The Australian Signals Directorate (ASD) has released significant updates to the Essential Eight Maturity Model, reinforcing its position as the cornerstone cybersecurity framework for Australian organisations. These changes reflect the evolving threat landscape and raise the bar for what constitutes effective cyber hygiene across all maturity levels.
What Is the Essential Eight?
For those new to the framework, the Essential Eight is a set of baseline mitigation strategies recommended by the ASD to protect organisations against cyber threats. The strategies are organised across three maturity levels, with each level representing an increasing degree of implementation rigour. The eight strategies cover:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Key Changes in the 2025 Update
Tighter Patching Timelines
One of the most impactful changes is the reduction in acceptable patching windows. At Maturity Level 2, organisations are now expected to patch critical vulnerabilities in internet-facing services within 48 hours of a patch becoming available, down from the previous two-week window. This reflects the reality that threat actors are weaponising vulnerabilities faster than ever, often within days of public disclosure.
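The 48-hour window described above is the kind of thing an internal assessment should measure rather than estimate. The following helper is an added example, not ASD or DGplex code: it encodes only the timeline the article states (critical vulnerabilities in internet-facing services, 48 hours from patch availability at Maturity Level 2) and reports no deadline for any other case, since the article gives none; the asset names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

# Hypothetical helper. Only the window the article states is encoded here:
# ML2 expects critical vulnerabilities in internet-facing services to be
# patched within 48 hours of a patch becoming available.
CRITICAL_INTERNET_FACING_WINDOW = timedelta(hours=48)

@dataclass
class PatchRecord:
    asset: str
    internet_facing: bool
    severity: str                  # e.g. "critical", "high"
    patch_available: datetime      # timezone-aware
    patched: Optional[datetime]    # None means still unpatched

def deadline_for(rec: PatchRecord) -> Optional[datetime]:
    """Return the ML2 deadline, or None where the article states no window."""
    if rec.internet_facing and rec.severity == "critical":
        return rec.patch_available + CRITICAL_INTERNET_FACING_WINDOW
    return None

def assess(records: Iterable[PatchRecord], now: datetime) -> Dict[str, str]:
    """Classify each asset: met, breached, open (unpatched, deadline not yet
    passed) or no_window (the article gives no timeline for this case)."""
    results = {}
    for rec in records:
        deadline = deadline_for(rec)
        if deadline is None:
            results[rec.asset] = "no_window"
        elif rec.patched is not None:
            results[rec.asset] = "met" if rec.patched <= deadline else "breached"
        else:
            results[rec.asset] = "breached" if now > deadline else "open"
    return results

# Constructed sample data: one patch released at T0 across four assets.
T0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    PatchRecord("vpn-gw-01", True, "critical", T0, T0 + timedelta(hours=30)),
    PatchRecord("web-portal", True, "critical", T0, T0 + timedelta(days=5)),
    PatchRecord("mail-edge", True, "critical", T0, None),
    PatchRecord("intranet-wiki", False, "critical", T0, T0 + timedelta(days=5)),
]

if __name__ == "__main__":
    for asset, status in assess(SAMPLE, now=T0 + timedelta(days=3)).items():
        print(f"{asset:15} {status}")
```

Feeding real vulnerability-management exports into `assess` gives an evidence trail of exactly which internet-facing assets missed the window and by how much, which is what an updated self-assessment needs to show.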
Expanded MFA Requirements
Multi-factor authentication requirements have been broadened significantly. Maturity Level 2 now mandates phishing-resistant MFA — such as FIDO2 hardware tokens or passkeys — for all users accessing internet-facing services, not just privileged accounts. SMS and email-based one-time codes are no longer considered sufficient at this level, acknowledging the rise of MFA bypass techniques like adversary-in-the-middle attacks.
Application Control Enhancements
The updated model places greater emphasis on application control beyond simple allowlisting. Organisations at Maturity Level 3 must now implement controls that validate the integrity of allowed applications, ensuring that even approved software hasn't been tampered with. This addresses supply chain attack vectors that have become increasingly prevalent.
Backup and Recovery Testing
The backup strategy requirements now explicitly mandate regular recovery testing. It's no longer enough to simply maintain backups — organisations must demonstrate that their backups can be restored within defined recovery time objectives. This change was driven by numerous incidents where organisations discovered their backups were corrupted or incomplete only during an actual ransomware event.
What This Means for Australian Organisations
These updates present both challenges and opportunities. Organisations that have been steadily progressing through the maturity levels may find that their current implementations no longer meet the revised criteria. A self-assessment that previously scored at Maturity Level 2 might now fall short under the updated requirements.
The message from ASD is clear: static security postures are no longer acceptable. Continuous improvement and regular reassessment are essential.
For government agencies and critical infrastructure operators, these changes carry additional weight. The Protective Security Policy Framework (PSPF) increasingly references the Essential Eight, and procurement processes are beginning to require evidence of maturity level compliance from suppliers.
How DGplex Can Help
At DGplex, we work with organisations across Australia to assess their current Essential Eight maturity, identify gaps against the updated model, and build practical roadmaps to achieve compliance. Our approach focuses on pragmatic, risk-based implementation rather than checkbox exercises — ensuring that security investments deliver genuine protection.
If you're unsure where your organisation stands against the 2025 updates, our team can conduct a rapid assessment and provide clear, actionable recommendations.