The Australian Signals Directorate has opened consultation on retiring the Essential Eight within two years, replacing Australia's best-known cyber security baseline with a broader "Essentials" series covering enterprise IT, cloud, operational technology, and potentially agentic AI as separate domains.
The reasoning ASD has given is structural. The Essential Eight was built for on-premises IT at a time when cloud adoption was still nascent, and its controls don't map cleanly onto SaaS or shared-responsibility environments. It was also written before generative AI became both a mainstream business tool and a mainstream attack vector - it contains no controls for either. The new model shifts emphasis from prescriptive, technology-specific controls towards outcomes and intent, and explicitly decouples threat-informed controls from the fixed maturity ladder that has caused organisations to appear to "go backwards" on security in past updates, even when their actual posture hadn't changed.
This is a significant moment, but it shouldn't be a surprising one for those in the cyber sector. We made the case in our May article, that Essential Eight compliance was never a proxy for genuine cyber resilience - that the framework was a baseline, not a strategy, and that organisations treating it as an endpoint were often missing the risks that actually caused incidents: governance, third-party exposure, and data classification chief among them. We set out a fuller roadmap for closing that gap as outlined in our whitepaper, Beyond the Essential Eight, which take into account the evolving threats.
ASD's own retirement of the framework, for largely the same reasons, is a useful confirmation of that argument - but the more relevant question now is practical: what should organisations actually do about it?
How should organisations prepare?
The instinct, when a framework changes, is to wait for the new one to land and then map controls to it, another checklist to work through once it's published. That instinct is the wrong one, for the same reason the original problem existed in the first place.
A few things are worth doing now, none of which require waiting for the Essentials series to be finalised:
Don't discard the work you've already done. ASD has been explicit that Essential Eight investment carries forward. Patching, MFA, admin restriction, application control and backups remain foundational regardless of what the framework is called. The shift is in emphasis and scope, not a reset.
Get an honest baseline. The organisations best placed for this transition are the ones that already understand where their real exposure sits, independent of any single framework. That means looking at governance, third-party and supply chain risk, and data classification - the areas the Essential Eight never covered and the Essentials series is explicitly trying to address.
Treat this as a governance shift, not a procurement decision. The move to outcomes-based, intent-driven guidance means a control-by-control checklist will matter less than being able to demonstrate why your controls are appropriate for your risk profile. That's a conversation for risk and leadership, not just IT.
Get ahead of AI exposure now. ASD flagged agentic AI as a likely future chapter, specifically around non-person identity and prompt injection. Most organisations don't have policy or visibility here yet, and that gap predates the framework change - it doesn't need to wait for it.
The pattern underneath all of this is the same one we raised recently: resilience is a function of understanding your actual risk, not satisfying a fixed list. ASD's own move confirms that the list was always going to change. The organisations in the best position now are the ones that were never just working to the list in the first place.
For a detailed look at what a complete cyber resilience programme looks like beyond the Essential Eight - including practical frameworks for healthcare, financial services, utilities, and government organisations - download our full whitepaper.