IronSights

Essential Eight 2025 Update: What Changed and What Businesses Must Do

The ASD updated the Essential Eight Maturity Model in early 2025. Key changes affect application control scope, MFA requirements for cloud services, and how backup integrity verification is assessed. Here is what has changed.

By Ryan Balloot, Managing Director | 7 April 2025 | 1 min read

The ASD periodically updates the Essential Eight Maturity Model to reflect changes in the threat landscape and lessons from incidents affecting Australian organisations. The 2025 update introduced changes relevant to businesses at all maturity levels, with the most significant affecting Maturity Level Two requirements.

Application Control: Cloud Application Coverage

The 2025 update extends application control requirements to cover cloud-delivered applications and browser-based execution in more detail. At Maturity Level Two, organisations must now demonstrate that application control covers script execution within web browsers — not just on the endpoint operating system. This addresses the growing use of browser-based attack techniques that bypass traditional endpoint application control.

MFA: All Internet-Facing Services Now Required at Level One

Previously, Maturity Level One required MFA for services that process sensitive data. The 2025 update extends this to all internet-facing services for all users at Level One — previously a Level Two requirement. This reflects the ACSC's assessment that the credential threat is now sufficiently widespread to justify this as a baseline expectation rather than an advanced control.

Backup Integrity Verification

The backup control now explicitly requires that backup integrity is verified — not just that backups are taken and a restoration has been performed. Integrity verification means confirming that backup data is complete and uncorrupted, not just that the restoration process completed without errors. This distinction is important for ransomware scenarios where backup data itself may have been partially corrupted.

What Businesses Should Do

If you have a recent Essential Eight assessment, review it against the 2025 guidance. MFA extension to all internet-facing services at Level One and backup integrity verification are the changes most likely to affect current compliance status. A gap assessment against the updated guidance is advisable before the next formal assessment or insurer review.
