
Essential Eight Maturity Levels Explained: What ML1, ML2, and ML3 Actually Require (2026)

A practical breakdown of Essential Eight maturity levels for Australian business owners. What each level requires, what it costs, which controls to tackle first, and whether your Microsoft 365 licence already covers it.

Robbie Cronin · 18 min read

You've been told your business needs to meet "Essential Eight Maturity Level 2." You Googled it. You found a wall of government PDFs written for IT security professionals.

This guide is the plain-English version. What each maturity level actually requires, what it costs, which controls are hardest, and what your Microsoft 365 licence already covers.

The Maturity Levels at a Glance

The Essential Eight framework has four maturity levels: 0 through 3. Each level builds on the one below it. The higher the level, the more rigorous the requirements.

Maturity Level Overview

| Feature | Level 1 | Level 2 |
|---|---|---|
| Designed for | Basic cyber hygiene | Most Australian businesses |
| MFA requirement | Any MFA (app, SMS, hardware) | Phishing-resistant only (security keys, Windows Hello) |
| Patching deadline | Internet-facing: 2 weeks. Critical: 48 hours | All systems: 2 weeks. Critical: 48 hours |
| Application control | Basic allowlisting (AppLocker or equivalent) | Full allowlisting via WDAC, Microsoft's blocklist, annual review |
| Admin privileges | Separate admin accounts, no web/email | Separate admin workstations, enhanced logging |
| Backups | Daily, tested, offsite | Privileged access restricted, tested quarterly |
| Logging | Basic event logging | Centralised collection and monitoring |
| Cost (50-person SME) | $15,000-$35,000 | $20,000-$45,000 on top of ML1 |
| Timeline | 3-4 months | 4-6 months beyond ML1 |

Level 0 means you haven't started. No meaningful controls in place.

Level 1 is the basics. MFA turned on, high-risk apps patched within two weeks, macros blocked from the internet. It stops opportunistic attacks.

Level 2 is where most businesses should aim. Phishing-resistant MFA, faster patching, full application control, centralised logging. It's what cyber insurers expect and what the Protective Security Policy Framework (PSPF) requires for Commonwealth entities.

Level 3 is for organisations facing nation-state level threats. Defence contractors, critical infrastructure, intelligence agencies. Most private businesses don't need it and shouldn't pay for it.

22% of Australian federal agencies met Maturity Level 2 in 2025 (ASD Commonwealth Cyber Security Posture report). The rate dropped from 25% to 15% in 2024 after the November 2023 update raised the bar, then recovered to 22% in 2025. If government agencies with dedicated security teams struggle, this isn't a simple checkbox exercise.

What Changed in November 2023

The ASD published a major update to the maturity model in November 2023. It didn't add new controls, but it raised the requirements significantly. If you're reading older guides, they're likely out of date.

The three biggest changes:

MFA got much stricter at ML2. Before the update, any MFA met ML2. After the update, ML2 requires phishing-resistant MFA only. That means FIDO2 security keys, Windows Hello for Business, or smart cards. SMS codes no longer meet any maturity level (they don't satisfy the "something you have" requirement since SIMs can be swapped). Authenticator app push notifications were downgraded to ML1. This was the most disruptive change for most organisations.

Patching deadlines rebalanced. Internet-facing applications now need patching within two weeks at ML2 (tightened from one month). Critical vulnerabilities need patching within 48 hours across all levels. However, OS patching for workstations and non-internet-facing systems was relaxed from two weeks to one month at ML2, shifting focus to higher-risk systems.

Application control moved earlier. Microsoft's recommended application blocklist is now required at ML2, moved down from ML3. This was a shift targeting "living off the land" attacks where attackers use legitimate Windows tools.

These changes are why government compliance rates dropped from 25% to 15% in 2024 (before recovering to 22% in 2025). The controls didn't get worse. The measurement got more honest.

Control by Control: What Each Level Requires

1. Application Control

This is the control that trips up most organisations. It decides which software is allowed to run on your systems.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Tool | AppLocker or equivalent | WDAC (Windows Defender Application Control) | WDAC with advanced config |
| Approach | Basic allowlisting of approved executables | Microsoft's recommended blocklist, full allowlisting with vendor hardening guidance | Organisation-wide enforcement, no exceptions |
| Review | Best practice (not formally required) | Annual or more frequent | Continuous monitoring via SIEM |
| Logging | Allowed/blocked events logged centrally | All events monitored centrally | Integrated into SIEM for analysis |

The hard part: WDAC at ML2 requires deep Windows security knowledge. Misconfigured policies can render devices unbootable. Expect 8-12 weeks for a 50-person business, including an audit mode discovery phase where you identify every legitimate application before enforcing anything.

The shortcut that doesn't work: Windows Defender SmartScreen (reputation-based blocking) does not meet ML2. You need explicit application allowlists.

2. Patch Applications

How fast you patch third-party software: browsers, PDF readers, Office, email clients.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Critical vulnerabilities | 48 hours | 48 hours | 48 hours |
| Internet-facing apps | 2 weeks | 2 weeks | 48 hours (all apps) |
| Other apps | Not explicitly required | 1 month | Running latest or previous version |
| Vulnerability scanning | Weekly (high-risk apps) | Weekly (high-risk) + fortnightly (other apps) | Weekly + continuous |

The hard part: Microsoft Intune patches Microsoft products natively and has limited third-party patching via Winget integration, but it's not comprehensive enough for ML2 compliance across apps like Chrome, Adobe, or Zoom. Most organisations still need a dedicated patch management tool (Patch My PC, ManageEngine, Automox). Budget $5,000-$10,000 per year.

Chrome alone releases security patches every 1-2 weeks. Manual patching is not viable at ML2 cadence.

3. Configure Microsoft Office Macros

How macros are handled in Word, Excel, PowerPoint.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Internet macros | Blocked | Blocked | Blocked |
| Internal macros | Disabled unless business need | Only from signed, trusted locations | Organisational approval + annual audit |
| Enforcement | Users can't change settings | Windows Defender ASR rules block API calls | Trusted publisher list reviewed annually |
| Logging | Basic | Allowed and blocked executions logged | Centralised + analysed |

The hard part: Many businesses still rely on Excel macros for internal reporting, finance, or operations. You'll need to either sign all macros with a code-signing certificate, migrate to modern tools (Power BI, Python), or accept exceptions that reduce your security posture.

Most SMEs go with: macros blocked everywhere except a restricted Finance folder, with all macros in that folder signed by IT.

4. User Application Hardening

Locking down risky features in browsers, email clients, and PDF viewers.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Browser features | Flash, Java, and web ads blocked from internet | Untrusted add-ins disabled, enhanced hardening | PowerShell constrained language mode |
| Office features | Basic | ASR rules block child processes and code injection | Full enforcement, no exceptions |
| PDF viewers | Basic hardening | Block PDF from creating child processes | Centrally enforced |

The hard part at ML3: PowerShell constrained language mode restricts legitimate admin scripts. You'll need a process for signing approved scripts and exceptions. At ML2, the main effort is deploying browser and Office hardening policies via Group Policy or Intune.

5. Restrict Administrative Privileges

Who has admin access and how they use it.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Account separation | Separate admin and standard accounts | Separate admin workstations | Secure Admin Workstations (SAWs) |
| Internet/email | Admin accounts can't browse web or use email | Enhanced credential management | Full hardware isolation |
| MFA | Required for admin accounts | Required with logging | Phishing-resistant, session-limited |
| Logging | Basic | Enhanced, centralised | SIEM integration |

The hard part: People resist using two accounts. Admins want to check email from their admin session. That's exactly the behaviour this control prevents. Expect 8-12 weeks of enforcement, including pushback.

At ML3, Secure Admin Workstations are dedicated hardened devices used only for admin tasks. They add $2,000-$5,000 per workstation for hardware and management.

6. Patch Operating Systems

How fast you patch Windows, macOS, and Linux.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Internet-facing | 2 weeks (48 hours if exploit exists) | 2 weeks (48 hours if exploit exists) | 48 hours for everything |
| Other systems | 1 month | 1 month | Running latest or previous version |
| Vulnerability scanning | Fortnightly | Weekly | Weekly + continuous |
| End-of-life systems | Should be replaced | Must be replaced | No exceptions |

The reality: Microsoft ended support for Windows 10 in October 2025. If you still have Windows 10 machines, they're receiving no security updates and they fail this control at every maturity level. Budget for hardware upgrades if needed.

Intune setup: Create update rings with 0-day deferral for security patches, auto-restart at 2am, and a 14-day deadline for forced installation if users haven't rebooted.
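The ring settings above are configured in the Intune portal, but the result is only useful if each device actually received them. The following audit script is an added example, not from the article or from Microsoft, and it reads the Windows Update policy registry values a device ends up with and compares them to the article's targets (0-day quality-update deferral, install at 02:00, 14-day compliance deadline). It assumes the Intune Update policy CSP mirrors its settings into the Group Policy registry path below, as the equivalent GPO does; verify on one ring member first. The function names are this example's own.

```powershell
# Added example (not from the article): audits the effective Windows Update policy
# on a device against the update-ring targets the article describes.
# Assumption: Intune's Update CSP settings appear under the Group Policy path below
# (they do for the equivalent GPO); confirm on one enrolled device before relying on it.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent so "not configured" is visible in the report.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-UpdateRingPolicy {
    # Target values from the article's ring: no deferral, 02:00 install, 14-day deadline.
    $checks = @(
        @{ Name = 'DeferQualityUpdatesPeriodInDays';    Path = $WuPolicy; Expected = 0  }
        @{ Name = 'SetComplianceDeadline';              Path = $WuPolicy; Expected = 1  }
        @{ Name = 'ConfigureDeadlineForQualityUpdates'; Path = $WuPolicy; Expected = 14 }
        @{ Name = 'AUOptions';                          Path = $AuPolicy; Expected = 4  }  # 4 = auto download and schedule install
        @{ Name = 'ScheduledInstallDay';                Path = $AuPolicy; Expected = 0  }  # 0 = every day
        @{ Name = 'ScheduledInstallTime';               Path = $AuPolicy; Expected = 2  }  # hour of day, 24h clock
    )
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
            Expected = $c.Expected
            Pass     = ($actual -eq $c.Expected)
        }
    }
}

$report = Test-UpdateRingPolicy
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'Device does not match the target update ring; check Intune assignment and sync state.'
}
```

Run it locally in an elevated session, or wrap it in an Intune remediation script so the "Pass" column becomes a fleet-wide compliance signal rather than a one-off check.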

7. Multi-Factor Authentication

The control that changed the most in November 2023.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Type required | "Something you have" + "something you know" | Phishing-resistant only | Phishing-resistant, no exceptions |
| What qualifies | Authenticator apps, hardware tokens | FIDO2 security keys, Windows Hello for Business, smart cards | Same as ML2, universally enforced |
| Coverage | Internet-facing services | All systems including workstations | All systems, all users |

SMS Codes No Longer Meet ML1

The November 2023 update requires ML1 MFA to include "something you have" (physical token or device) plus "something you know" (password/PIN). SMS-only authentication no longer qualifies at any maturity level. If your MFA is just SMS codes, you're at Level 0.

Cost of phishing-resistant MFA: FIDO2 security keys (YubiKey, Titan) cost $30-$80 each. For 50 users plus backup keys, budget $3,000-$8,000 in hardware. Windows Hello for Business is free if your devices have TPM 2.0 and requires Intune for management (works on both Windows 10 and 11).

For SMEs, Windows Hello for Business is the most practical path to ML2. It uses your existing devices (if they have TPM 2.0 hardware), integrates with Intune, and users are already familiar with biometric authentication. Check your devices with the Get-Tpm PowerShell command.
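Get-Tpm tells you whether a TPM is present and ready, but not whether it is a 2.0 part, which is the prerequisite the article names. The script below is an added example (not from the article or from Microsoft) that combines Get-Tpm with the Win32_Tpm CIM class, which does expose the spec version, and returns one object per device so the output can be collected across a fleet. It needs an elevated session; the function name Test-WhfbTpmReadiness is this example's own.

```powershell
# Added example (not from the article): reports whether a Windows device has the
# TPM 2.0 the article names as the prerequisite for Windows Hello for Business.
# Get-Tpm reports presence and readiness but not the spec version, so Win32_Tpm
# is queried for that. Run elevated; the function name is this example's own.

function Test-WhfbTpmReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = 'unknown'
        Tpm20          = $false
        Ready          = $false
    }

    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady   # provisioned and usable, not merely present
    } catch {
        Write-Warning "Get-Tpm failed on $($env:COMPUTERNAME): $($_.Exception.Message)"
    }

    try {
        $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($cim -and $cim.SpecVersion) {
            # SpecVersion reads like "2.0, 0, 1.38"; the first token is the TPM spec level.
            $result.TpmSpecVersion = $cim.SpecVersion
            $result.Tpm20 = (($cim.SpecVersion -split ',')[0].Trim() -eq '2.0')
        }
    } catch {
        Write-Warning "Win32_Tpm query failed on $($env:COMPUTERNAME): $($_.Exception.Message)"
    }

    # Ready for Windows Hello for Business hardware-backed keys only if all three hold.
    $result.Ready = $result.TpmPresent -and $result.TpmReady -and $result.Tpm20
    [pscustomobject]$result
}

# Local check. For a fleet, run the same function remotely and collect the objects:
#   Invoke-Command -ComputerName $pcs -ScriptBlock ${function:Test-WhfbTpmReadiness}
Test-WhfbTpmReadiness | Format-List
```

Devices that return Ready = False with TpmPresent = True and Tpm20 = True usually just need the TPM provisioned (TpmReady), which is a firmware or Intune step rather than a hardware replacement; devices with a 1.2 spec version are the ones to budget for.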

8. Regular Backups

Your last line of defence when everything else fails.

| | ML1 | ML2 | ML3 |
|---|---|---|---|
| Frequency | Per business continuity requirements (daily recommended) | Per business continuity requirements (daily recommended) | Daily for critical assets |
| Retention | Per business continuity requirements (90 days recommended) | Per business continuity requirements | 3+ months |
| Testing | Tested as part of disaster recovery exercises | Regular restore testing (quarterly recommended) | Tested as part of disaster recovery exercises |
| Access control | Stored separately | Privileged access restricted | Only backup admins + break-glass account |
| Immutability | Recommended | Strongly recommended | Required |

The 3-2-1 rule: Three copies of your data, on two different storage types, with one copy offsite. For ransomware protection, add: one copy immutable (can't be modified or deleted even by admin), and zero unscheduled access.

The hard part: Quarterly restore testing. Not checking that backups are running. Actually restoring data and timing how long it takes. Most businesses set up backups and never test them until something goes wrong.
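A restore test is only evidence if it checks that the data came back intact and records how long it took. The harness below is an added example, not from the article or from any backup vendor: it takes a SHA-256 manifest of the protected folder at backup time, then times whatever restore command you give it and compares every restored file against the manifest. The restore command, paths and function names are placeholders for your own environment; the demonstration at the end uses a temp folder and a plain copy standing in for the restore so it runs offline.

```powershell
# Added example (not from the article): a quarterly restore-test harness.
# New-BackupManifest records SHA-256 hashes at backup time; Test-BackupRestore
# times a restore and verifies every file against that manifest.
# Paths, the restore script block and function names are this example's own.

function New-BackupManifest {
    param([string]$SourcePath, [string]$ManifestPath)
    $root = (Resolve-Path $SourcePath).Path.TrimEnd('\')
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [string]$ManifestPath,
        [string]$RestorePath,
        [scriptblock]$RestoreAction   # e.g. { & 'C:\Tools\backup.exe' restore --to $RestorePath }
    )
    # Time the restore itself, which is the number the recovery plan needs.
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    & $RestoreAction
    $timer.Stop()

    $manifest = @(Import-Csv -Path $ManifestPath)
    $missing = @(); $corrupt = @()
    foreach ($entry in $manifest) {
        $file = Join-Path $RestorePath $entry.RelativePath
        if (-not (Test-Path $file)) { $missing += $entry.RelativePath; continue }
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { $corrupt += $entry.RelativePath }
    }
    [pscustomobject]@{
        TestedAt        = Get-Date
        FilesInManifest = $manifest.Count
        Missing         = $missing.Count
        Corrupt         = $corrupt.Count
        RestoreMinutes  = [math]::Round($timer.Elapsed.TotalMinutes, 1)
        Passed          = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
        MissingFiles    = $missing
        CorruptFiles    = $corrupt
    }
}

# Offline demonstration with constructed data: a temp "source", its manifest,
# and a file copy standing in for the real restore job.
$base = Join-Path $env:TEMP 'e8-restore-demo'
$src  = Join-Path $base 'source'
$dst  = Join-Path $base 'restored'
New-Item -ItemType Directory -Path $src, $dst -Force | Out-Null
'ledger 2025 (constructed sample)' | Set-Content (Join-Path $src 'finance.txt')
$manifest = Join-Path $base 'manifest.csv'
New-BackupManifest -SourcePath $src -ManifestPath $manifest
Test-BackupRestore -ManifestPath $manifest -RestorePath $dst `
    -RestoreAction { Copy-Item (Join-Path $src '*') $dst -Recurse -Force } |
    Format-List TestedAt, FilesInManifest, Missing, Corrupt, RestoreMinutes, Passed
```

Keep the returned object (export it to CSV or your ticketing system) each quarter: the TestedAt and RestoreMinutes fields are exactly what an assessor asks for, and a rising RestoreMinutes trend is an early warning that the recovery plan no longer matches the data volume.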

What Your Microsoft 365 Licence Covers

Most Australian SMEs already have Microsoft 365. The question is whether your licence tier covers what you need.

Microsoft 365 Coverage for Essential Eight ML2

| Feature | Business Premium (~A$30/user/mo) | E5 (~A$87/user/mo) |
|---|---|---|
| Basic MFA | Yes (Entra ID P1) | Yes |
| Phishing-resistant MFA enforcement | Yes (via Conditional Access P1 authentication strength) | Yes (plus risk-based policies with P2) |
| Intune device management | Yes | Yes |
| Windows Update management | Yes | Yes |
| Third-party app patching | No (needs Patch My PC or similar) | No (same gap) |
| Defender for Endpoint (EDR) | Basic (Defender for Business) | Full (Plan 2) |
| Centralised logging / SIEM | No | Sentinel available separately (E5 gets data ingestion grant) |
| Macro lockdown (full ASR rules) | Partial | Yes |
| Application control (WDAC) | Basic via Intune | Full support |

The honest answer for most SMEs: Business Premium gets you further than most people think. It includes Conditional Access (P1) for phishing-resistant MFA enforcement and Intune for device management. ML2 requires either E5 or Business Premium plus the E5 Security add-on (~A$12/user/month extra) for advanced EDR and risk-based policies. Both options still leave a gap for third-party application patching, and Sentinel (SIEM) is a separate Azure service regardless of licence tier.
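The Conditional Access "authentication strength" control mentioned in the table is how the phishing-resistant requirement is actually enforced. The script below is an added example, not from the article or from Microsoft, showing the staged way to introduce it: create the policy in report-only mode for admin role holders first, so the sign-in logs reveal who would be blocked before anyone is. It uses the Microsoft Graph PowerShell SDK, looks up the built-in "Phishing-resistant MFA" strength by display name rather than hard-coding its ID, and assumes a tenant with Entra ID P1. The Global Administrator role template ID is Microsoft's well-known value; the policy and function names, and the break-glass exclusion parameter, are this example's own.

```powershell
# Added example (not from the article): report-only Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" authentication strength for
# privileged role holders. Requires the Microsoft.Graph SDK and Entra ID P1.
# Function, policy name and the break-glass parameter are this example's own.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-PhishingResistantAdminPolicy {
    param(
        [string]$DisplayName = 'CA-Admins-PhishingResistantMFA (report-only)',
        # Well-known Global Administrator role template ID; add other admin roles as needed.
        [string[]]$RoleTemplateIds = @('62e90394-69f5-4237-9190-012177145e10'),
        # Object IDs of break-glass accounts; always exclude them so a bad policy cannot lock you out.
        [string[]]$BreakGlassUserIds = @()
    )

    # Resolve the built-in strength by name instead of trusting a remembered GUID.
    $strength = Get-MgPolicyAuthenticationStrengthPolicy |
        Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' } |
        Select-Object -First 1
    if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" strength not found in this tenant.' }

    $params = @{
        displayName = $DisplayName
        # Report-only: evaluated and logged, not enforced. Switch to 'enabled' after review.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{
                includeRoles = $RoleTemplateIds
                excludeUsers = $BreakGlassUserIds
            }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $strength.Id }
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $params
}

$policy = New-PhishingResistantAdminPolicy -BreakGlassUserIds @('<break-glass-object-id>')
"Created policy $($policy.Id) in state $($policy.State)"
```

Leave it in report-only mode until the sign-in log's "Report-only" results show every admin satisfying the strength with a FIDO2 key or Windows Hello for Business, then flip the state to enabled and repeat the process for the wider user population as the hardware rollout progresses.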

The M365 Gap Nobody Mentions

Neither Business Premium nor E5 includes third-party application patching. Chrome, Adobe, Zoom, Slack, and every other non-Microsoft app needs a separate tool. This is the most common gap in Essential Eight implementations that rely entirely on the Microsoft stack. Tools like Patch My PC or ManageEngine integrate with Intune and cost $5,000-$10,000 per year.

What It Costs

Real estimates for a 50-person Australian SME. These are industry ranges, not exact quotes. Your costs will vary based on environment complexity, existing tools, and how many gaps you have.

Cost to Reach Each Maturity Level (50-person SME)

  1. ML0 to ML1: $15,000-$35,000. MFA rollout, basic patching, macro lockdown. 3-4 months.
  2. ML1 to ML2: $20,000-$45,000. Phishing-resistant MFA, WDAC, SIEM, EDR. 4-6 months.
  3. ML2 to ML3: $25,000-$60,000+

Biggest Cost Drivers

  1. Phishing-resistant MFA hardware. Security keys at $30-$80 per user, plus backup keys. Windows Hello for Business is free if your hardware supports TPM 2.0 (works on both Windows 10 and 11).

  2. Endpoint Detection and Response (EDR). $100-$300 per device annually. Required for proper threat detection and logging at ML2.

  3. SIEM / centralised logging. $5,000-$15,000 setup plus $200-$500 per month ongoing. Required at ML2 for centralised event collection and analysis.

  4. Third-party patch management. $5,000-$10,000 per year for tools like Patch My PC, ManageEngine, or Automox.

  5. Professional services. Implementation consulting runs $150-$250 per hour. Budget 100-300 hours depending on scope.

Ongoing Annual Costs

ML2 isn't a one-time expense. Budget $15,000-$25,000 per year for:

  • EDR and SIEM licensing
  • Patch management tooling
  • Quarterly backup testing
  • Annual application control review
  • Reassessment (typically 40-60% of the initial assessment cost)

Which Controls to Tackle First

Not all controls are equally hard or equally impactful. This is the implementation order that maximises risk reduction while building momentum.

Recommended Implementation Sequence

  1. Phase 1: MFA + Macros + OS Patching. Weeks 1-8. Quick wins. Blocks ~70% of common attacks.
  2. Phase 2: Admin Privileges + App Patching + App Control (audit). Weeks 8-16. Core security backbone.
  3. Phase 3: User App Hardening + Backup Automation. Weeks 16-24. Defence in depth.
  4. Phase 4: App Control (enforce) + Full MFA rollout

Phase 1: The Quick Wins (Weeks 1-8)

Multi-factor authentication. Highest impact per dollar spent. Start with authenticator apps for immediate protection, then plan the phishing-resistant hardware rollout for ML2. Two weeks to deploy across the organisation.

Macro lockdown. Pure policy change, no hardware needed. Deploy "disable all except digitally signed" via Group Policy. One week. Immediately stops the most common ransomware delivery method.

OS patching. Configure Windows Update for Business through Intune. Set security patches to auto-install with 0-day deferral. One week of setup, then it runs itself.

These three controls alone would have prevented or limited most major Australian breaches in the last three years.
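The macro policy in Phase 1 (and the Finance-folder pattern from control 3 above) is written to the user's registry hive by Group Policy or Intune, so it can be verified per user. The script below is an added example, not from the article or from Microsoft: it reads the standard Office 2016/Microsoft 365 policy keys (version 16.0), translates the VBAWarnings value into the setting name you see in the Trust Center, checks that internet-sourced macros are blocked, and lists any policy-defined trusted locations. Run it in the user's context (an Intune remediation script running as the user, for instance); the function names are this example's own.

```powershell
# Added example (not from the article): audits the Office macro policy that Group
# Policy or Intune has written for the signed-in user and lists policy-defined
# trusted locations. Keys are the standard Office 16.0 policy keys under HKCU.
# Function names are this example's own.

$VbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
        $meaning = if ($null -eq $vba) { 'not configured' }
                   elseif ($VbaWarningsMeaning.ContainsKey([int]$vba)) { $VbaWarningsMeaning[[int]$vba] }
                   else { "unknown value $vba" }
        [pscustomobject]@{
            App                   = $app
            MacroSetting          = $meaning
            InternetMacrosBlocked = ($block -eq 1)
            # Target from the article: internet macros blocked, everything else signed-only.
            MeetsTarget           = ($vba -eq 3 -and $block -eq 1)
        }
    }
}

function Get-OfficeTrustedLocations {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\Trusted Locations"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $loc = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                App             = $app
                Path            = $loc.Path
                AllowSubfolders = ($loc.AllowSubfolders -eq 1)
                Description     = $loc.Description
            }
        }
    }
}

Get-OfficeMacroPolicy      | Format-Table -AutoSize
Get-OfficeTrustedLocations | Format-Table -AutoSize
```

A trusted location that is broader than the single Finance folder (for example a whole user profile or a network share with AllowSubfolders set) quietly undoes the signed-only setting for anything dropped there, so the second table is worth reading as carefully as the first.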

Phase 2: The Backbone (Weeks 8-16)

Restrict admin privileges. Create separate admin accounts. Block admin accounts from web browsing and email. Four to six weeks including training and pushback management.

Patch applications. Deploy third-party patch management. Set up vulnerability scanning. Three to four weeks for setup, then ongoing.

Application control (audit mode). Start WDAC in audit mode to discover all legitimate applications. No enforcement yet. Four to six weeks of discovery.

Phase 3: Defence in Depth (Weeks 16-24)

User application hardening. Browser lockdown, PDF restrictions, Office ASR rules. Three to four weeks.

Backup automation. Deploy backup solution with immutable storage, offsite copy, and quarterly testing schedule. Two to three weeks of setup, then ongoing discipline.

Phase 4: Complete ML2 (Weeks 20-28)

Application control (enforcement). After the audit phase, gradually enforce WDAC policies. Expect some breakage. Four to six weeks of gradual rollout.

Full phishing-resistant MFA. Complete the hardware rollout (security keys or Windows Hello for Business) across all users and systems.

The Hardest Parts (What Actually Stalls Projects)

Application Control (WDAC)

The longest implementation timeline. Requires identifying every legitimate application in your environment (2-4 weeks in audit mode), testing enforcement without breaking anything (4-6 weeks), and then gradually rolling out. Misconfigured policies can make devices unbootable. This is where most businesses bring in outside help.
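The audit-mode discovery phase described here (and under control 1 above) produces its evidence in the Windows event log: while a WDAC policy runs in audit mode, Code Integrity writes event ID 3076 to Microsoft-Windows-CodeIntegrity/Operational for every binary it would have blocked. The script below is an added example, not from the article or from Microsoft, that pulls those events and summarises them by file so you can see which applications need allow rules before enforcing. The regular expression matches the event's message text and is an assumption about that format; compare it with one real event before trusting the parse. The sample messages are constructed so the summary can be tried on any machine; the function names are this example's own.

```powershell
# Added example (not from the article): summarises what a WDAC policy in audit mode
# would have blocked (event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational).
# The message regex is an assumption about the event text; verify against one real
# event. Sample messages below are constructed. Function names are this example's own.

function Get-WdacAuditEvents {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Message
}

function Get-WdacAuditSummary {
    param([string[]]$Messages)
    # Audit events read "... attempted to load <path> that did not meet ...".
    $pattern = 'attempted to load (?<Path>.+?) that did not meet'
    $Messages |
        ForEach-Object { if ($_ -match $pattern) { $Matches.Path } } |
        Group-Object |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count  = $_.Count
                Folder = Split-Path -Parent $_.Name
                File   = Split-Path -Leaf $_.Name
            }
        }
}

# Constructed sample messages (not real events) so the summary runs without WDAC.
$sample = @(
    'Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Program Files\ExampleVendor\LineOfBusiness.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{00000000-0000-0000-0000-000000000000}). However, due to code integrity auditing policy, the image was allowed to load.',
    'Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Program Files\ExampleVendor\LineOfBusiness.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{00000000-0000-0000-0000-000000000000}). However, due to code integrity auditing policy, the image was allowed to load.',
    'Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\ExampleVendor\LineOfBusiness.exe) attempted to load \Device\HarddiskVolume3\Users\jsmith\AppData\Local\Temp\helper.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{00000000-0000-0000-0000-000000000000}). However, due to code integrity auditing policy, the image was allowed to load.'
)
Get-WdacAuditSummary -Messages $sample | Format-Table -AutoSize

# Against a real machine after a couple of weeks in audit mode:
#   Get-WdacAuditSummary -Messages (Get-WdacAuditEvents -Days 30)
```

Entries under Program Files are candidates for publisher or path rules in the policy; entries under user-writable locations such as AppData\Local\Temp are the ones to question rather than allow, since a rule there would let anything dropped into that folder run.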

Admin Privilege Separation

Technically simple. Organisationally hard. Admins don't want to switch between accounts. IT support staff need elevated access for routine tasks like printer drivers. Expect resistance and plan for 8-12 weeks of change management.

Third-Party Patching

The operational burden never goes away. Chrome patches every 1-2 weeks. Adobe has multiple products with different release cycles. Legacy applications stop receiving updates entirely, and you need to decide: retire them or accept the risk and document the exception.

Backup Testing Discipline

Setting up backups is easy. Testing them quarterly is where organisations fail. Restore tests take 2-4 hours each. Recovery documentation goes stale. Most businesses discover their backup gaps during an actual incident, which is the worst time to discover them.

Legacy Systems: The Reality

Every business has them. The 15-year-old accounting package. The manufacturing software from 2008. The Access database that runs a critical process.

These systems often can't support modern controls. They need macro access. They can't handle application control policies. They run on unsupported operating systems.

The approach that works:

  1. Isolate the system. Dedicated workstation or network segment. No internet access. Only users who need it.
  2. Compensating controls. Enhanced monitoring, restricted access, network-level detection.
  3. Document the exception. Risk register entry with business justification and planned retirement date.
  4. Plan the migration. Even if it's 12-24 months away, having a timeline matters for your assessment report.

An assessor won't fail you for having a documented, compensated legacy exception. They will fail you for pretending it doesn't exist.

Do You Need ML2 or Will ML1 Do?


For most Australian SMEs handling customer data, working with government, or carrying cyber insurance, ML2 is the target. ML1 is a reasonable interim step if you're starting from zero and need to show progress quickly.

ML3 is almost never the right target for a private business. If you're not sure whether you need ML3, you don't.

Getting Started

The gap between "knowing what ML2 requires" and "actually being compliant" is where most businesses get stuck. The framework is well documented. The implementation is where it gets hard.

Three things to do this week:

  1. Take the free scorecard. The Innitor compliance scorecard maps to Essential Eight controls and tells you roughly where you stand. Five minutes, no email required.

  2. Check your M365 licence. If you're on Business Premium, understand the gaps before assuming you're covered. The third-party patching gap and phishing-resistant MFA gap affect most SMEs.

  3. Start with MFA. If you haven't already, turn on MFA for every account in your organisation today. Even basic app-based MFA puts you ahead of most Australian businesses. Plan the phishing-resistant upgrade for the next quarter.

Not Sure Where Your Gaps Are?

The compliance scorecard covers the same eight controls mapped to maturity levels. Five minutes, no sign-up, results stay in your browser. If your score is under 70, it's worth getting a formal assessment. If it's under 40, don't wait.

Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.