Key Takeaways — CPS 230 APRA Compliance
  • CPS 230 came into force on 1 July 2025 and applies to all APRA-regulated entities. Banks, insurers, and superannuation trustees must comply now.
  • Boards are personally accountable for approving tolerance levels, business continuity plans, and material service provider governance.
  • Every IT provider supporting a critical operation must be classified as a material service provider, with mandatory contract clauses and APRA audit access rights.
  • Pre-existing service provider contracts must be uplifted to CPS 230 requirements by the earlier of the next renewal date or 1 July 2026.
  • If your IT provider cannot demonstrate annual BCP testing and 72-hour incident reporting, that is a direct compliance gap, not a vendor performance issue.

CPS 230 APRA compliance is no longer a future consideration. The Australian Prudential Regulation Authority's Prudential Standard CPS 230 Operational Risk Management took effect on 1 July 2025, and every APRA-regulated entity must demonstrate compliance now. The standard does not distinguish between entities that planned ahead and those that did not.

CPS 230 consolidates and replaces three earlier standards: CPS 231 (Outsourcing), CPS 232 (Business Continuity Management), and CPG 233 (Operational Risk). APRA designed it to address specific, documented failures seen across the sector: controls that existed on paper but had never been tested, BCPs that excluded third-party provider failures, and outsourcing arrangements where regulated entities had no meaningful visibility into their suppliers. CPS 230 closes all three gaps simultaneously.

What CPS 230 Actually Requires: The Five Core Obligations

  1. Identify and Document Critical Operations

     An APRA-regulated entity must formally identify each process that, if disrupted beyond defined limits, would cause material adverse impact to depositors, policyholders, beneficiaries, or the financial system. The definition is deliberately broad and includes processes operated by a service provider on the entity's behalf. Outsourced IT infrastructure, cloud platforms, and managed security services all potentially fall within scope.

  2. Set Board-Approved Tolerance Levels

     For every critical operation, the entity must define a Recovery Time Objective (maximum acceptable downtime) and a Recovery Point Objective (maximum acceptable data loss). These are not technical parameters set by the IT team. They require board approval. Any IT provider supporting a critical operation must then align their delivery and recovery capabilities to those board-approved tolerances.

  3. Maintain and Annually Test a Business Continuity Plan

     CPS 230 requires a credible, tested BCP. The testing programme must run at least annually and include scenario exercises covering cyber-attacks, system outages, and service provider failures. If your BCP has never been tested with your IT or security provider simulating a failure scenario, it does not satisfy the standard. APRA will specifically look for evidence of third-party BCP participation in supervisory reviews.

  4. Identify, Register, and Govern Material Service Providers

     A service provider is "material" if the entity relies on it for a critical operation, or if the arrangement poses material operational risk. Entities must maintain a comprehensive register of all material service providers. The initial register was due to APRA by 1 October 2025. Critically, the standard extends oversight to fourth parties: the vendors your MSPs rely on. Existing contracts must be uplifted by the earlier of the next renewal date or 1 July 2026.

  5. Report Significant Operational Incidents to APRA Within 72 Hours

     When a material operational disruption occurs, including a cyber incident, the entity must notify APRA promptly. APRA's guidance references a 72-hour operational planning window. The notification must cover the nature of the disruption, actions taken, likely business impact, and the expected timeline to normal operations. This requirement integrates with the Cyber Security Act 2024's mandatory ransomware reporting obligations.
⚠️ The Financial Accountability Regime (FAR) raises the personal stakes: under FAR, individual executives are now personally accountable for CPS 234 (information security) obligations that flow through to CPS 230's operational risk requirements. Non-compliance is no longer purely an institutional risk. APRA has signalled increased enforcement from 2025 onward, and the Medibank capital charge confirmed that consequences are real and material.

Key dates and figures at a glance:
  • 1 July 2025: CPS 230 in force for all APRA entities
  • 72 hours: operational window to notify APRA of significant incidents
  • 1 July 2026: deadline to uplift pre-existing service contracts
  • 4th party: oversight required for your providers' vendors

"Regulated entities that treat CPS 230 as a documentation exercise will not survive their first supervisory review. APRA wants evidence of tested resilience, not policies that describe resilience in theory."

Robert Kirtley, Head of Cyber Security, Virtuelle Group

5 Signs Your IT Provider Is Not Taking CPS 230 Seriously

Most mid-market managed services providers were built around infrastructure uptime and helpdesk response times. CPS 230 demands something fundamentally different: documented, tested operational resilience that can withstand APRA supervisory scrutiny. These are the five signs your current IT provider does not meet that standard.

