The Essential Eight Is Being Retired, See What Comes Next

The Goalposts Finally Stop Moving.

Big news has landed in Australian cyber security. The Australian Signals Directorate (ASD) has confirmed it will retire the Essential Eight. The framework that has shaped how thousands of Australian businesses think about cyber risk is being replaced.

There is a hidden win in here too. If you have ever felt the bar for compliance shift under your feet, that frustration is finally being addressed. The goalposts that kept moving are about to be fixed, hopefully.

At FocusNet, we have leaned on the ACSC Essential Eight for years. It is the backbone of how we audit and harden the systems we look after. So when the people who built it say it is time for something new, we pay close attention. In this article we will cover what is changing, when it is happening, and what it means for you.

What the ASD actually announced

The ASD plans to retire the Essential Eight within two years. In its place comes a broader set of guidance called the Essentials series.

This is not a small tweak. It is a rethink of how Australia’s national cyber advice is built. The new approach is wider, more flexible, and designed for the way businesses run today.

Think of the Essential Eight as a GPS loaded with maps from 2017. It guided you reliably for years. But new roads have opened since then, whole cloud highways the old maps never knew about. The directions still work for the streets you have always driven, yet they cannot route you through roads that did not exist when the maps were drawn. The Essentials series is the live update for the way business moves today.

Why the change is happening

The Essential Eight first appeared in 2017. It grew out of the older Top Four controls from 2012. Back then, the cloud was a small part of business life. Most systems sat in a server room down the hall.

That world has gone. The ASD has been clear about the core problem. The Essential Eight was built for on-premises IT, and its controls do not fit cleanly into cloud and SaaS environments. As the ASD put it, a business running no cloud at all would now be a surprising sight.

The new Essentials series fixes this by changing its whole shape. Instead of strict rules tied to certain technology, it focuses on outcomes and intent. In plain terms, it tells you what you need to achieve and lets you choose the right tools to get there. That gives businesses room to move.

When it will happen

Nothing changes overnight. The ASD has set out a steady path.

  • Both documents stay live during a transition period.
  • The Essential Eight starts to be deprecated at around the 12-month mark.
  • The Essential Eight is fully retired at around 24 months.

Since the announcement landed in June 2026, full retirement points to around the middle of 2028. You have time. There is no need to tear anything up today.

What the new Essentials series looks like

The biggest shift is structure. The Essential Eight was one list for everyone. The Essentials series splits cyber guidance into separate domains, each with its own chapter. Three are confirmed to begin with.

  • Enterprise IT, which is open for feedback now.
  • Operational technology, which covers the systems that run physical equipment.
  • Cloud, which gets its own dedicated chapter.

Cloud is being pulled out on purpose. When you use a cloud provider, security is a shared job. The provider guards some things. You guard others. This is called the shared responsibility model.

Think of it like a bank. The bank builds the vault, mans the doors, and guards the cash. But the PIN to your account is yours alone, and if you hand it out, no vault can help. The provider protects the building and the systems. You protect the keys to your own data. The new cloud chapter aims to make that line crystal clear.

Underpinning all of this is the ASD’s Modern Defensible Architecture thinking. It pushes for defence in depth and for protecting your crown jewels. The old habit was to build one strong wall around everything. The smarter approach is layered, like a castle with an outer wall, an inner keep, and a locked vault for what matters most.

AI is moving quickly into the frame

The ASD has signalled that agentic AI may earn its own chapter down the track. This matters because AI agents now act on networks much like staff members, with their own logins and access. They also face new kinds of attack, such as prompt injection, where a hacker hides instructions inside ordinary text to trick the AI into misbehaving.

The ASD sees these risks as different enough to need their own guidance. It is a clear sign of where cyber thinking is heading. The tools your business adopts tomorrow will need protecting just like the staff you hire today.

The moving goalposts problem

This is the part the headline promised, and it has frustrated business owners for years.

Under the Essential Eight, the bar for each maturity level kept shifting. A business could do everything right and still appear to slip backwards on paper. Nothing about their security had actually weakened. The measuring stick had simply moved.

