Essential 8 Maturity Model: Levels 1, 2 and 3 Explained
What Maturity Level 1, 2 and 3 actually require under the ACSC Essential Eight — and how to know which level your business needs.
The Essential Eight isn't pass/fail — it's a maturity model. The ACSC defines four levels (0 through 3), and the gap between them is significant in both effort and cost. Here's what each level actually requires, and how to tell which one your business genuinely needs.
Maturity Level 0
You haven't implemented the controls, or you've done so partially with significant gaps. Most Australian SMBs sit here without realising it. If you've never measured against the Essential Eight, assume ML0 until proven otherwise.
Maturity Level 1 — defending against opportunistic attackers
This is the realistic target for most SMBs. ML1 protects you from attackers using widely available tools and techniques — phishing kits, commodity malware, credential stuffing.
- MFA for users of your internet-facing services and of third-party online services that hold your sensitive data; at this level any "something you have plus something you know" combination is accepted (phishing resistance is an ML2 requirement)
- Patches for internet-facing services and their operating systems within 2 weeks of release, or within 48 hours when the vendor rates the vulnerability critical or a working exploit exists; office suites, browsers, email clients, PDF readers, security products and workstation operating systems within 1 month
- Application control on workstations, restricting what can execute from user profiles and temporary folders to an organisation-approved set
- Office macros blocked in files from the internet, disabled for users without a demonstrated business need, and users prevented from changing those settings
- Privileged access validated when first requested; privileged accounts blocked from internet, email and web browsing; admins work in separate privileged and unprivileged operating environments (the 12-month revalidation of privileged access arrives at ML2)
- Backups performed and retained in line with your business continuity requirements, restorable to a common point in time, with restoration tested as part of disaster recovery exercises
Most well-run MSPs can get a 20-seat business to ML1 in 30–60 days.
Maturity Level 2 — defending against targeted attackers
ML2 assumes a threat actor who is prepared to target you specifically and to invest real time and skill in getting past the ML1 controls, including weaker forms of MFA. The patch windows tighten, controls extend from workstations to servers, and several controls gain central logging so you can see them being tested.
- MFA for all users of your systems, not just internet-facing services, and it must be phishing-resistant: FIDO2 security keys, Windows Hello for Business or smart cards, not SMS, authenticator-app codes or push approvals
- Patch windows for office suites, browsers, email clients, PDF readers, security products and workstation operating systems shrink from 1 month to 2 weeks; internet-facing services stay at 2 weeks, or 48 hours when the vulnerability is critical or exploited
- Application control extended from workstations to internet-facing servers, with Microsoft's recommended application block rules applied, rulesets validated at least annually, and allowed and blocked execution events logged centrally
- Administrative activity conducted through jump servers; privileged access automatically disabled after 12 months unless revalidated and after 45 days of inactivity; break-glass, local administrator and service account credentials long, unique and managed
- Central logging of application control, macro execution, command-line and PowerShell, privileged access and MFA events (the model itself sets no retention period; 12 months is a sensible working default)
ML2 is a serious investment — typically $30K–$80K in tooling and 3–6 months of engineering for a 50-seat business. Required if you handle Protected Commonwealth data or sensitive personal information at scale.
Maturity Level 3 — defending against advanced threat actors
ML3 assumes a well-resourced adversary (think state-sponsored) and shrinks every window: critical or exploited vulnerabilities patched within 48 hours across internet-facing services, office suites, browsers and operating systems, with only the current or previous OS release in use; application control on every workstation and server, extended to drivers and backed by Microsoft's recommended driver block rules; just-in-time administration with Credential Guard, LSA protection and memory integrity enabled; and event logs protected from tampering and actively monitored for signs of compromise, which in practice means a security operations centre or a managed detection service. Most ML3 implementations cost six figures annually and require dedicated security staff.
Which level do you need?
- Most SMBs: ML1 is sufficient and proportionate.
- Healthcare, legal, financial services: ML1 minimum, ML2 if you're handling regulated data at volume.
- Defence supply chain, critical infrastructure: ML2 minimum; the Defence Industry Security Program now mandates ML2 for many contracts.
- Federal government and large primes: ML2 or ML3 depending on data classification.
If you're not sure where you sit today, an Essential Eight assessment against your current Microsoft 365 tenant takes us about 4 hours and tells you exactly which level you're at and what the next-level gaps look like.
