Cyber Security. 14.10.25

Horizon 2 of Australia’s cyber security strategy: What to do before 2026

If you lead risk, technology, or security, Horizon 2 is your signal to scale.

The Australian Cyber Security Strategy 2023–2030 moves into its second phase from 2026, shifting from building foundations to embedding and operationalising maturity across people, process and technology.

The Government’s latest Charting New Horizons paper outlines three clear priorities for Horizon 2 (2026–2028):

  • Embed cyber standards and literacy across society
  • Empower SMBs, NFPs and citizens with practical, low-cost controls
  • Harmonise regulation, uplift workforce capability and improve whole-of-government response

The goal is a safer, more resilient economy by 2028, with clearer expectations, better incident response, and visible security maturity across sectors.

The urgency is real: a cybercrime is reported every six minutes, and the projected impact of cyber attacks in Australia is $25.4 billion in 2025–26 alone, rising to $215 billion over the next decade.

If you haven’t started preparing, now is the time.

What’s changing in Horizon 2 (2026-2028)

The Australian Cyber Security Strategy 2023–2030 outlines a vision for Australia to become a world leader in cyber security by 2030. Horizon 2 marks a turning point, from building to scaling, with clear expectations across all sectors.

It’s structured around six "Cyber Shields" that reflect where government effort, funding, and policy will focus over the next three years.

Figure: Cyber shields, Charting New Horizons 2 Policy Discussion Paper

Shield 1 – Strong businesses & citizens

Expect stronger national messaging, improved school cyber literacy, and a baseline standard for SMBs and NFPs with a potential certification pathway.

There’s also increasing emphasis on identity crime and victim support, signalling that incident response and recovery planning are no longer optional.

Shield 2 – Safe technology

Horizon 2 expands the focus to cover edge devices, consumer energy resources (CER) (like rooftop solar and smart meters), and operational technology, all now recognised as fast-growing attack surfaces.

You’ll also see more scrutiny around vendor risks, especially in supply chains affected by Foreign Ownership, Control or Influence (FOCI). There is also more focus on Digital ID initiatives that aim to reduce data retention and lower identity fraud risk.

Shield 3 – Threat sharing & blocking (whole-of-economy defence)

Horizon 2 pushes for active threat blocking at scale beyond information sharing. The National Cyber Intel Partnership (NCIP) and CTIS pilots will support this whole-of-economy posture.

The CrowdStrike 2024 outage was a turning point, now used in Horizon 2 as a case study for crisis coordination, response testing, and executive-level playbooks.

There is also a push to understand the barriers around vulnerability disclosures and incentives to encourage their operation.

Shield 4 – Protected critical infrastructure

Horizon 2 will provide opportunities to improve cyber security of critical infrastructure through iterations of monitoring and enforcement frameworks under the SOCI Act. It will continue to evolve, with tighter regulatory oversight and likely independent audits of your Critical Infrastructure Risk Management Program (CIRMP).

Resilience planning, detection coverage, and supply chain assurance are now explicit regulatory expectations, not long-term goals.

Shield 5 – Sovereign capabilities

Horizon 2 calls out sustainable and diverse workforce ecosystems, collaboration with academia, and nurturing growth and development of sovereign capabilities. This is as much about delivery capacity as it is about resilience.

Shield 6 – Regional & global leadership

Australia’s leadership now includes regional incident response (RAPID), sanctions and attribution, and deeper alignment with EU, UK and US frameworks.

This shift supports a future where compliance is no longer local and your controls need to stand up to global expectations.

Cybersecurity strategy planning

What Horizon 2 means for you (by organisation type)

Horizon 2 affects each sector differently but all must prove maturity, resilience and responsiveness. Here's how that plays out across three key groups:

  • Small & Mid-Market Organisations (Including NFPs)

Horizon 2 signals tailored, low-cost minimum standards for SMBs and NFPs with practical support to strengthen resilience and bounce back after incidents. Expect simplified guidance, stronger scam-blocking at scale, and a shift toward measurable cyber hygiene.

Why it matters: It’s time to formalise your baseline controls, tidy your identity stack, and ensure you can demonstrate due care to insurers, funders, and regulators.

