What are the requirements for Essential Eight Maturity Level 2?

Maturity Level 2 is the target benchmark for most Australian organisations and the mandatory minimum for Commonwealth entities. Under the updated November 2023 model, reaching it requires:

  • Phishing-resistant MFA for all users, including workstation login. Standard push notification or SMS-based MFA no longer qualifies.
  • Critical vulnerabilities patched within 48 hours and internet-facing applications patched within two weeks.
  • Application control with Microsoft's recommended application blocklist in place and rulesets reviewed annually.
  • Both ASD and vendor hardening guidance applied to all systems; where the two conflict, the more stringent requirement takes precedence.
  • Privileged access validated on first request and automatically disabled after 12 months if not revalidated.
  • Centralised event logging across internet-facing infrastructure, with a documented and tested incident response plan.
  • Immutable, regularly tested backups prioritised by business criticality.

If your organisation achieved Maturity Level 2 before the 2023 update, it is worth reassessing. The requirements have changed materially, particularly around MFA and privileged access governance.