What Tightens at ML2
Maturity Level 2 introduces stricter controls, reflecting a more mature cyber security posture. Application control extends to servers, so the set of allowed software must be managed there as well. Patching of internet-facing services is significantly accelerated, with a 48-hour remediation timeframe. Privileged accounts must now use phishing-resistant Multi-Factor Authentication (MFA). Logging and event monitoring are expanded to provide greater visibility into system activity, and Microsoft Office macros originating from the internet are restricted to mitigate malware risks.
AU Sector Reality
In Australia, Essential Eight Maturity Level 2 is increasingly expected for APRA-regulated entities under CPS 234, healthcare providers adhering to privacy obligations under the Privacy Act 2024, and larger professional services firms facing heightened scrutiny. Organisations experiencing targeted attacks or handling sensitive data should prioritise Level 2 implementation. Delivering this often involves leveraging the Microsoft 365 ecosystem – Microsoft Defender for Endpoint, Microsoft Sentinel for SIEM capabilities, Conditional Access policies, and Intune for device management – to automate and enforce these controls effectively.