Measured Essential Eight compliance is low, even where it is mandatory. In 2025, just 22 per cent of Australian federal government entities reached Maturity Level 2 across all eight strategies, up from 15 per cent in 2024 (ASD, Commonwealth Cyber Security Posture in 2025). For the private sector, no comprehensive measurement exists at all.
That is the honest headline. The Essential Eight is often discussed as if it were a box most serious organisations have already ticked. The published evidence says otherwise: the only population that is measured every year, the federal government, has never had more than a quarter of entities at the mandated level. This article compiles every verified figure Frontrow could find, with the source and year for each.
Key statistics at a glance
- 22 per cent of Australian government entities reached overall Essential Eight Maturity Level 2 in 2025, up from 15 per cent in 2024 (ASD, Commonwealth Cyber Security Posture in 2025).
- The 2024 result of 15 per cent was a fall from 25 per cent in 2023, largely because ASD hardened the Maturity Level 2 controls in November 2023 (ASD, 2024 and 2025 posture reports).
- Multi-factor authentication was the weakest strategy: entities at Maturity Level 2 or higher fell from 54 per cent in FY2022-23 to 23 per cent in FY2023-24 after the model update, recovering to 34 per cent in FY2024-25 (ASD, 2025 posture report, Figure 1).
- 76 per cent of non-corporate Commonwealth entities reported not fully implementing the mandatory PSPF cyber security policy in 2021-22 (Attorney-General's Department PSPF Assessment Report, cited by the ANAO).
- 59 per cent of entities said legacy IT limited their ability to implement the Essential Eight in 2025, down from 71 per cent in 2024 (ASD, 2025 posture report).
- The average self-reported cost of cybercrime for Australian businesses reached $80,850 per report in FY2024-25, up 50 per cent year on year (ASD Annual Cyber Threat Report 2024-25).
- No comprehensive, independent measurement of private-sector Essential Eight maturity has ever been published.
How many government agencies meet Essential Eight targets?
The best data in the country comes from the annual ASD Cyber Security Survey, which non-corporate Commonwealth entities are required to answer. The 2025 edition covered 101 non-corporate entities plus 79 corporate entities and Commonwealth companies, a 94 per cent participation rate, so it is close to a census of the federal government (ASD, Commonwealth Cyber Security Posture in 2025).
The three most recent results: 25 per cent of entities reached overall Maturity Level 2 in 2023, 15 per cent in 2024, and 22 per cent in 2025. The dip and partial recovery is not agencies going backwards; ASD raised the bar in November 2023, hardening the controls required for Maturity Level 2 in response to the threat environment, and entities are still catching up to the new standard (ASD, 2024 and 2025 posture reports).
The Australian National Audit Office tells a consistent story over a longer period. Across a series of performance audits since 2013-14, the ANAO has repeatedly found low compliance with mandatory cyber security requirements. Its 2021 audit of cyber security strategies concluded that the selected entities' implementation was not fully effective and did not fully meet the mandatory requirements (ANAO, Auditor-General Report No. 32, 2020-21).
"The ANAO has conducted a series of audits on cyber security and identified ongoing low levels of cyber resilience in non-corporate Commonwealth entities, and high rates of non-compliance with the Policy 10 requirements."
The self-reported picture backs the auditors up. The Attorney-General's Department's PSPF assessment found 72 per cent of non-corporate entities reported not fully implementing the mandatory cyber security policy in 2020-21, worsening to 76 per cent in 2021-22 (AGD PSPF Assessment Reports, cited in ANAO reporting). The ANAO also found cases where entities relied on documented policies rather than implemented controls to claim compliance, which means even self-reported figures can flatter the true position.
Is the Essential Eight mandatory?
For the federal government, yes, and the requirement has hardened over time. The Top Four mitigation strategies have been mandatory for non-corporate Commonwealth entities since 2013. From 1 July 2022, the Protective Security Policy Framework extended that to the full Essential Eight at Maturity Level 2, with entities expected to consider Maturity Level 3 where their threat environment warrants it (PSPF, now section 14.2 of the 2025 framework).
