Essential Eight Maturity Levels (ML1–ML3), Explained
Maturity Level Zero through Three sounds like a grading system, but it's really about how well and how consistently you apply each of the eight. Here's what each level means and where to start.
The short version
- What it is: The Essential Eight maturity model from the ACSC defines four levels (Maturity Level Zero through Three) describing how completely and consistently you apply each of the eight strategies.
- It's adversary-based: Each level above ML0 is built around mitigating a tougher class of attacker, from commodity tools (ML1) up to adaptive, well-resourced adversaries (ML3). It isn't a score to game.
- Start at ML1: For most Australian small businesses, Maturity Level One is the sensible target. It blocks the opportunistic attacks that hit smaller organisations most often.
- Whole package, weakest link: The ACSC recommends reaching the same maturity level across all eight before moving higher, so a single neglected strategy can hold your overall maturity back.
If you’ve started reading about the Essential Eight, you’ve almost certainly hit the phrase “maturity level” and wondered whether it’s a grade, a score, or a hurdle you have to clear. The good news: the Essential Eight maturity model is more straightforward than it sounds, and understanding it makes the whole framework far less intimidating.
This piece explains what Maturity Level Zero through Three actually mean, who realistically needs which level, and why Maturity Level One is the sensible starting point for most Australian small businesses. We’ll keep it plain. We won’t pretend the work is effortless, but you’ll come away knowing exactly where to aim.
What is the Essential Eight maturity model?
The Essential Eight maturity model is the ACSC’s way of describing how completely and consistently an organisation applies each of the eight mitigation strategies, using four levels: Maturity Level Zero, One, Two and Three.
The Essential Eight itself is a set of eight mitigation strategies published by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC). (If you want a refresher on the eight strategies themselves, our companion guide explains all eight in plain English.)
The maturity model sits on top of those eight. Rather than treating each strategy as simply “done” or “not done”, it recognises that there’s a difference between, say, patching your software occasionally and patching it within strict timeframes, every time, across every device. The maturity levels capture that difference. They describe how well you do each thing: how thoroughly, how consistently, and across how much of your environment.
That’s the first thing to understand: maturity is about the quality and consistency of your implementation, not a tick-box count.
What do the four maturity levels mean?
Maturity Level Zero means a strategy isn’t meaningfully in place; Maturity Levels One, Two and Three each describe stronger implementation built to defend against a progressively more capable class of attacker.
One insight makes the model click into place, and it’s straight from the ACSC. With the exception of Maturity Level Zero, the levels are based on mitigating increasing levels of tradecraft (the tools, tactics, techniques and procedures attackers use) and targeting. In other words, the model is adversary-based: each level is defined by the kind of attacker it’s designed to stop.
- Maturity Level Zero (ML0). Captures cases where the requirements of Maturity Level One aren’t met. It signifies that there are weaknesses in your overall cyber security posture which, if exploited, could compromise the confidentiality of your data or the integrity and availability of your systems. This is simply the starting line, not a label to be ashamed of.
- Maturity Level One (ML1). Built to mitigate attackers who are content to use commodity tradecraft: widely available tools and techniques that anyone can pick up. This is the world of opportunistic, largely untargeted attacks, the spray-and-pray emails and the automated scans for unpatched software.
- Maturity Level Two (ML2). Steps up to address more capable attackers willing to invest additional time and effort to bypass controls. They might actively target login credentials through phishing and social engineering rather than relying purely on off-the-shelf tools.
- Maturity Level Three (ML3). Aimed at highly adaptive, skilled adversaries who use advanced tradecraft, are less reliant on public tools, and are willing and able to invest serious time, money and effort to get in.
ML3 is not a force field
The ACSC is refreshingly honest about this: Maturity Level Three will not stop malicious actors that are willing and able to invest enough time, money and effort to compromise a target. No maturity level is a guarantee. The point of the model is to make an attack progressively harder and more expensive, reducing your risk rather than promising you can never be breached.
