On 24 June 2026, Chris Horlyck, ASD's Head of Cyber Security Resilience, confirmed what the industry had been circling for some time: the Essential Eight is being retired. Not updated. Not restructured. Retired.
The timeline: deprecation in approximately 12 months, full retirement in 24. A replacement framework called the "Essentials series" is out for public consultation, closing 12 July 2026. The final version hasn't been published.
If you've been working toward Essential Eight compliance, or wondering whether to start, this is what the announcement actually said, what it didn't say, and what you should do in the meantime.
What ASD actually announced
The Essential Eight will be deprecated around mid-2027 and fully retired by approximately mid-2028. That's what Horlyck said publicly, with the caveat that consultation is open and the timeline could shift.
The replacement is the "Essentials series" — separate domain-specific frameworks rather than a single universal checklist. The confirmed domains are enterprise IT (the direct successor to the current Essential Eight), cloud, and operational technology (OT). Agentic AI was mentioned as a possibility, not a confirmed track.
The rationale for retiring the current framework tells you something about where the new one is headed. The Essential Eight was designed before cloud became mainstream. It was built around a particular operating model — on-premises, Windows-heavy, perimeter-based — and it doesn't account for sector differences, supply chain risk, or how most Australian businesses actually run their IT today. Applying the same eight controls at the same to a 20-person law firm and a 500-person financial services firm was always a rough approximation. ASD has acknowledged that directly.
The consultation notice is at cyber.gov.au. If you have views on what the new framework should require, submissions close 12 July 2026.
What the Cyber Security Act 2024 has to do with this
Not much, directly. The Cyber Security Act 2024, passed November 2024, does not mention the Essential Eight anywhere in its text. The Act introduced four things: smart device security standards, mandatory ransomware payment reporting, limited-use protections for voluntarily shared incident information, and a Cyber Incident Review Board.
The ransomware reporting obligation is the one that catches most businesses off guard. If you carry on business in Australia with annual turnover above $3 million, you're required to report any ransomware payment to ASD within 72 hours of making or becoming aware of the payment. There's no minimum payment threshold. All payments must be reported, regardless of amount. The 72-hour clock runs from when you make the payment or learn it was made — not from when the attack started. Reports go through the ReportCyber portal at cyber.gov.au. The obligation commenced 30 May 2025.
The ransomware reporting requirement and the Essential Eight sit on completely separate legislative tracks. Retiring the Essential Eight has no effect on the reporting obligation.
For Commonwealth agencies, the Essential Eight mandate continues via PSPF Policy 14, which requires Maturity Level 2. That requirement will presumably be updated once ASD publishes the final Essentials series, but nothing has changed yet. Worth noting: as of the 2025 Commonwealth Cyber Security Posture report, only 22% of Commonwealth entities had achieved the ML2 they're mandated to reach. The framework being retired is one most government agencies haven't fully implemented.
SMB1001 — useful, but understand what it is
SMB1001 has been positioned by some in the market as the Essential Eight alternative for SMEs. Before treating it as a replacement, it helps to understand what it actually certifies.
SMB1001 is a private market certification, not an ASD standard. The Cyber Security Act 2024, the SOCI Amendment Rules 2025, and the PSPF make no reference to it. At Bronze, Silver, and Gold tiers, certification is granted on the basis of a company director's personal attestation via the CyberCert portal. No independent auditor verifies controls are in place. That only changes at Diamond — the highest tier — which requires external audit.
The coverage gaps relative to the Essential Eight are real. Application control (allowlisting) and Microsoft Office macro restrictions — both ML1 requirements in the Essential Eight — don't appear in SMB1001 until Level 5 (Diamond). If you're considering SMB1001 because it covers Essential Eight controls in an SME-friendly format, it doesn't fully do that at the lower tiers.
That said, SMB1001:2025 has one structural advantage that matters in practice: you can advance control by control, rather than being held to your lowest-scoring strategy. Under the Essential Eight, your maturity level is your worst-performing strategy. You can have seven of eight at ML2 and still be scored as ML1. SMB1001 doesn't work that way, which makes incremental progress easier to demonstrate.
If you're evaluating SMB1001 as a market signal to clients or supply chain partners who want to see a certification, it serves that purpose at lower tiers. If you want controls that match Essential Eight ML1, you need Diamond, with an auditor behind it.
What to do right now
The controls in the Essential Eight remain technically valid. The retirement announcement doesn't make MFA, patching, application hardening, or offline backups less important; it means ASD is building a more fit-for-purpose framework around those same controls. Work you do now translates directly into whatever the Essentials series requires.
Keep going if you're working toward ML1 or ML2. Pausing because the framework is being retired is like skipping seatbelts because crash safety standards are being updated.
The consultation closes 12 July 2026. ASD will publish the final Essentials series after that, most likely late 2026. That's when you'll know what "Essentials for Enterprise IT" actually requires and how your existing work maps to it.
Don't wait for the new framework to start. The deprecation window means the Essential Eight is still the active standard until roughly mid-2027. The controls that matter most — MFA everywhere, patching internet-facing systems quickly, tested backups, application hardening — are not going away.
If you need a certifiable standard now and can't wait for the Essentials series, is worth a look. It's externally audited, internationally recognised, and has no retirement date on it. More resource-intensive than the Essential Eight, but it won't be deprecated in 18 months.
Ask your IT provider what they're doing with this. The better ones are already tracking the ASD consultation and mapping client environments against the expected Essentials for Enterprise IT requirements. If yours isn't, it's a fair question to raise.
Where things stand
The Essential Eight is being retired on a 12-to-24 month timeline, to be replaced by a framework family that better accounts for cloud, OT, and how Australian businesses actually operate. The final shape of that replacement isn't published yet.
For most businesses, the right move is to keep implementing the controls that have always mattered, watch the ASD consultation output after 12 July, and treat the next 18 months as time to build a security posture that will port cleanly to whatever the Essentials series requires. The controls aren't changing. The structure around them is.
If you want to understand where your current posture sits and how to position for the new framework, we're happy to walk through it with you.



