The Short Answer: Most Australian Businesses Should Target Maturity Level 2

If you’ve started looking into the Essential Eight, you’ve probably hit a wall of acronyms and government frameworks that feel like they were written for auditors, not business owners. This post cuts through that. We’ll explain what each maturity level actually means in practice, what it costs in effort, and how to figure out which level is right for your business.

If you’re new to the Essential Eight framework itself, start with our guide to what the Essential Eight is and why it matters for Australian businesses. This post picks up from there and goes deeper on maturity levels.

What Are Essential Eight Maturity Levels?

The Australian Cyber Security Centre (ACSC) designed the Essential Eight with four maturity levels: ML0 through ML3. Think of them as a sliding scale of how thoroughly your business has implemented each of the eight mitigation strategies.

The higher the maturity level, the harder it is for an attacker to compromise your systems. The trade-off is that higher maturity levels require more investment, more discipline, and more ongoing effort to maintain.

Here’s the key insight most businesses miss: maturity levels are applied across all eight strategies together. You don’t cherry-pick ML3 for one control and ML1 for another. Your overall maturity level is determined by the lowest level you’ve achieved across all eight.

Maturity Level 0: You Have Gaps That Put You at Risk

ML0 isn’t a level you aim for. It means your organisation has not met the requirements of Maturity Level 1 for at least one of the eight strategies.

In practice, ML0 looks like this: no formal patching schedule, staff with local admin rights on their computers, no multi-factor authentication on email or cloud apps, and backups that have never been tested. These are not rare situations. Many small and mid-sized Australian businesses operate at ML0 without realising it.

The risk at ML0 is significant. A single phishing email, a compromised password, or an unpatched vulnerability can cascade into a full business disruption. Ransomware groups and cybercriminals actively target businesses at this level because the barriers to entry are low.

If you’re at ML0, the priority is to move to ML1 as quickly as possible.

Maturity Level 1: You’re Covering the Basics

ML1 is designed to protect against opportunistic attacks. These are the broad, automated campaigns that scan the internet for easy targets and exploit known weaknesses.

At ML1, your business has implemented each Essential Eight strategy in a basic but consistent way. Patches are applied within one month. Multi-factor authentication is active on internet-facing services. Macros are restricted. Administrative privileges are limited to accounts that genuinely need them.

This is meaningful protection. ML1 stops the majority of low-sophistication attacks that make up the bulk of cybercrime. But it doesn’t protect against attackers who are specifically targeting your business or willing to invest real effort to get in.

What ML1 Looks Like Day-to-Day

Your IT team or managed service provider patches operating systems and applications within 30 days of release. Staff use MFA to log into Microsoft 365 or Google Workspace. New employees don’t automatically get admin rights on their machines. Backups run automatically and are stored separately from your main systems.

The effort to reach ML1 is achievable for most businesses with a good IT partner. It doesn’t require building a security operations centre or hiring a dedicated CISO. What it does require is consistency and someone accountable for keeping the controls active.

Maturity Level 2: The Right Target for Most Businesses

ML2 is where the ACSC expects most Australian businesses to operate. It’s designed to protect against attackers who are more persistent and more capable than opportunistic criminals.

At ML2, the controls are tighter and the requirements more specific. Patches for internet-facing services must be applied within two weeks of release, not 30 days. Application control is active on workstations, not just servers. Privileged accounts are strictly managed and subject to additional authentication requirements.

The difference between ML1 and ML2 is depth of implementation. ML1 says “we have MFA on internet-facing systems.” ML2 says “we have MFA on internet-facing systems, it uses phishing-resistant methods where possible, and it covers a wider range of systems including privileged access.”

Why ML2 Is the Right Benchmark

The ACSC has been clear that ML2 represents a meaningful threshold for businesses that hold sensitive data or are part of critical supply chains. A professional services firm managing client financial records, a healthcare practice with patient data, or a technology business supporting government clients would all benefit significantly from operating at ML2.

ML2 also aligns with the expectations many enterprise clients and government departments are starting to set for their suppliers. If you’re involved in procurement or tender processes, having documented ML2 compliance is increasingly relevant.

The effort involved is real. Moving from ML1 to ML2 typically requires more automation, better tooling, and tighter processes around access management and patch deployment. But it’s achievable with the right support, and the protection it provides is substantially greater than ML1 alone. We go into detail on what ML2 implementation actually involves in our Essential Eight Maturity Level 2 deep dive.

Maturity Level 3: For High-Value Targets and Regulated Industries

ML3 is designed for organisations facing sophisticated, targeted attacks. Government agencies, defence contractors, financial institutions, and critical infrastructure operators are the primary audience.

At ML3, controls are implemented to their fullest extent. Patches for internet-facing services are applied within 48 hours of release. All privileged actions are logged and monitored. Application control is applied across all systems, including servers. MFA is phishing-resistant across the board.

The operational overhead of ML3 is substantial. It requires dedicated security staff, mature processes, and tooling that goes well beyond what most SMBs can justify. The security benefits are significant, but so is the investment.

Is ML3 Right for Your Business?

Most private sector businesses with 20 to 200 staff have no reason to target ML3. The additional protection is real, but so is the cost, and the risk profile for most businesses simply doesn’t justify it.

Where ML3 becomes relevant is when you’re directly handling classified government data, operating under specific regulatory obligations that require it, or managing infrastructure where a compromise would have cascading consequences.

If you’re unsure whether your business needs ML3, the answer is almost certainly no. Businesses that genuinely need ML3 usually know it because someone has told them so.

How to Know Which Level Your Business Needs

There’s no single right answer for every business. The appropriate maturity level depends on a combination of factors: the sensitivity of your data, your regulatory environment, your supply chain relationships, and your risk appetite.

That said, a useful starting framework is this:

  • Small businesses with limited sensitive data: ML1 is a reasonable floor, ML2 is a smart target.
  • Professional services firms managing client data: ML2 is the right goal.
  • Businesses supplying government or handling regulated data: ML2 is the minimum, and ML3 may be required.
  • Critical infrastructure or defence supply chain: ML3 is likely expected or mandated.

The honest reality is that most businesses don’t have a clear picture of where they currently sit. Before setting a target maturity level, you need to know your baseline. An Essential Eight assessment gives you that baseline — a mapped view of where your controls are strong, where the gaps are, and what it would take to move to your target level.

Our managed cyber security services include Essential Eight assessments and ongoing support to help businesses reach and maintain their target maturity level.

Common Mistakes Businesses Make with Maturity Levels

The most common mistake is treating the Essential Eight as a one-time project. Maturity levels aren’t a badge you earn and keep permanently. Patch schedules, access controls, and backup processes all need ongoing management. A business that achieves ML2 in January and doesn’t revisit it until December may find it has slipped back toward ML1 by mid-year.

The second common mistake is focusing on the level rather than the outcome. ML2 is a target because of what it delivers in terms of real protection, not because of the label itself. Chasing a number without understanding what each control actually does puts you at risk of ticking boxes without improving your security posture.

Third, businesses often underestimate the importance of the weakest link. Your overall maturity is determined by your lowest-performing control. A business that has everything at ML2 except backups (which haven’t been tested) is not at ML2. That gap needs to be addressed before the maturity level means anything.
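The weakest-link rule described here (and in the introduction) is simple enough to encode, which makes a self-assessment spreadsheet or script easy to sanity-check. The following is an added illustration, not code from the original article or from Otto IT; it assumes the article's simplified patch windows for internet-facing services (30 days for ML1, two weeks for ML2, 48 hours for ML3) and uses constructed sample dates:

```python
"""Essential Eight self-assessment helper (added illustration, not ACSC tooling).

It encodes two rules from the article above:
  * the overall maturity level is the lowest level achieved across all eight
    strategies (the "weakest link" rule), and
  * the patching windows the article gives as a simplification for
    internet-facing services: ML1 within one month (taken as 30 days),
    ML2 within two weeks, ML3 within 48 hours.
All sample data below is constructed for the example.
"""
from datetime import datetime, timedelta

ESSENTIAL_EIGHT = (
    "application control",
    "patch applications",
    "configure macro settings",
    "user application hardening",
    "restrict administrative privileges",
    "patch operating systems",
    "multi-factor authentication",
    "regular backups",
)

# Longest acceptable gap between patch release and deployment, per level,
# using the article's figures for internet-facing services (assumed here).
PATCH_WINDOWS = {
    3: timedelta(hours=48),
    2: timedelta(days=14),
    1: timedelta(days=30),
}


def patch_level(patches, as_of):
    """Return the highest level (0-3) the patching evidence supports.

    `patches` holds (released, applied) datetime pairs; `applied` is None for a
    patch still outstanding, which is measured against `as_of`. The slowest
    patch decides the level, so one late patch drops the whole control.
    """
    if not patches:
        return 0  # no evidence is treated as unassessed, not as compliant
    slowest = max((applied or as_of) - released for released, applied in patches)
    for level in (3, 2, 1):
        if slowest <= PATCH_WINDOWS[level]:
            return level
    return 0


def overall_level(assessed):
    """Apply the weakest-link rule across all eight strategies.

    `assessed` maps strategy name -> assessed level (0-3). A strategy that is
    missing counts as ML0, because it has not been shown to meet ML1. Returns
    (overall level, strategies holding the overall level down).
    """
    unknown = set(assessed) - set(ESSENTIAL_EIGHT)
    if unknown:
        raise ValueError(f"not an Essential Eight strategy: {sorted(unknown)}")
    levels = {name: int(assessed.get(name, 0)) for name in ESSENTIAL_EIGHT}
    for name, level in levels.items():
        if not 0 <= level <= 3:
            raise ValueError(f"{name}: level must be 0-3, got {level}")
    overall = min(levels.values())
    capping = [name for name, level in levels.items() if level == overall]
    return overall, capping


# Constructed sample: release/deploy dates for a handful of internet-facing patches.
AS_OF = datetime(2024, 7, 1)
SAMPLE_PATCHES = {
    "ml2_pace": [
        (datetime(2024, 6, 1), datetime(2024, 6, 8)),    # 7 days
        (datetime(2024, 6, 10), datetime(2024, 6, 20)),  # 10 days -> within two weeks
    ],
    "one_slow_patch": [
        (datetime(2024, 6, 1), datetime(2024, 6, 8)),    # 7 days
        (datetime(2024, 6, 1), datetime(2024, 6, 21)),   # 20 days -> ML1 only
    ],
    "outstanding": [
        (datetime(2024, 5, 20), None),                   # 42 days open -> ML0
    ],
}


def demo():
    """Run the constructed sample and return the results for inspection."""
    patch_results = {k: patch_level(v, AS_OF) for k, v in SAMPLE_PATCHES.items()}
    # Everything at ML2 except backups, which were never tested: the article's
    # own example of a business that is not at ML2.
    assessed = {name: 2 for name in ESSENTIAL_EIGHT}
    assessed["regular backups"] = 0
    overall, capping = overall_level(assessed)
    return patch_results, overall, capping


if __name__ == "__main__":
    patches, overall, capping = demo()
    for scenario, level in patches.items():
        print(f"patching evidence '{scenario}': supports ML{level}")
    print(f"overall maturity: ML{overall}, held down by {', '.join(capping)}")
```

Running the constructed sample reports ML2 for the two-week patching pace, ML1 where a single patch slipped to 20 days, ML0 for the patch still open after 42 days, and an overall ML0 for the business that is at ML2 on everything except backups, naming backups as the control holding the level down.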

Frequently Asked Questions

Does my business have to comply with the Essential Eight?

The Essential Eight is mandatory for non-corporate Commonwealth entities under certain frameworks. For private sector businesses, it is not legally required. However, it is increasingly expected by enterprise clients, government partners, and cyber insurers.

How long does it take to reach Maturity Level 2?

The timeline depends heavily on your current baseline. A business starting from scratch with good IT support in place might reach ML2 within six to twelve months. A business with significant legacy systems or gaps in basic hygiene may take longer. An assessment is the most reliable way to get a realistic timeline.

What happens if we can’t reach ML2 right away?

Progress matters. Moving from ML0 to ML1 is a meaningful improvement. Documenting your roadmap and showing consistent improvement over time is valuable, particularly if you need to demonstrate due diligence to clients or insurers.

Can a managed IT provider help us achieve and maintain a maturity level?

Yes. Most businesses that reach and sustain ML2 do so with the help of a managed service provider that has Essential Eight expertise. The controls involved require consistent tooling, monitoring, and process management that is difficult to maintain without specialist support.

What’s the difference between the Essential Eight and ISO 27001?

The Essential Eight is a focused set of eight prioritised controls designed for Australian businesses. ISO 27001 is a broader international information security management standard. They are not mutually exclusive. Many businesses use the Essential Eight as a practical starting point and progress toward ISO 27001 as their maturity grows.

Ready to find out where your business sits? Book an Essential Eight Assessment with the Otto IT team and get a clear picture of your current maturity level and what it will take to reach your target.