Sign 1: They Cannot Produce a Written BCP Covering Your IT Systems

Ask your IT provider for their business continuity plan as it relates to services they deliver to your organisation. A CPS 230-ready provider will have a documented plan, a testing schedule, and results from the most recent exercise. If the response is vague, such as "we have redundancy" or "we follow best practices," that describes infrastructure, not a BCP. CPS 230 requires your IT provider to actively participate in BCP testing, not simply acknowledge that your plan exists.

Sign 2: Their Contracts Do Not Include APRA Audit Access Rights

Contracts with material service providers must include a clause granting your auditors and APRA the right to access the provider's information and premises. This is not optional. Most IT services agreements written before 2023 do not include this clause. Ask your provider directly whether your contract grants APRA the right to audit their operations. The answer tells you how seriously they have engaged with the standard.

⚠️ The 1 July 2026 uplift deadline is firm: pre-existing service provider contracts must meet CPS 230 requirements by the earlier of the next renewal date or 1 July 2026. If your contract auto-renews annually, the next renewal after 1 July 2025 is already the deadline. Waiting for a convenient renegotiation window may mean missing it entirely.

Sign 3: They Cannot Specify RTOs for Your Critical Systems

If your IT provider cannot tell you in writing what their committed Recovery Time Objective is for each of your critical systems, they cannot demonstrate alignment to your board's tolerance levels. Monthly uptime of 99.9% is compatible with a single outage exceeding seven hours. If your board-approved tolerance for a core banking or claims processing system is two hours, that SLA is structurally insufficient and does not satisfy CPS 230.

Sign 4: They Have No Visibility Into Their Own Subcontractors

CPS 230 requires entities to understand the extended supply chain of their MSPs, including fourth parties. When we ask IT providers to document their subcontracting arrangements, the typical response reveals no one has mapped this chain. The SOC may be run by a third party. The backup platform may be hosted offshore. If your MSP cannot provide a documented view of their supply chain and those parties' obligations, your entity cannot satisfy its fourth-party oversight requirement.

Sign 5: Cyber Incidents Reach You Days Later Rather Than Within Hours

The 72-hour notification clock starts when the incident is detected, not when your IT provider gets around to telling you. If incident communication relies on a standard helpdesk P1 queue, you do not have the escalation architecture CPS 230 requires. Material incidents need a direct path from your IT provider to your designated accountable executive, with pre-agreed communication templates containing the specific information APRA's notification forms require.

🏁 What a CPS 230-ready IT provider looks like: they hold current certifications, ISO 27001 at minimum. They produce their BCP and most recent test results on request. Their contracts include APRA audit access rights, RTO commitments mapped to your critical operations, and documented subcontracting visibility. They have a named executive accountable for your relationship and a tested incident escalation path. That is the baseline, not a premium offering.

CPS 230 Compliance Checklist

The following checklist covers the minimum actions required to demonstrate meaningful progress to APRA's supervisory team. Most organisations find material gaps in at least three of these areas on first review.

  • Critical operations identified, documented, and reviewed by the board
  • Tolerance levels (RTO and RPO) defined and board-approved for each critical operation
  • Business continuity plan updated to include service provider failure scenarios and tested within the past 12 months
  • Material service provider register completed and submitted to APRA
  • All MSP contracts reviewed against mandatory CPS 230 clauses: APRA audit access, RTO alignment, subcontracting rules, exit provisions
  • Pre-existing MSP contracts uplifted or renegotiation underway ahead of the July 2026 deadline
  • Single accountable executive assigned to each material service provider relationship
  • Incident escalation paths and APRA notification templates documented and tested

🏆 Virtuelle Group's credentials for regulated-sector engagements: we hold ISO 27001 certification and specialise in APRA CPS 230 and CPS 234 compliance, managed SOC and MDR services, and Essential Eight assessments for financial services, insurance, and superannuation clients across Australia and New Zealand. Our 90-Day Guarantee applies to every managed service engagement.

💼 Sharing this on LinkedIn? Tag your CISO, CRO, or IT Manager and ask them one question: has our IT provider participated in a BCP scenario test in the past 12 months? The answer shows exactly where your CPS 230 exposure sits.

Virtuelle Group Security Practice
Microsoft-Certified MSSP · Sydney, Australia
Virtuelle Group is a Microsoft-certified Managed IT and Cybersecurity partner headquartered in Sydney with offices in Melbourne, Auckland, Singapore, and Chicago. Our security practice specialises in APRA CPS 230 and CPS 234 compliance, managed SOC and MDR services, Essential Eight assessments, DISP engagements, and operational resilience frameworks for financial services, insurance, and superannuation clients across Australia and New Zealand.