Do I Need the Essential Eight? A Quick Guide for Australian Small Businesses

Not sure if the Essential Eight applies to you? Here's who needs it, why it matters, and the triggers making Australian businesses take action.

Cas · 7 January 2026 · 7 min read

It's a fair question. You've heard the term, maybe seen it on an insurance form or in a contract, and now you're wondering: does this actually apply to my business?

The short answer: if you're an Australian organisation that uses computers, the Essential Eight is relevant to you. Here's the longer answer.

Who It's Mandatory For

Strictly speaking, the Essential Eight is mandatory for Australian Government entities under the Protective Security Policy Framework (PSPF). Government departments and agencies are required to implement the framework and report on their maturity levels.

For everyone else (private businesses, not-for-profits, local councils) it's technically voluntary. But "voluntary" is doing a lot of heavy lifting in that sentence.

Why "Voluntary" Doesn't Mean "Optional"

In practice, the Essential Eight is becoming a requirement through the back door. Here's how:

Cyber Insurance

Australian insurers are increasingly asking about Essential Eight maturity on cyber insurance applications. Some won't offer coverage without evidence of basic controls. Others adjust premiums based on your posture. If you can't demonstrate MFA, patching, and backups, expect higher premiums, or outright rejection.

Supply Chain Requirements

Larger organisations, especially government contractors and enterprises, are pushing Essential Eight compliance down their supply chains. If you're a supplier, subcontractor, or partner to a large organisation, expect to be asked about your cybersecurity posture.

Defence Contracts (DISP)

If you do any work with the Department of Defence, the Defence Industry Security Program (DISP) requires Essential Eight maturity at Level 2 or higher. This applies to prime contractors and subcontractors alike.

The Privacy Act

Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, organisations that experience a data breach must notify affected individuals and the OAIC. If a breach occurs because you lacked basic security controls, like those in Level 1 of the Essential Eight, you may face regulatory scrutiny, fines, and reputational damage.

"But We're Just a Small Business"

We hear this a lot. Here are the facts:

  • 43% of cyber attacks target small businesses, according to industry research.
  • The average self-reported cost of a cybercrime incident for a small Australian business is $56,600, according to the ASD Annual Cyber Threat Report 2024-2025.
  • Small businesses are targeted because they're less protected, not because they're less valuable.
  • Ransomware doesn't check your ABN or your revenue before encrypting your files.

The question isn't whether your business is "big enough" to need cybersecurity. The question is whether you can afford to lose your client data, your financial records, or a week of operations to a preventable attack.

What Level Do You Need?

For the vast majority of Australian SMBs, Level 1 is the right target. It covers the baseline controls that stop the most common attacks, the ones that hit thousands of businesses every day.

Level 2 becomes relevant if you handle particularly sensitive data (health records, financial information, government data) or operate in a regulated industry. Level 3 is for organisations facing sophisticated, targeted threats: think defence, intelligence, critical infrastructure.

How to Find Out Where You Stand

The fastest way is to run a self-assessment. Eito's Quick Check takes 5 minutes and covers the 10 most critical controls. It gives you a clear red/amber/green picture of your baseline security posture. No account required, no data leaves your browser.

If the results concern you, do a full assessment (15 minutes) to see a detailed strategy-by-strategy breakdown. Then take the PDF report to your IT provider and have a real conversation about closing the gaps.

The bottom line: you probably do need the Essential Eight. The good news is that starting is free, fast, and easier than you think.

Get Started

Ready to see where you stand?

Take 5 minutes to run a free Essential Eight Quick Check. No account required. Your data never leaves your browser.