The is retiring the and replacing it with a set of domain-specific frameworks called the Essentials series. The first chapter, Essentials for Enterprise IT, is the one that matters to most Australian businesses, because it is the direct successor to the Essential Eight for the ordinary corporate IT that a typical office runs. Consultation on the draft closed on 12 July 2026, and the shape of it is now clear enough to plan around.
If you have been working towards the Essential Eight, the first thing to know is that you have not wasted the effort. The ASD has been explicit that the investment made under the Essential Eight stays relevant under the Essentials. This is an evolution, not a reset.
What Essentials for Enterprise IT is
Essentials for Enterprise IT is the first of three confirmed chapters in the new series. The other two are Essentials for Cloud and Essentials for Operational Technology, aimed at cloud-native environments and at the industrial control systems that run infrastructure. A fourth chapter for agentic AI has been raised but is not confirmed. Enterprise IT came first on purpose: it covers the environment almost every organisation has, the laptops, servers, identities and or similar platforms that run day-to-day business.
In practice, this chapter is what the Essential Eight becomes. If your obligations or your customers have pointed you at the Essential Eight, Essentials for Enterprise IT is where that requirement is heading.
What actually changes
The biggest change is in how the guidance is written. The Essential Eight was prescriptive: eight specific mitigation strategies, each with defined maturity levels, described in terms of particular technologies. That worked well when it was built, when most organisations ran on-premises Windows environments with clear network boundaries.
It fits the current world less cleanly. A business running in the cloud, on shared-responsibility platforms and SaaS, cannot always apply a control that assumes it owns the underlying server. The Essentials series answers this by shifting from prescriptive controls to outcomes and intent. Rather than naming the exact technical step, it describes the security outcome you need to achieve and leaves more room for how you achieve it in your particular environment.
For a well-run business this is a helpful change. The familiar disciplines, patching, , controlling who has administrator access, restricting what can run, keeping backups you have tested, all carry through. What changes is that you are measured against whether the outcome is met, not against a single prescribed method that may not suit your setup.
The transition timeline
Nothing switches off overnight. The ASD is keeping both the Essential Eight and the Essentials as live documents through a transition period. On the current plan, deprecation of the Essential Eight begins around 12 months out, and full retirement lands at around 24 months. In practical terms, the Essential Eight remains a valid and current framework into 2028.
That matters for anyone with a live obligation. If a contract, an insurer or a funder asks for Essential Eight progress today, that requirement is still real and still current. You are not waiting for a new framework before you act.
Does your Essential Eight work still count
Yes. This is the question we are asked most, and the answer from the ASD is clear: the work you have done under the Essential Eight stays relevant under the Essentials. The maturity you have built, the controls you have configured and the evidence you have gathered do not become worthless when the label changes.
The reason is that the underlying disciplines are the same. Essentials for Enterprise IT is a re-expression of the same security fundamentals in a more flexible form, not a different set of things to do. A business at Essential Eight Two has built real capability, and that capability maps forward. If anything, the outcomes-based framing rewards organisations that understood why they were applying a control rather than just ticking it off.
What to do now
The sensible position is to keep going, not to pause.
- If you are working towards the Essential Eight, continue. It is current until at least 2028, and the work carries forward.
- If you have a baseline already, keep maturing it. The gaps that matter under the Essential Eight are the same gaps that will matter under Essentials for Enterprise IT.
- If you are about to start, start against the Essential Eight now and treat the Essentials transition as a later refinement, not a reason to wait.
- Watch the other chapters if they apply to you. A business with significant cloud or operational technology should keep an eye on Essentials for Cloud and Essentials for Operational Technology as they are published.
The organisations that will find the transition easiest are the ones that treated the Essential Eight as a way to actually reduce risk rather than as a compliance checklist. If your controls are configured, understood and evidenced, moving to an outcomes-based framework is straightforward. If they were only ever documented, the shift is a good prompt to close the gap between what is written down and what is really running.
A structured assessment is the practical way to see where you stand and what carries forward. We measure your environment against the Essential Eight today, and against the direction Essentials for Enterprise IT is heading, and give you an ordered list of what to fix first. If you would like to know where your business sits before the transition tightens, that is the sensible first step.
General guidance based on ASD material current at July 2026. The Essentials series is still being finalised, and specific details may change as further chapters are published.



