Australia's cyber security strategy is entering its next chapter.
This month, Home Affairs Minister Tony Burke unveiled Horizon 2 of the Australian Government's 2023-2030 Australian Cyber Security Strategy, signalling a shift from building cyber foundations towards embedding cyber resilience across the broader economy.
While much of the conversation around cyber security centres on major breaches, ransomware attacks and nation-state threats, Horizon 2 focuses on something arguably more important: raising Australia's overall level of cyber maturity before the next major crisis occurs.
The question now is whether organisations are ready to make that transition.
Moving Beyond the Basics
When the Australian Cyber Security Strategy launched in 2023, the Government divided its vision into three distinct phases.
The first phase, Horizon 1, focused on strengthening Australia's cyber foundations through legislative reform, enhanced protections and the introduction of new cyber security frameworks. Horizon 2, which runs from 2026 to 2028, takes a broader approach, aiming to strengthen cyber maturity across the Australian economy, society and digital infrastructure.
According to Home Affairs, the cyber threat environment has evolved significantly since the original strategy was launched. Advances in technology, shifting geopolitical tensions and changing economic conditions have all influenced the Government's approach to the next phase of the strategy.
The result is a stronger emphasis on resilience, capability development and long-term preparedness.
Cyber Security Is Becoming Everyone's Responsibility
One of the most significant themes emerging from Horizon 2 is the idea that cyber security can no longer be viewed solely as an IT issue.
The Government's consultation process involved more than 170 public submissions, industry roundtables and stakeholder engagement sessions, highlighting the increasingly shared responsibility model that now underpins Australia's cyber ambitions.
This reflects a reality that many organisations are already experiencing.
Cyber incidents today can disrupt operations, damage reputations, impact supply chains and create significant financial consequences. As a result, cyber security is becoming a board-level issue rather than simply a technical one.
Industry groups contributing to Horizon 2 discussions have also highlighted the importance of improving cyber literacy, empowering small and medium-sized businesses, strengthening workforce capability and embedding cyber awareness across society.
The AI Challenge
The timing of Horizon 2 is particularly significant given the rapid emergence of artificial intelligence.
AI is already reshaping both cyber defence and cyber threats.
Australian regulators have recently warned organisations that frontier AI systems could accelerate the speed and sophistication of cyber attacks, potentially enabling threat actors to identify and exploit vulnerabilities faster than ever before.
At the same time, organisations are increasingly deploying AI tools within their own environments, creating new security, governance and risk management challenges.
For many businesses, improving cyber maturity will no longer be limited to patching systems and implementing multi-factor authentication. It will increasingly involve understanding how AI changes their risk profile and ensuring governance frameworks evolve alongside the technology.
Why Critical Infrastructure Remains a Priority
Another key consideration for Horizon 2 is the growing importance of critical infrastructure resilience.
Australia's broader national security environment continues to be shaped by concerns around cyber disruption, supply chain vulnerabilities and threats to essential services. Recent defence and security discussions have repeatedly highlighted cyber resilience as a critical component of national preparedness.
This means sectors such as energy, healthcare, telecommunications, transport and financial services are likely to face continued scrutiny as governments seek to strengthen national resilience.
For security leaders, the message is becoming increasingly clear: cyber security is no longer just about protecting systems. It is about protecting operations, customers and national capability.
The Next Three Years
The Government has indicated that further details regarding Horizon 2 initiatives will be announced in the coming months, with continued consultation and collaboration remaining central to the strategy's implementation.
For organisations, however, the direction of travel is already evident.
The next phase of Australia's cyber strategy is not focused solely on responding to incidents. It is focused on creating a more resilient digital ecosystem capable of withstanding increasingly complex threats.
The organisations that succeed over the next three years are unlikely to be those that simply meet compliance requirements.
They will be the organisations that view cyber security as a business capability, invest in resilience before it is needed and recognise that cyber maturity is becoming a competitive advantage rather than just a regulatory obligation.
As Horizon 2 begins, Australia's cyber security conversation is shifting from protection to preparedness.
And for many organisations, that shift may prove to be the most important development of all.
