
Essential Eight Compliance: Why 78% of Australian Organisations Are Still Falling Short

Only 22% of assessed entities have reached Maturity Level 2 across all eight strategies. With cyber insurers now demanding E8 compliance, the gap is becoming a business risk.

The Australian Signals Directorate's Essential Eight mitigation strategies have been the baseline cyber hygiene benchmark for Australian organisations since their introduction. Yet compliance data tells a sobering story: only 22% of assessed entities have achieved Maturity Level 2 across all eight strategies. That means 78% of organisations fall below the level the ASD considers effective baseline protection.

The November 2023 update to the Essential Eight Maturity Model raised the bar significantly, tightening control requirements and demanding evidence-based documentation rather than self-assessment questionnaires. Compliance rates actually dropped from 25% before the update as the more rigorous standards took effect.

Why Maturity Level 2 matters now

The ASD recommends that all Australian businesses work toward Maturity Level 3 for optimal protection. Government agencies are required to achieve at least Level 2. But the practical significance of E8 maturity extends well beyond government mandates.

Cyber insurers in Australia now routinely demand Maturity Level 2 as a minimum prerequisite for coverage. Multi-factor authentication must be in place across email, VPN, administrative accounts, and cloud applications. Patching cadences, application whitelisting, and backup practices are all scrutinised during the underwriting process.

For most SMBs, the reality is stark. The majority currently sit between Maturity Level 0 and Maturity Level 1, meaning significant work is required to reach the threshold that insurers, and increasingly clients and partners, expect.

The eight strategies and where organisations struggle

The Essential Eight strategies are: application control, patch applications, configure Microsoft Office macros, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

While MFA has seen the widest adoption, driven largely by cloud platform defaults and insurer requirements, application control and user application hardening remain the areas where most organisations fall short. These controls require more technical investment and ongoing management, particularly in environments with legacy systems.

The ASD's own analysis found that 59% of entities report that legacy IT systems impede achieving full maturity. This isn't surprising: many organisations run critical processes on systems that weren't designed with modern security controls in mind. But it does mean that E8 compliance often requires a broader technology modernisation conversation, not just a security configuration exercise.

The cyber insurance connection

The Australian cyber insurance market is growing rapidly, forecast to expand from $467 million in 2025 to nearly $2 billion by 2034. As the market matures, underwriters are becoming more sophisticated in their risk assessments. A few years ago, a completed questionnaire might have been sufficient. Today, insurers want evidence: configuration screenshots, policy documents, penetration test results, and E8 maturity assessments from qualified assessors.

Businesses that can't demonstrate at least Maturity Level 2 face higher premiums, restrictive policy exclusions, or outright denial of coverage. In industries where cyber insurance is a contractual requirement (government contracting, professional services, healthcare), this directly impacts your ability to win and retain work.

Where to start

Commission a formal Essential Eight assessment against the current (November 2023) maturity model. Understand where your gaps are, particularly in application control, patching, and administrative privilege management. Build a prioritised remediation roadmap that your board can track, and that you can present to insurers and clients as evidence of your commitment to baseline security.

The four big moves

The ACSC's latest guidance identifies four strategic priorities alongside the Essential Eight: implement best-practice logging, replace legacy IT, manage third-party risk, and prepare for post-quantum cryptography. These signal where the compliance landscape is heading next.

Essential Eight compliance isn't the finish line; it's the starting point. But for 78% of Australian organisations, it's a starting point they haven't reached yet. The longer the gap persists, the greater the exposure, not just to cyber threats but to insurability, contractual, and regulatory risk.

Kaurna Acknowledgement

We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.