What's Happening?
The Australian Signals Directorate (ASD) plans to retire its Essential Eight cybersecurity framework within two years, replacing it with a broader 'Essentials' series. This new series will cover enterprise IT, cloud, operational technology, and potentially
agentic artificial intelligence (AI) as distinct security domains. The transition aims to address the limitations of the Essential Eight, which was designed for on-premises IT environments and does not fully accommodate cloud and SaaS models. The new framework will emphasize outcomes and intent, allowing organizations more flexibility in meeting security guidance. The transition period will see both frameworks active, with the Essential Eight being phased out over the next 24 months.
Why It's Important?
The shift to a broader cybersecurity framework reflects the evolving nature of IT environments, particularly the widespread adoption of cloud services. By addressing the limitations of the Essential Eight, the new Essentials series aims to provide more relevant and flexible guidance for organizations, enhancing their ability to protect against modern cyber threats. This change is crucial for maintaining robust cybersecurity practices in an increasingly digital world, where cloud and AI technologies play a significant role.
What's Next?
ASD will continue to develop the Essentials series, with initial chapters focusing on enterprise IT, operational technology, and cloud. Organizations currently using the Essential Eight will need to adapt to the new framework, which may involve updating their cybersecurity practices and policies. ASD has opened consultations for the first chapter, with feedback due by July 2026, indicating ongoing collaboration with stakeholders to refine the new guidance.
