IronSights
All insights

compliance

The Essentials series: what comes after the Essential Eight

ASD is retiring the Essential Eight and replacing it with a family of domain-specific frameworks called the Essentials series. Three domains are confirmed: enterprise IT, cloud, and operational technology. Here's what's been announced, what's still in consultation, and how existing Essential Eight work maps across.

By IronSights Editorial, Practitioner team8 July 20264 min read
ByIronSights Editorial8 July 20264 min read

The is being retired. The replacement has a name: the Essentials series. Here's what has said publicly, what the three domain frameworks will cover, and how existing work translates. If you want the full announcement breakdown first, we covered it here.

Why a new framework

The Essential Eight was designed around a specific kind of IT environment: on-premises, Windows-heavy, with a clear network perimeter. That was a reasonable model when the framework was written. It isn't how most Australian organisations run their IT now, and ASD has been direct about acknowledging that.

The problem is fit. The same eight controls at the same maturity levels don't apply the same way to a professional services firm and a manufacturing plant with SCADA systems. Patch management requirements that are straightforward in corporate IT can cause real availability problems in operational technology. Cloud workloads don't give you the kind of infrastructure control that backup and application hardening controls were built around. The Essentials series is an attempt to fix that, not to replace the controls themselves.

The three confirmed domains

ASD has confirmed three. A fourth is under consideration.

Essentials for Enterprise IT is the direct successor to the current Essential Eight, covering standard corporate environments: workstations, servers, SaaS platforms, and whatever cloud workloads sit alongside them. The specific controls haven't been published yet, but ASD has been clear the new framework builds on the existing Essential Eight rather than replacing it outright. This is the one most Australian businesses are waiting on.

Essentials for Cloud addresses environments where cloud is the primary operating model, not an addition to on-premises infrastructure. Applying the current Essential Eight to IaaS and PaaS requires workarounds, and some of them don't hold up well in practice. This framework is intended to replace those workarounds with controls that fit how cloud infrastructure is managed.

Essentials for Operational Technology is the most structurally different from the current framework. OT networks, SCADA systems, building management infrastructure: longer patching windows, stricter uptime constraints, different failure modes. Applying the Essential Eight to these environments directly has always created problems. This domain is a purpose-built fix.

Agentic AI was mentioned in consultation materials as a possible fourth domain. Under consideration, not confirmed.

The consultation

Public consultation opened in late June 2026 and closes 12 July 2026. The final framework won't publish until after ASD has reviewed submissions, which puts it most likely later in 2026.

If your organisation applies the Essential Eight to cloud, OT, or a regulated sector and has views on where the controls don't translate well, the consultation portal at cyber.gov.au is the place to put them. ASD is asking for that kind of specific, practical input.

The June 2026 announcement put deprecation at mid-2027 and full retirement at mid-2028. The final Essentials series should publish ahead of the deprecation point, giving organisations time to understand where their existing work sits before anything actually expires.

How existing work maps across

The framework retiring doesn't mean the controls inside it are wrong.

on email, admin accounts, and remote access will be in Essentials for Enterprise IT. Patching internet-facing systems quickly will remain a core requirement whatever the framework is called. Application hardening, macro controls, and tested offline backups address problems that haven't changed and won't change when the framework name does.

Where the new framework is expected to differ is in how maturity gets measured. Under the Essential Eight, one underperforming control drags your overall rating down: seven of eight strategies at ML2 with one lagging still scores you at ML1. Whether that approach carries into the Essentials series is part of what ASD is working through. Maturity measurement for cloud and OT environments is still an open question.

What to do now

The Essential Eight is the active standard until mid-2027 at the earliest. PSPF Policy 14 still requires Commonwealth entities to reach ML2. Contracts, insurers, and government tenders still reference it. None of that changes until ASD publishes the final Essentials series and updates the relevant policies, and that hasn't happened.

The case for pausing doesn't hold up. Organisations that wait for the new framework will be starting from scratch when it lands, 18 months behind the ones that kept going. The controls in the Essential Eight map directly to what Essentials for Enterprise IT is going to require. Doing the work now isn't a sunk cost if the framework changes. It's the work.

If you want to understand where your current posture sits before the transition, we run fixed-price Essential Eight assessments with a board-ready report and results in 2 to 3 weeks.

Keep reading

More from the IronSights team.