What is Essential Eight Maturity Level 2, and what does it involve?

Maturity Level 2 is the middle tier of the ASD Essential Eight. It is aimed at adversaries willing to invest more time and better tooling than the opportunistic attackers Maturity Level 1 addresses. It is the level most regulated Australian businesses target, and since 30 September 2024 it has been the minimum required across ICT systems for every level of DISP membership.

What ML2 asks of your eight controls

At ML2 the eight controls are not just present; they are applied broadly, enforced, and backed by logging and evidence. In practice that means multi-factor authentication across users and remote access, application control that actually blocks unapproved software, patching of applications and operating systems within tight timeframes, restricted and monitored administrator privileges, controlled Microsoft Office macros, hardened user applications, and regular backups that are tested and can be restored. The step up from ML1 is less about new controls and more about rigour and coverage. For the authoritative, current requirements, see ASD's Essential Eight maturity model.

Who needs ML2

ML2 is not a blanket legal requirement, but it is mandatory for DISP membership and is commonly specified in government and Defence-related contracts and tenders. If you are bidding for that kind of work, or handling sensitive client data, ML2 is usually the sensible target.

What the move to the Essentials series means

ML2 is the target today, but ASD has announced the Essential Eight will move to a new Essentials series over the next two years. ASD has confirmed that existing ML2 work maps across, so this is a reason to build controls tied to outcomes and risk rather than to a checklist. See "Is the Essential Eight being retired?" for the detail and timeline.

How Blue Arc helps

We run a gap assessment against ML2, implement and maintain the controls, and keep the evidence current. For Defence-industry businesses we deliver this through our ML2 Uplift Programme. See our DISP IT support in Canberra, managed services, or get in touch.

Frequently asked questions

How is Maturity Level 2 different from Maturity Level 1?

ML1 addresses opportunistic attackers using widely available tools. ML2 steps up to adversaries willing to invest more time and better tooling, so controls are applied more broadly, enforced more strictly, and backed by logging and evidence.

Is Essential Eight ML2 mandatory?

It is not a blanket legal requirement for every business, but it is mandatory for DISP membership and is frequently specified in government and Defence-related contracts and tenders.

Does DISP require ML2?

Yes. Since 30 September 2024, the full Essential Eight at Maturity Level 2 is the minimum for every DISP membership level, including Entry Level, across the ICT systems used to correspond with Defence.