Corporate Commonwealth entities and Commonwealth companies are encouraged rather than bound, although some have adopted the standard voluntarily: ANAO auditing noted the Reserve Bank of Australia and ASC had internally mandated the Essential Eight despite not being required to (ANAO, Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities).
For private businesses there is no legal mandate. The pressure arrives indirectly: government supply chain contracts, Defence industry requirements, cyber insurance questionnaires and enterprise customers' security reviews increasingly ask for Essential Eight maturity, which makes it a commercial requirement long before it is a legal one.
What maturity level do most organisations actually reach?
Overall maturity is set by the weakest of the eight strategies, so the per-strategy numbers explain the low headline. In FY2024-25, the proportion of government entities at Maturity Level 2 or higher was 62 per cent for patching operating systems, 56 per cent for patching applications, 48 per cent for application control, 46 per cent for restricting administrative privileges, and just 34 per cent for multi-factor authentication (ASD, 2025 posture report, Figure 1).
Multi-factor authentication is the clearest example of the moving target. In FY2022-23, 54 per cent of entities met Maturity Level 2 for MFA. The November 2023 model update required phishing-resistant MFA at that level, and the pass rate collapsed to 23 per cent before recovering to 34 per cent as entities rolled out the stronger standard (ASD, 2025 posture report). An organisation can stand still and lose a maturity level, because the model is deliberately re-anchored to current adversary tradecraft.
If most well-resourced federal agencies land at Maturity Level 1 overall, with individual strategies scattered between Level 0 and Level 3, it is reasonable to assume the typical unmeasured business sits at Level 0 or Level 1 across several strategies. But that is inference, not measurement, and it should be labelled as such.
Why do so few reach Maturity Level 2?
- 1The weakest-link rule. Overall maturity equals the lowest score across all eight strategies. Seven strong strategies and one weak one still means a low overall result, and maturity can slip between assessments as environments change.
- 2Legacy IT. In 2025, 59 per cent of government entities said legacy technologies limited their Essential Eight implementation; in 2024 it was 71 per cent (ASD posture reports). Systems the vendor no longer patches make several strategies impossible to complete.
- 3A rising bar. The November 2023 maturity model update moved controls such as Microsoft's recommended application block-list from Maturity Level 3 down to Level 2 and required phishing-resistant MFA, so yesterday's pass became today's fail (ASD, 2025 posture report).
- 4Self-assessment optimism. ANAO audits found entities claiming compliance on the strength of documented policies rather than implemented, tested controls (ANAO, Report No. 32, 2020-21). Independent verification routinely lands lower than self-assessment.
- 5Operational discipline, not products. Most Essential Eight controls are configuration and process: patch windows measured in days, admin privilege reviews, macro policy, tested restores. These need sustained attention rather than a one-off purchase.
What do the statistics say about the private sector?
Here is the honest finding: no comprehensive private-sector measurement exists. There is no equivalent of the ASD survey for Australian businesses, no mandatory reporting, and no independent audit program. Vendor surveys circulate, but Frontrow could not verify any of them against a named methodology and sample, so none are quoted here. Anyone stating a precise percentage of Australian businesses at a given maturity level is estimating, whether they say so or not.
What can be said with confidence is the cost of staying at low maturity. In FY2024-25, ASD received more than 84,700 cybercrime reports, roughly one every six minutes, and the average self-reported cost per report for businesses rose 50 per cent to $80,850: $56,571 for small businesses, $97,166 for medium and $202,700 for large (ASD Annual Cyber Threat Report 2024-25). The same report notes that basic mitigations of the kind the Essential Eight formalises can prevent the majority of incidents reported to ASD.
Statistics compiled July 2026 from the ASD Commonwealth Cyber Security Posture reports (2023, 2024 and 2025 editions), ANAO performance audit reports and insights, the Protective Security Policy Framework, and the ASD Annual Cyber Threat Report 2024-25. Figures describe the most recent reporting period available at publication.