In 2026 the Australian Signals Directorate's Essential Eight has moved from recommended framework to expected baseline. Maturity Level 2 is the practical floor for most industries now. Maturity Level 3 is the trajectory for critical infrastructure, energy, finance and defence. The Sovereign AI and Regulatory Assurance Forum on 28 April in Sydney is a public marker of the same direction. Every major audit, procurement and cyber insurance conversation Frontrow is having this quarter is reading from the same page.
For Australian tenants still at ML0 or ML1, which, realistically, is most of the mid-market, that is a 90-day problem, not a three-year program. Almost all of ML2 is achievable with the Microsoft licensing already in place. Here is how Frontrow is running it.
Why the bar moved in 2026
Three things combined. First, the ACSC's updated Essential Eight assessment guidance materially tightened how ML2 is scored. Controls need to be enforced across all systems and reviewed on a real cadence, not attested once. Second, cyber insurance renewal decisions from mid-2026 are being priced off the ML2 line, not ML1. Third, ransomware incident volume targeting SMBs is up sharply worldwide. The reported global increase is around 105% over two years, and Australian SMBs are not outside that trend.
The combined effect is that ML2 is where the evidence (insurance, audit, regulator, board) starts to land favourably. ML1 is no longer a defensible resting position for most organisations.
The 90-day plan from ML1 to ML2
Frontrow runs this as six two-week sprints. Each sprint ends with a measurable control at ML2, documented evidence, and a handover to whoever operates it going forward. This is the sequence that lands fastest in a tenant where Microsoft 365 is the backbone.
Weeks 1 to 2: Patching
Automate the 48-hour patch window on operating systems, and the 48-hour window on browsers, Office and other internet-facing applications. Intune Autopatch for Windows, Microsoft Update for Business for firmware. Evidence: a report showing patch latency by device, exported on a monthly cadence.
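One way to turn a device export into the patch-latency evidence described above, as an added example rather than Frontrow's or Microsoft's tooling. The CSV column names, device names and update labels are constructed for illustration, and the only threshold used is the 48-hour window from the text.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

PATCH_WINDOW = timedelta(hours=48)  # the window named in the sprint above

# Constructed export, one row per device per update. The column names are
# assumptions for this example, not an Intune report schema.
SAMPLE_EXPORT = """device,update,released_utc,installed_utc
WS-001,2026-04-os,2026-04-14T17:00:00Z,2026-04-15T09:30:00Z
WS-002,2026-04-os,2026-04-14T17:00:00Z,2026-04-17T08:00:00Z
WS-003,2026-04-os,2026-04-14T17:00:00Z,
WS-001,browser-135,2026-04-16T02:00:00Z,2026-04-16T20:00:00Z
"""

def parse_utc(value):
    """Parse an ISO 8601 UTC timestamp; an empty cell means not installed."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def patch_latency(export_text, report_time):
    """One record per device/update: latency in hours plus a verdict."""
    records = []
    for row in csv.DictReader(io.StringIO(export_text)):
        released = parse_utc(row["released_utc"])
        installed = parse_utc(row["installed_utc"])
        # A missing install is measured up to report time, so a device that
        # never patched shows as overdue instead of dropping out of the report.
        latency = (installed or report_time) - released
        on_time = latency <= PATCH_WINDOW
        if installed:
            verdict = "within-window" if on_time else "late"
        else:
            verdict = "pending" if on_time else "overdue"
        records.append({"device": row["device"], "update": row["update"],
                        "hours": round(latency.total_seconds() / 3600, 1),
                        "verdict": verdict})
    return records

def failing_devices(records):
    """Devices with at least one late or overdue update."""
    return sorted({r["device"] for r in records if r["verdict"] in ("late", "overdue")})

if __name__ == "__main__":
    report = patch_latency(SAMPLE_EXPORT, datetime(2026, 4, 30, tzinfo=timezone.utc))
    print(*report, sep="\n")
    print("outside window:", failing_devices(report))
```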
Weeks 3 to 4: Multi-factor authentication
Phishing-resistant MFA for privileged users. MFA for all users on internet-facing services. Number matching on, SMS off. Conditional Access baseline live with no exceptions for staff. Evidence: the Microsoft Entra ID sign-in logs showing zero password-only authentications across a 30-day window.
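A sketch of the sign-in evidence check described above, added here as an example and not taken from Frontrow or Microsoft. It assumes the sign-in logs were exported as JSON with the Microsoft Graph signIn field names, and that "password-only" means a successful sign-in whose authenticationRequirement is singleFactorAuthentication. The accounts and records are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sign-in records using field names from the Microsoft Graph
# signIn resource; users and apps are invented for the example.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-04-02T01:10:00Z", "userPrincipalName": "amy@example.com",
  "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-04-03T05:42:00Z", "userPrincipalName": "svc-scan@example.com",
  "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"createdDateTime": "2026-04-03T05:50:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Azure Portal",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
 {"createdDateTime": "2026-02-11T09:00:00Z", "userPrincipalName": "amy@example.com",
  "appDisplayName": "Azure Portal",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
]""")

def password_only_signins(records, window_end, days=30):
    """Successful single-factor sign-ins inside the evidence window."""
    window_start = window_end - timedelta(days=days)
    hits = []
    for rec in records:
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        in_window = window_start <= when <= window_end
        succeeded = rec["status"]["errorCode"] == 0  # failed attempts granted no access
        # Assumption: "password-only" is read as single-factor being sufficient.
        single = rec["authenticationRequirement"] == "singleFactorAuthentication"
        if in_window and succeeded and single:
            hits.append(rec)
    return hits

def evidence_summary(records, window_end, days=30):
    """Pass/fail against the zero-password-only target, with offenders counted."""
    hits = password_only_signins(records, window_end, days)
    by_account = Counter((h["userPrincipalName"], h["appDisplayName"]) for h in hits)
    return {"passed": not hits, "count": len(hits), "by_account": dict(by_account)}

if __name__ == "__main__":
    print(evidence_summary(SAMPLE_SIGNINS, datetime(2026, 4, 30, tzinfo=timezone.utc)))
```

Grouping the hits by account and application shows which exclusion or legacy client still has to be closed before the 30-day window can start counting.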
Weeks 5 to 6: Application control
At ML2, application control needs to be enforced on workstations, not just monitored. Microsoft Defender Application Control or AppLocker, with a tested block list drawn from a current application inventory. The common failure pattern is a "monitor mode" deployment that never flips to enforcement. ML2 requires enforcement, with documented review of blocks.
Weeks 7 to 8: Restrict administrative privileges
Standing admin rights are the single most common audit finding Frontrow sees in ML1 tenants. Move privileged roles into Privileged Identity Management with eligibility rather than assignment, just-in-time activation, MFA on activation, and time-bounded sessions. Evidence: PIM activation audit for a 30-day window.
Weeks 9 to 10: User application hardening
Block Java and Flash in browsers. Disable Office macros sourced from the internet. Enable ASR rules in Microsoft Defender for Endpoint. Most of this is tenant-level configuration in Microsoft Intune. Evidence: the ASR rules report with no exceptions below the agreed baseline.
Weeks 11 to 12: Tested restore from backup
ML2 separates backup from tested backup. Daily backups exist in most tenants. ML2 requires a documented restore exercise on a defined cadence. Run the restore, time it, write it up with RTO and RPO measured against target. Evidence: the restore test report.
The three controls that trip most tenants
In assessments this quarter, three ML2 controls consistently come in under target regardless of tenant size or industry.
Application control in enforcement mode. Most tenants stay in audit mode because the operational cost of tuning blocks feels high. It usually lands in about two weeks of concentrated tuning per business unit, not the multi-month program people expect. The trick is scoping block policies per persona rather than attempting a universal list.
Privileged access without standing rights. The PIM configuration itself is straightforward. The cultural shift is harder. Admins accustomed to always-on accounts push back on eligibility, and the rollout stalls. Handle it as a change management project rather than a technical one. The technology is a one-day configuration.
Tested restore with a defined RTO. Almost every tenant has backups. Very few can produce a documented restore report from the last 90 days. It is the cheapest ML2 control to close if the right tooling is in place, and the first one most auditors check.
Try it
Score the current Essential Eight position
Twelve questions, a maturity score against ML1, ML2 and ML3, and the prioritised gap list with Microsoft-native remediation paths for each control.
- 01 Application control: Only approved applications can execute on workstations and servers.
- 02 Patch applications: Internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: Macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: Web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: Admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: Operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: Backups of important data, configuration and software — and restores you have actually tested.
A note on Sovereign AI
The 28 April Sovereign AI and Regulatory Assurance Forum in Sydney is worth paying attention to. The direction it signals, that AI, cyber and data residency are converging into a single regulatory conversation for Australian organisations, reshapes what a baseline tenant configuration looks like this year. Essential Eight ML2 is the cyber-side floor. Data residency, sovereign AI grounding and model auditability are being added on top for regulated sectors.
A 2026 plan that says "get to ML2" is the right starting point. For regulated sectors, it is no longer the finish line. If a renewal cycle, audit window or insurance review is sitting on the ML2 line, Frontrow will read the gap against the 2026 assessment guidance and walk a 90-day plan against the tenant. Call 1300 012 466 or book a chat through the contact page.