CFOtech Australia - Technology news for CFOs & financial decision-makers
Compliance is not the same as resilience: What Australian organisations are missing beyond the Essential Eight

Mon, 11th May 2026
Tony Rabottini, General Manager, Cyber and Operational Resilience, Avocado Consulting

Many Australian businesses, particularly small and mid-market organisations, have not achieved even the minimum level of Essential Eight compliance. This is not widely discussed, but it shapes almost every conversation practitioners in this field are having.

The Essential Eight is a set of baseline cybersecurity controls published by the Australian Signals Directorate (ASD). It is widely cited, well-structured, and genuinely useful. For most private organisations, compliance remains voluntary. However, those operating in critical infrastructure sectors, including healthcare and financial services, face obligations under the Security of Critical Infrastructure Act that make the framework effectively the expected baseline.

Even where compliance is not mandated, market pressure is creating its own requirements. Cyber insurers are asking more detailed questions at renewal, increasingly linking coverage eligibility to evidence of basic controls. Enterprise clients are adding security questionnaires to supplier onboarding. The regulatory mandate may not be universal, but commercial pressure is making the framework unavoidable for a growing number of organisations.

What is rarely said plainly is that ASD itself considers Maturity Level One (the lowest of three meaningful tiers) to be generally suitable for small to medium enterprises. That is the starting point, but it should not be an endpoint. Yet, for most organisations in that segment, it remains aspirational.

The framework was not designed for your business

The Essential Eight was designed as a universal baseline, which means it was not designed for any organisation in particular. It does not account for operating model, sector, supply chain, or the specific ways a business creates and stores value. A professional services firm holding client records has a materially different risk profile to a healthcare operator managing patient data across multiple sites, which differs again from a business with operational technology on the floor. The framework applies equally to all three. The actual risk exposure does not.

Organisations that implement Essential Eight controls in isolation consistently encounter the same finding: compliance does not equal resilience. The incidents that occur after implementation tend to emerge from areas the framework does not adequately address: cyber governance, formal risk assessment, third-party and supply chain exposure, and data classification and protection. These are not niche concerns. They are the domains that most commonly carry real exposure for mid-market businesses, especially in regulated sectors.

Artificial intelligence has changed the threat landscape

It is important to acknowledge the Essential Eight was designed before generative AI became a mainstream business tool and a mainstream attack vector. It contains no controls for either.

ASD's own 2024-25 Annual Cyber Threat Report states that AI almost certainly enables malicious actors to execute attacks on a larger scale and at a faster rate. According to Fortinet's 2025 Asia-Pacific Cybersecurity Report, produced by IDC (as reported in Channel Life), 51 per cent of Australian organisations reported encountering AI-powered threats in the past year. Phishing communications have reached a level of sophistication that makes them indistinguishable from legitimate correspondence. Voice cloning is enabling fraud that bypasses verbal verification processes.

The internal risk is less visible but equally significant. It includes staff using generative AI platforms without policy guidance, sensitive information entered into public AI tools, and AI integrations adopted without security assessment. Neither dimension appears in the Essential Eight framework.

For mid-market organisations in 2026, a cyber programme that does not account for AI is already operating with a material blind spot.

The right question to ask

The question 'are we Essential Eight compliant?' is less useful than it appears. Compliance is binary; risk is not. An organisation can satisfy every control in the framework and still carry significant exposure in governance, third-party access, or the emerging areas the framework does not reach. Equally, an organisation that has not formally completed the framework may already have the controls most relevant to its specific risk profile in place.

The Essential Eight is a baseline, not a strategy. It identifies whether controls exist. The more important question is whether they are effective for your business.

The most productive first step for any organisation uncertain about its cyber posture is not a tool purchase, a formal audit, or an assessment. It is an honest, structured baseline: an objective view of where the organisation sits across the controls that carry the most weight for its size, sector, and operating model. Understanding that baseline is what allows investment to be directed at the gaps that actually matter, rather than the gaps that are most visible.

The majority of cybercrime incidents continue to exploit known, preventable weaknesses. The controls that reduce that risk are not expensive or exotic. The barrier, in most cases, is simply not knowing where the genuine exposure lies.

Read the whitepaper

For a detailed examination of what a complete cyber resilience programme looks like beyond the Essential Eight, including practical frameworks for healthcare, financial services, utilities, and government organisations, download the full white paper: Beyond the Essential Eight.