The ASD has now confirmed this was real. It happened because new threat know-how was folded into the existing maturity levels. The Essentials series is built to fix it. It separates threat-informed controls from a fixed maturity ladder. The goalposts should stop sliding under your feet.

What this means for your business right now

Here is the calm, practical view.

  • Your current work is safe. The ASD has confirmed that investment made under the Essential Eight stays relevant under the Essentials.
  • The eight core actions are still strong security. Multi-factor authentication, patching, backups, application control, restricting admin rights, hardening systems, restricting Office macros, and keeping operating systems current all remain good practice.
  • You have a runway of about two years. This is a planned transition, not a sudden switch.
  • The direction of travel is towards flexibility. Outcomes will matter more than ticking a fixed list.

In short, keep doing the fundamentals. They are not going anywhere. What changes is the framework that wraps around them.

A special note for insurance brokers and AFSL holders

If you run a brokerage and hold an Australian Financial Services Licence (AFSL), this update connects straight to duties you already carry.

Cyber risk is now part of your licence obligations. Under section 912A of the Corporations Act, an AFSL holder must provide financial services efficiently, honestly and fairly, and must keep adequate risk management systems in place. In the landmark case ASIC v RI Advice (2022), the Federal Court confirmed that poor cyber security and cyber resilience can breach those very obligations. In plain terms, weak IT controls are not just a technical headache for a broker. They are a compliance failure.

The stakes are no longer theoretical. In February 2026, the Federal Court fined FIIG Securities $2.5 million for cyber security failures under its AFS licence. ASIC found the firm had named cyber as a risk and even written the policies, yet failed to put enough people, funding and technology behind them for more than four years. The cost of the breach ended up far outweighing the cost of doing it properly in the first place. We unpack that case, alongside the $5.8 million Australian Clinical Labs penalty, in our piece on the first cyber fines handed down by the Federal Court.

ASIC has also been clear about where the benchmark sits. It urges licensees to follow the guidance of the Australian Cyber Security Centre. For years that has meant the Essential Eight. Soon it will mean the Essentials series. Either way, the regulator expects you to measure your systems against a recognised standard and to close the gaps you find.

The frameworks may evolve, but the expectation does not. A broker is trusted with sensitive client and policy data, and that trust now lives inside your licence. Treating cyber security as core compliance, rather than background IT, is fast becoming the mark of a well-run brokerage. It is the lens we bring to our IT support for insurance brokers.

How FocusNet sees it

We welcome this change. The Essential Eight served the country well, and it still has roughly two good years left in it. But cyber risk does not stand still, and neither should the advice that guides it.

The move from a single fixed list to flexible, outcome-based guidance reflects how real businesses operate now. Part on the ground. Part in the cloud. Increasingly supported by AI. A framework that bends with that reality is a stronger shield than one frozen in 2017.

We are already tracking the Essentials series as each chapter is released. As the guidance matures, our audits and recommendations will move with it. The fundamentals we build for our clients today are the same fundamentals that will carry through into the new framework tomorrow.

The names on the framework may change. The goal does not. Strong, sensible protection for your business, your people, and your data.

References

Australian Signals Directorate. (2025, October 23). Modern defensible architecture. Cyber.gov.au. https://www.cyber.gov.au/business-government/secure-design/secure-by-design/modern-defensible-architecture

FocusNet Technology. (2026, March 5). Breach to boardroom: Australian Federal Court hands down first-ever cyber fines. https://www.focusnet.com.au/breach-to-boardroom-federal-court-penalties/

FocusNet Technology. (n.d.). Cyber security. https://www.focusnet.com.au/cyber-security/

FocusNet Technology. (n.d.). IT support for insurance brokers. https://www.focusnet.com.au/it-support-for-insurance-brokers/

Saarinen, J. (2026, June 24). ASD to retire Essential Eight cyber security framework within next two years. iTnews. https://www.itnews.com.au/news/asd-to-retire-essential-eight-cyber-security-framework-within-next-two-years-626851

© 2025 FocusNet Technology | ABN 30 606 250 006 
