Who needs to comply with the Essential Eight?

The Essential Eight is mandatory for all non-corporate Commonwealth entities under the Australian Government's Protective Security Policy Framework (PSPF).

For private sector organisations, it is not legislated, but it is increasingly expected. Evidence of Essential Eight compliance is now a common requirement in government and defence procurement processes, and organisations in regulated industries such as financial services, healthcare, and critical infrastructure are under growing pressure to adopt it as a baseline standard.

Even outside regulated sectors, the framework represents the ASD's best-practice recommendation for any Australian organisation running internet-connected systems.