How we help: Our ASD Essential Eight as a Service delivers baseline security controls with modular uplift mapped to ASD maturity levels and fast to implement.

  • Large Enterprises & Regulated Sectors (Finance, Legal, Health)

Horizon 2 emphasises security by design, harmonised regulation, and accountable recovery. Coupled with ransomware reporting obligations and “no-fault” CIRB reviews, the bar for transparency, maturity and executive accountability is rising.

Why it matters: Now is the time to align your controls to business outcomes, prove detection and response capability, and rehearse board-level incident playbooks.

How we help: Our Security Maturity Model benchmarks your posture across identity, data, endpoint, and detection, then builds a costed, staged roadmap with managed services to support it.

  • Critical Infrastructure Operators

Regulators will increase oversight on SOCI compliance, resilience planning, and supply chain security. Horizon 2 makes it clear: operators must move beyond basic controls to demonstrate real-world preparedness and response maturity.

Why it matters: Non-compliance will no longer go unnoticed and recovery capability is now part of your risk equation.

How we help: We combine security architecture, incident response consulting, and Adversarial Simulation (Red/Purple/Gold Team) to test and uplift your detection and response under pressure.

The practical playbook: How to start scaling cyber maturity

Before 2026, you’ll need to show that cyber controls are working, maturity is visible, and response is rehearsed. Here’s a practical roadmap to get you there fast.

1. Start with security basics
  • Assess maturity against the Essential Eight.
  • Prioritise quick wins: patching, MFA, admin rights, backups.
  • Sequence remaining uplift into a 12–24 month roadmap.
2. Secure the identity layer
  • Enforce MFA for all remote access, privileged actions, and sensitive systems.
  • Harden conditional access and eliminate stale service accounts.
  • Centralise and test privileged access management (PAM).
3. Prove detection and response capability
  • Validate telemetry against MITRE ATT&CK.
  • Tune alerting and conduct Adversarial Simulation to uncover detection gaps.
  • Document “first 72 hours” incident roles, including ransomware response triggers.
4. Update your reporting & review workflows
  • Add ransomware reporting to your runbooks.
  • Nominate CIRB-facing executives and prepare “learn and share” evidence flows.
5. Test your recovery (not just backups)
  • Prove restoration speed and failover ability.
  • Validate RTO/RPO across critical systems.
6. Lock down the network and workplace
  • Secure Wi-Fi, internet gateways, and core infrastructure.
  • Align M365, Teams, and endpoint configuration to security best practice.
7. Turn it into a managed roadmap
  • Convert findings into a roadmap with budget guardrails.
  • Blend internal teams with managed services where it’s faster, safer, and more cost-effective.

What “good” looks like under Horizon 2

Horizon 2 sets a clear direction: maturity must be measurable, recovery must be tested, and uplift must be sustained not ad hoc.

By 2028, here’s what success will look like:

  • Clear minimums: Simpler, harmonised standards with security by design across sectors
  • Faster blocking at scale: Greater threat sharing and proactive defence across government and industry
  • Accountable recovery: Tested, reportable ransomware processes with CIRB reviews driving national learning
  • Visible maturity: Boards link cyber controls to business outcomes, and regulators see continuous, structured improvement

How The Missing Link can help

At The Missing Link, we help organisations assess where they stand, improve control maturity, and manage cyber resilience over time. Whether you're just getting started or scaling to meet Horizon 2 expectations, we bring the expertise, tools and on-shore support to make it happen, pragmatically and at pace.

Ready to get started? Book a cyber security readiness session with us to map your priorities and build a plan you can stand behind.

 

Author

David Bingham

David Bingham is Security Sales Manager for The Missing Link’s Southern Region, where he leads with energy, empathy and a love of complex problem-solving. Known for blending strategic thinking with a passion for people, David creates space for his team—and clients—to thrive. He’s all about building trust, tackling cyber security challenges head-on, and keeping the conversation real (and fun). Whether he’s in a high-rise talking strategy or behind the decks as Melbourne techno DJ Obsessive Behaviour, David brings the same sharp focus, infectious energy and creative spark to everything he does.