With the Australian Prudential Regulation Authority (APRA) enforcing CPS 230 – Operational Risk Management – as of July 1, 2025, material service providers (MSPs) supporting APRA-regulated entities are facing new expectations.
Whether you deliver core technology services, credit assessments, or other business-critical operations, understanding your role under CPS 230 is essential.
Here’s what you need to know.
What Is CPS 230?
CPS 230 replaces APRA’s earlier standards on outsourcing (CPS 231) and business continuity (CPS 232). Its goal is to improve the operational resilience of regulated entities—banks, insurers, and superannuation (pension) funds—by strengthening how they prepare for and respond to disruptions, including cyberattacks, system failures, and third-party breakdowns.
CPS 230 applies directly to APRA-regulated entities. However, the obligations flow downstream to MSPs via updated contracts, requiring providers to meet specific operational risk expectations.
By July 1, 2026, or the next contract renewal, APRA-regulated entities must ensure all agreements with MSPs reflect CPS 230 requirements. That makes now the right time for service providers to assess their position and engage proactively.
Which Organizations Need to Comply With CPS 230?
CPS 230 applies to vendors classified as “material service providers” by their APRA-regulated customers. APRA defines MSPs as vendors:
- Supporting a critical operation, or
- Introducing material operational risk
Examples include IT infrastructure providers, mortgage brokers, credit assessors, claims processors, and others delivering core services.
Important note: Your customers—not your organization—decide whether your services are material. Once designated, your role in supporting critical operations and aligning with recovery time expectations must be clearly understood.
If Your Organization Is a Service Provider to APRA-Regulated Entities, Where Should You Start?
Review and Align Contracts
Once designated an MSP, review your contracts with APRA-regulated customers to ensure they reflect CPS 230 requirements. These include:
- Audit rights for APRA
- Subcontractor transparency and accountability
- Service levels aligned with customer-defined tolerance levels, such as uptime guarantees and recovery time objectives (RTOs)
Business Continuity Planning
Your business continuity plan (BCP) must support your customers’ ability to maintain critical operations during disruptions. This includes:
- Participating in customer-led BCP testing for severe but plausible scenarios
- Ensuring your recovery capabilities align with customer-defined tolerance levels (e.g., if a customer tolerates a four-hour outage, your Recovery Time Objective (RTO) must be four hours or less)
Subcontractor Management
CPS 230 requires regulated entities to understand their extended supply chain. As an MSP, you’ll need to:
- Identify and disclose material subcontractors
- Accept accountability for subcontractor performance
This “fourth-party” visibility is a key element of operational risk mapping under CPS 230.
For MSPs, CPS 230 isn’t just a compliance exercise. It’s a chance to improve operational maturity, strengthen customer trust, and become a preferred partner for APRA-regulated organizations.
Understanding your status, updating contracts, aligning continuity strategies, and mapping supply chain risks will set you apart as a CPS 230-ready provider.
What Are Tolerance Levels Under APRA?
APRA defines tolerance levels as:
- The maximum outage period a customer will tolerate
- The maximum data loss allowed during a disruption
- The minimum service levels to be maintained under alternate arrangements
Your RTOs, backup strategies, and contractual SLAs must reflect these thresholds.
How We Can Help
We help service providers streamline compliance with both SOC 2 and CPS 230 requirements. Our SOC 2+ report covers traditional security, confidentiality, and availability controls—plus key CPS 230-specific elements for MSPs.
This means you can deliver a single SOC 2+ report to your APRA-regulated customers, addressing multiple assurance needs with one engagement.
To understand how CPS 230 may affect your organization—and how to prepare—contact us. We’re here to help you navigate the changes and build a compliance strategy that creates long-term value.