about it in supplier-onboarding questionnaires. The ACSC itself is signalling that ML1 is the floor for any organisation handling sensitive data.

The practical step-up from ML1 to ML2 isn't dramatic for an environment already running M365 Business Premium, Defender, Intune and a competent backup product. It's mostly tighter patching windows, application control via AppLocker or ASR rules, and a more disciplined admin-access model. Worth doing while there's time, rather than under deadline.

What it means for your business

If your security baseline is ML1 and your largest customers or your insurer are about to ask about ML2, plan the uplift now, not when the questionnaire arrives.

Source & reference: Aeora, "Essential Eight 2026: What's Changing & What to Prioritise"