Why is the maturity model “risk-based” rather than a score?
Because each level targets a specific class of adversary, the right level for you depends on who realistically wants to attack you — so the model is about matching your defences to your risk, not climbing to the top.
This is where a lot of small-business owners get the wrong end of the stick. It’s tempting to assume that ML3 is the “A grade” and everyone should be racing towards it. But that misreads what the levels are for.
The ACSC’s guidance is that organisations should identify and plan for a target maturity level suitable for their environment, using a risk-based approach. A small accounting firm, a local trades business, or a community not-for-profit faces a very different threat picture from a defence contractor or a major bank. The adversaries who target a 12-person business are overwhelmingly the opportunistic kind, exactly the ones ML1 is designed to stop.
Maturity is something you match to your risk, not a leaderboard you climb.
Pushing for ML2 or ML3 when your actual risk doesn’t warrant it means spending time and money on protections beyond what you need. There’s nothing wrong with aiming higher if your circumstances justify it. Handling sensitive client data, working in a regulated supply chain, or having been targeted before are all good reasons. But “higher is automatically better” isn’t how the model is meant to be read.
Why ML1 is the right starting point for most small businesses
Maturity Level One blocks the commodity, opportunistic attacks that smaller Australian businesses encounter most, which makes it both the most relevant target and the most achievable one to start with.
For the vast majority of Australian small businesses, ML1 is the place to begin, and often the right place to settle, at least initially. There are two practical reasons.
First, relevance. The attacks that actually reach small businesses are dominated by the commodity tradecraft ML1 is built to counter: phishing emails sent to thousands of inboxes, automated scanning for software that hasn’t been patched, password-guessing against accounts without multi-factor authentication. Reaching ML1 across all eight strategies addresses the bulk of what you’re realistically up against.
Second, achievability. ML1 describes a sensible baseline rather than a gold-plated standard. Getting the controls in place to reach it is a meaningful project, but it’s one a small business can genuinely work through, and each strategy you bring up to ML1 delivers real protection straight away.
One important rule shapes how you get there. The ACSC recommends reaching the same maturity level across all eight strategies before moving on to a higher level, because the eight are designed to complement one another. In practice that means your overall position is held back by your weakest strategy. If seven are at ML1 but one is languishing at ML0, you can’t honestly claim ML1 overall. That’s deliberate — attackers look for the gap, not the average. Bring all eight up together rather than perfecting one while another sits neglected.
A realistic way to begin
Work across all eight strategies at once, aiming for ML1 on each, rather than driving a single strategy to ML3 while others lag. Our plain-English self-assessment checklist walks through each strategy so you can see where you stand today and what "good enough for ML1" looks like in practice.
Putting the levels in perspective
The maturity model gives you a clear, honest way to talk about cyber security progress — where you are now, where you’re aiming, and why.
Step back from the ML0-to-ML3 labels for a moment. What the maturity model really gives a small business is a shared language. Instead of a vague sense that “we should do something about cyber security”, you can say: we’re aiming for Maturity Level One across all eight strategies, because that’s the level matched to the attacks we actually face. That clarity is genuinely useful for planning, for budgeting, and for explaining your position to clients, insurers or partners who ask.
It also helps to know the Essential Eight isn’t the only path for an Australian SME. The newer SMB1001 standard offers a tiered approach (Bronze through to Diamond) designed specifically with smaller businesses in mind, and some organisations find it a more natural starting point. We compare the two, and help you work out which suits you, in our guide on the Essential Eight versus SMB1001.
Wherever you land, the principle behind the maturity model holds: match your effort to your risk, bring all eight up together, and treat ML1 as a solid, worthwhile achievement rather than a consolation prize. If you’d like the bigger picture first, our Essential Eight topic guide ties all of this together.
SecurSentry is building tools to help Australian small businesses understand frameworks like the Essential Eight and work steadily towards a maturity level that fits them. But the model itself is freely published by the ACSC, and you can start making sense of where you stand today, for free, right now.