SecurSentry
← Essential Eight hub
Essential Eight

Essential Eight Maturity Levels (ML1–ML3), Explained

Maturity Level Zero through Three sounds like a grading system, but it's really about how well and how consistently you apply each of the eight. Here's what each level means and where to start.

The short version

If you’ve started reading about the Essential Eight, you’ve almost certainly hit the phrase “maturity level” and wondered whether it’s a grade, a score, or a hurdle you have to clear. The good news: the Essential Eight maturity model is more straightforward than it sounds, and understanding it makes the whole framework far less intimidating.

This piece explains what Maturity Level Zero through Three actually mean, who realistically needs which level, and why Maturity Level One is the sensible starting point for most Australian small businesses. We’ll keep it plain. We won’t pretend the work is effortless, but you’ll come away knowing exactly where to aim.

What is the Essential Eight maturity model?

The Essential Eight maturity model is the ACSC’s way of describing how completely and consistently an organisation applies each of the eight mitigation strategies, using four levels: Maturity Level Zero, One, Two and Three.

The Essential Eight itself is a set of eight mitigation strategies published by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). (If you want a refresher on the eight strategies themselves, our companion guide explains all eight in plain English.)

The maturity model sits on top of those eight. Rather than treating each strategy as simply “done” or “not done”, it recognises that there’s a difference between, say, patching your software occasionally and patching it within strict timeframes, every time, across every device. The maturity levels capture that difference. They describe how well you do each thing: how thoroughly, how consistently, and across how much of your environment.

That’s the first thing to understand: maturity is about the quality and consistency of your implementation, not a tick-box count.

What do the four maturity levels mean?

Maturity Level Zero means a strategy isn’t meaningfully in place; Maturity Levels One, Two and Three each describe stronger implementation built to defend against a progressively more capable class of attacker.

One insight makes the model click into place, and it’s straight from the ACSC. With the exception of Maturity Level Zero, the levels are based on mitigating increasing levels of tradecraft (the tools, tactics, techniques and procedures attackers use) and targeting. In other words, the model is adversary-based: each level is defined by the kind of attacker it’s designed to stop.

ML3 is not a force field

The ACSC is refreshingly honest about this: Maturity Level Three will not stop malicious actors that are willing and able to invest enough time, money and effort to compromise a target. No maturity level is a guarantee. The point of the model is to make an attack progressively harder and more expensive, reducing your risk rather than promising you can never be breached.

Why is the maturity model “risk-based” rather than a score?

Because each level targets a specific class of adversary, the right level for you depends on who realistically wants to attack you — so the model is about matching your defences to your risk, not climbing to the top.

This is where a lot of small-business owners get the wrong end of the stick. It’s tempting to assume that ML3 is the “A grade” and everyone should be racing towards it. But that misreads what the levels are for.

The ACSC’s guidance is that organisations should identify and plan for a target maturity level suitable for their environment, using a risk-based approach. A small accounting firm, a local trades business, or a community not-for-profit faces a very different threat picture from a defence contractor or a major bank. The adversaries who target a 12-person business are overwhelmingly the opportunistic kind, exactly the ones ML1 is designed to stop.

Maturity is something you match to your risk, not a leaderboard you climb.

Pushing for ML2 or ML3 when your actual risk doesn’t warrant it means spending time and money on protections beyond what you need. There’s nothing wrong with aiming higher if your circumstances justify it. Handling sensitive client data, working in a regulated supply chain, or having been targeted before are all good reasons. But “higher is automatically better” isn’t how the model is meant to be read.

Why ML1 is the right starting point for most small businesses

Maturity Level One blocks the commodity, opportunistic attacks that smaller Australian businesses encounter most, which makes it both the most relevant target and the most achievable one to start with.

For the vast majority of Australian small businesses, ML1 is the place to begin, and often the right place to settle, at least initially. There are two practical reasons.

First, relevance. The attacks that actually reach small businesses are dominated by the commodity tradecraft ML1 is built to counter: phishing emails sent to thousands of inboxes, automated scanning for software that hasn’t been patched, password-guessing against accounts without multi-factor authentication. Reaching ML1 across all eight strategies addresses the bulk of what you’re realistically up against.

