Maturity Level 2 (ML2) is the intermediate maturity level in the ACSC Essential Eight Maturity Model. It is calibrated for organisations facing adversaries with moderate capability — actors who specifically target the organisation rather than acting opportunistically against any vulnerable target.
ML2 raises the bar across the eight controls. Specific examples: application control extends from workstations to servers and covers scripts, installers and libraries; office productivity, browsers, email and PDF apps must be patched within one month; multi-factor authentication must cover all internet-facing services, privileged users and important data repositories; backups must be restoration-tested quarterly with privileged accounts unable to modify or delete them.
ML2 is the level most APRA-regulated and government-adjacent mid-market firms target. APRA does not mandate ML2 but explicitly references the Essential Eight in CPS 234 reviews. Cyber-insurance underwriters increasingly use ML2 as an underwriting checklist. An ML2-aligned environment with documented evidence makes a CPS 234 review materially easier.