ML0 to ML3, in plain English

Essential Eight Maturity Levels Explained (ML0 to ML3)

The Essential Eight is measured on a maturity model with four levels. Here is what ML0, ML1, ML2 and ML3 mean and how organisations move up.

The Essential Eight Maturity Model describes how well each of the eight strategies is implemented, on a scale of four levels. Higher levels are aligned to increasingly capable adversary tradecraft.

The four maturity levels

Assessed as a set

The ACSC recommends implementing all eight strategies to the same target maturity level as a package, rather than reaching a high level on one strategy while others lag. Your target level should be based on the threats your organisation faces; many organisations aim for ML1 or ML2 as a baseline.

How to move up a level

Moving up means meeting more of the specific requirements the model sets for each strategy at the next level. The practical path is to assess your current position control by control, identify the gaps to your target, and remediate them one at a time. The Essential Eight assessment tool does exactly this - scoring each strategy, showing the gaps to your target, and tracking progress over time.

Note: Cyber Compliance is a self-assessment and reporting aid, not a certification, audit or legal advice. Outputs help you prepare and track gaps; confirm your position with a qualified auditor, certification body or legal adviser before relying on it.

Frequently asked questions

What are the Essential Eight maturity levels?

Four levels: Maturity Level Zero (ML0), One (ML1), Two (ML2) and Three (ML3). Higher levels are aligned to mitigating increasingly capable and targeted adversary tradecraft.

What maturity level should we target?

It depends on the threats you face. The ACSC recommends choosing a target level and implementing all eight strategies to it as a set; many organisations aim for ML1 or ML2 as a baseline.

Start your free trial