Second, achievability. ML1 describes a sensible baseline rather than a gold-plated standard. Getting the controls in place to reach it is a meaningful project, but it’s one a small business can genuinely work through, and each strategy you bring up to ML1 delivers real protection straight away.

One important rule shapes how you get there. The ACSC recommends reaching the same maturity level across all eight strategies before moving on to a higher level, because the eight are designed to complement one another. In practice that means your overall position is held back by your weakest strategy. If seven are at ML1 but one is languishing at ML0, you can’t honestly claim ML1 overall. That’s deliberate — attackers look for the gap, not the average. Bring all eight up together rather than perfecting one while another sits neglected.

A realistic way to begin

Work across all eight strategies at once, aiming for ML1 on each, rather than driving a single strategy to ML3 while others lag. Our plain-English self-assessment checklist walks through each strategy so you can see where you stand today and what "good enough for ML1" looks like in practice.

Putting the levels in perspective

The maturity model gives you a clear, honest way to talk about cyber security progress — where you are now, where you’re aiming, and why.

Step back from the ML0-to-ML3 labels for a moment. What the maturity model really gives a small business is a shared language. Instead of a vague sense that “we should do something about cyber security”, you can say: we’re aiming for Maturity Level One across all eight strategies, because that’s the level matched to the attacks we actually face. That clarity is genuinely useful for planning, for budgeting, and for explaining your position to clients, insurers or partners who ask.

It also helps to know the Essential Eight isn’t the only path for an Australian SME. The newer SMB1001 standard offers a tiered approach (Bronze through to Diamond) designed specifically with smaller businesses in mind, and some organisations find it a more natural starting point. We compare the two, and help you work out which suits you, in our guide on the Essential Eight versus SMB1001.

Wherever you land, the principle behind the maturity model holds: match your effort to your risk, bring all eight up together, and treat ML1 as a solid, worthwhile achievement rather than a consolation prize. If you’d like the bigger picture first, our Essential Eight topic guide ties all of this together.

SecurSentry is building tools to help Australian small businesses understand frameworks like the Essential Eight and work steadily towards a maturity level that fits them. But the model itself is freely published by the ACSC, and you can start making sense of where you stand today, for free, right now.

Frequently asked questions

How many maturity levels does the Essential Eight have?

Four: Maturity Level Zero, One, Two and Three (often shortened to ML0, ML1, ML2 and ML3). ML0 captures cases where the requirements of ML1 aren't met. ML1 to ML3 each describe stronger, more consistent implementation aimed at defending against progressively more capable attackers.

What maturity level should a small business aim for?

For most Australian small businesses, Maturity Level One is the right starting target. The ACSC's view is that organisations should plan for a target maturity level suitable for their environment, and ML1 is built to mitigate the commodity, widely-available tradecraft that opportunistic adversaries use most. You can step up to ML2 or ML3 later if your risk profile calls for it.

Is a higher Essential Eight maturity level always better?

Not automatically. The maturity model is based on mitigating increasing levels of tradecraft and targeting, so each level targets a tougher class of attacker. Pushing to ML3 takes real effort and is aimed at adaptive, well-resourced adversaries. Most small businesses don't face those daily, so chasing ML3 can mean spending on protections beyond your actual risk. Match the level to your situation.

Does Maturity Level Three mean you can't be hacked?

No. The ACSC is explicit that Maturity Level Three will not stop malicious actors who are willing and able to invest enough time, money and effort to compromise a target. ML3 raises the cost of an attack significantly, but no maturity level is a guarantee. That's why the model is about reducing risk, not eliminating it.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Essential Eight

The Essential Eight Checklist for Australian Small Business

28 Jun 2026 · 7 min
Essential Eight

The Essential Eight Controls, Explained Simply

28 Jun 2026 · 7 min
Essential Eight

Essential Eight vs SMB1001: Where Should You Start?

28 Jun 2026 · 7 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.