
Keeping up with compliance and regulatory requirements
The Compliance Treadmill
Meeting compliance obligations in Australia often starts with one question: “How are we tracking against the Essential Eight?” For many, it’s become the benchmark. The problem is, Essential Eight was never designed to be a complete framework. It’s a baseline, and a valuable one, but it covers only a fraction of what organisations need to truly manage cyber risk.
The risk is that companies tick the Essential Eight boxes, declare victory and assume they’re safe. In reality, attackers don’t stop at the edges of the Essential Eight. They look for the gaps. Those gaps are where organisations get hurt.
Why NIST CSF 2.0 Matters
This is where NIST’s updated Cybersecurity Framework (CSF) comes in. Version 2.0 expands beyond critical infrastructure, giving organisations a comprehensive blueprint for managing risk across governance, operations, supply chains, and technology.
Some key advantages over relying solely on Essential Eight:
- Broader scope: NIST CSF covers governance, risk, compliance, resilience, and supply chain security — areas Essential Eight barely touches.
- Scalable maturity: Essential Eight is prescriptive. NIST CSF allows organisations to align maturity with their size, industry, and risk appetite.
- Alignment to global best practice: Essential Eight is Australia-specific. NIST CSF provides a global framework, making it easier to align with international regulators and partners.
- Outcome-driven: NIST focuses on resilience and measurable outcomes, not just implementation of controls.
Used together, Essential Eight provides a strong tactical baseline, while NIST CSF 2.0 delivers the strategic architecture to build a lasting program.
Anecdote: The Tick-Box Trap
A few years ago, I worked with an organisation that proudly told its board, “We’re compliant with Essential Eight, we’re good.” Six months later, they faced a major breach through a third-party vendor. Essential Eight had nothing to say about supply chain risk. The board’s question was simple: “Why weren’t we prepared for this?”
That incident reshaped their approach. Essential Eight remained part of their baseline, but they adopted NIST CSF as the framework to map out risks more holistically. The shift moved them from compliance reporting to resilience building.
From Box-Ticking to Business Value
The message is clear:
- Essential Eight = a good start, but not the finish line
- NIST CSF 2.0 = the strategic foundation for long-term resilience
The two should work together, not in isolation. Australian organisations that succeed will be those that stop treating compliance as the ceiling and start using frameworks to build business value and resilience.
Final Word
Compliance pressures won’t ease up. Essential Eight will remain central in Australia, but on its own it won’t protect you from tomorrow’s threats. NIST CSF 2.0 provides the structure and strategy to tie compliance into genuine risk reduction.
The treadmill isn’t slowing down, but with the right foundation, you can run further without burning out.
👉 Here’s the full update from NIST: NIST CSF 2.0 Release