A practical guide to CPS 230

A practical guide to CPS 230

Insights • July 14, 2026 • 20-minute read

Key Takeaways

  • CPS 230 is APRA's new prudential standard for operational risk management, requiring organisations to ensure critical operations continue during disruptions.
  • The standard mandates identifying material service providers, establishing tolerance levels for operations.
  • Compliance with CPS 230 requires ongoing operational evidence rather than mere documentation, emphasising practical implementation and continuous assessment.

What is CPS 230?

If your organisation is regulated by APRA, CPS 230 changes how you manage operational risk. The focus is no longer simply on having policies and plans in place. You must be able to demonstrate that your critical operations can continue through disruption, that your service providers are appropriately governed and that your controls work in practice. 

CPS 230 is APRA’s prudential standard for operational risk management. It requires APRA-regulated entities to identify and manage operational risk, keep critical operations running through disruption, and control the risks created by the service providers they depend on. 

That may sound straightforward, but CPS 230 represents one of the most significant shifts in APRA regulation for more than a decade. It brings operational resilience, business continuity and third-party risk management together under a single prudential standard, placing greater emphasis on governance, testing and evidence rather than documented intent. 

The standard took effect on 1 July 2025, replacing five older prudential standards. A transitional period applies for certain pre-existing contractual arrangements, with full application, including to contracts entered into before commencement, from 1 July 2026. 

For many organisations, the biggest challenge isn’t understanding the regulation. It’s translating it into practical action across operations, technology, suppliers and governance.  

That’s where this guide is designed to help. It’s aimed at helping you move from understanding the standard to implementing it. It explains who CPS 230 applies to, the three things every regulated entity must do, how APRA is likely to assess compliance, what to do if you’ve breached the standard, and what the 2026 amendments mean in practice.  

Whether you’re building a CPS 230 program from scratch or closing the final compliance gaps, you’ll find practical guidance for every stage of the journey.  

 

Does CPS 230 apply to me?

In short, yes if you’re regulated by APRA. If you’re not regulated by APRA, but provide critical services to an APRA-regulated organisation, CPS 230 may still affect you because your customer is required to manage the operational risks you introduce. 

Use the guide below to determine where you fit. 

You are in scope if: 

  • You are an APRA-regulated bank, authorised deposit-taking institution (ADI), insurer or superannuation trustee. In scope directly. CPS 230 applies to you. 
  • You provide a critical service to an APRA-regulated organisation, such as fund administration, custody, investment management, core technology, cloud, cyber security or claims processing. In scope indirectly, through your client’s contract. CPS 230 doesn’t regulate you directly, but your customer must govern your services under the standard. 
  • You are part of a corporate group whose parent entity is regulated by APRA. Likely in scope via the group. Depending on your role within the group, CPS 230 obligations may extend to your operations. 
  • You are the Australian branch of a foreign bank or insurer. In scope for your Australian operations. CPS 230 applies to your Australian business. 
  • None of the above? CPS 230 does not apply to you directly. However, many organisations now use it as the benchmark for operational resilience and third-party risk management. Increasingly, organisations outside APRA’s remit are adopting its principles because customers, boards and regulators expect the same level of operational resilience across the broader supply chain. 

Notably, the important point is this: CPS 230 reaches further than many organisations first expect. Even if APRA doesn’t supervise your organisation directly, you may still need to demonstrate resilience, governance and operational capability because your customers are required to evidence theirs. 

 

How is CPS 230 getting stricter, and what are the key dates?

CPS 230 is the latest step in a decade-long change in APRA regulations governing operational risk and operational resilience. The direction has been consistent: from guidance to enforceable standards, from documented policies to tested evidence, and from focusing on the regulated entity alone to examining the resilience of its entire supplier ecosystem. 

Indeed, that progression matters because it shows where APRA’s expectations are heading. Organisations shouldn’t simply build for today’s minimum requirements. They should be building an operational resilience capability that can adapt as APRA regulations continue to evolve and regulatory scrutiny increases over time. 

