What is Essential Eight Maturity Level 2?

The Essential Eight is the gold standard for cybersecurity in Australia. It is divided into three “Maturity Levels” (ML1, ML2, and ML3).

Maturity Level 2 is currently the target for most mid-sized Queensland businesses and a key requirement for cyber insurance.

Key Requirements of Maturity Level 2

To achieve Maturity Level 2, your business must go beyond basic compliance. The ASD specifies requirements across eight strategies, with the following being most critical for insurance:

1. Application Control

You must use a managed solution (like Microsoft Intune or AppLocker) to prevent unapproved software from running. ML2 requires that you block users from bypassing these controls.

2. Patching Applications

Critical security vulnerabilities in applications (like browsers or Office) must be patched within 48 hours. ML2 requires a centralized management system to verify that patches are actually applied.

3. Multi-Factor Authentication (MFA)

MFA must be enforced for all users when accessing internet-facing services, third-party cloud services, and for any administrative access. ML2 explicitly requires that MFA be “enforced” rather than just available.

4. Restricted Administrative Privileges

You must limit the number of users with “God mode” access. ML2 requires that administrators use separate, non-privileged accounts for daily tasks like email and web browsing.

Why Level 2 is the New Baseline

In 2024 and 2025, Australian insurers significantly tightened their criteria. While Maturity Level 1 was once enough, the prevalence of ransomware means insurers now look for the centralized management and automation present in Level 2.

The Compliance Gap

If you tell your insurer you are at ML2, but an incident reveals that you weren’t patching within 48 hours or that MFA was bypassed due to legacy protocols, your claim may be denied for misrepresentation.

Need an Essential Eight assessment? Read our guide on Cyber Insurance Denials in Queensland or contact our technology team for a legal compliance audit.