How APRA’s expectations have evolved

  • 2013: APRA publishes guidance on information security risk (later renamed CPG 234). It provides good practice, but is not enforceable. 
  • 1 July 2019: CPS 234 comes into effect, making information security an enforceable prudential standard and introducing mandatory breach notification requirements. 
  • 1 July 2025: CPS 230 takes effect, extending APRA’s evidence-based approach to operational resilience, business continuity and third-party risk. 

Key CPS 230 dates

The CPS 230 effective date was 1 July 2025, but the next milestone is just as important. 

  • 17 July 2023: Final CPS 230 released. 
  • 13 June 2024: Final Prudential Practice Guide (CPG 230) released. 
  • 17 October 2024: Material Service Provider (MSP) Register template released. 
  • 1 October 2025: First MSP registers due to APRA. 
  • 27 June 2025: APRA notification forms for paragraphs 33, 42 and 59 become available. 
  • 1 July 2025: CPS 230 comes into effect for all APRA-regulated entities. 
  • 30 April 2026: APRA’s amendments to CPS 230 and CPG 230 commence. 
  • 1 July 2026: Transitional arrangements end, bringing pre-existing service-provider contracts into full scope under the standard. 

Importantly, the 1 July 2026 deadline is particularly significant because two major changes take effect together. Transitional arrangements for contracts entered into before the commencement of CPS 230 come to an end, while APRA’s 30 April 2026 amendments also begin to apply. For many regulated organisations, this financial year is about identifying and closing any remaining contract, governance and evidence gaps before both milestones converge. 

 

How to identify CPS 230 critical operations

 

Identify your critical operations

Your first task under CPS 230 is to identify your critical operations. These are the services so important that, if disrupted beyond their tolerable limits, they would materially harm your members, policyholders or customers, or the stability of the financial system. Everything else under CPS 230 is built on this list, so getting it right is the foundation of your implementation. 

Start with the customer, not the technology 

The most effective way to identify CPS 230 critical operations is to work from the outside in. 

Start by asking: What services do our customers rely on most? 

For a superannuation fund, that might include paying member benefits, processing contributions or switching investments. For an insurer, it could be processing claims. Once you’ve identified those customer-facing services, trace backwards through the business processes, applications, infrastructure and suppliers that support them. 

This approach helps ensure you’re identifying the operation that matters, rather than simply the technology behind it. 

The mistake many organisations make

One of the most common mistakes is defining CPS 230 critical operations at the system level instead of the service level. 

For example, “our payments platform” isn’t a critical operation. Paying a member their benefit is. 

Technology will almost always change over time. Systems are upgraded, applications are replaced and infrastructure evolves. What’s more, the service delivered to the customer remains the constant. That’s what APRA is ultimately interested in protecting. 

Two things to lock in

So before moving to the next step, make sure you have two things in place: 

  • Board approval. Your board must approve the list of critical operations because it underpins your operational resilience framework. 
  • Regulatory oversight. APRA can require an organisation to classify a particular operation as critical, even if it hasn’t been identified internally. 

Getting this first step right makes every other part of CPS 230 implementation more straightforward. Critical operations determine the tolerance levels you set, the service providers you govern and the evidence you’ll ultimately need to demonstrate operational resilience. 

 

How to set tolerance levels under CPS 230

Set your tolerance levels

Your second task under CPS 230 is to set tolerance levels for each of your critical operations. A tolerance level defines the maximum disruption your organisation can withstand before material harm occurs, including maximum downtime, maximum data loss and the minimum level of service that must be maintained during a disruption. Under CPS 230, a tolerance level that hasn’t been tested is one you can’t rely on. 

Start with the customer impact

Many organisations already work with Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). That’s a valuable starting point, but CPS 230 asks a different question. 

Rather than beginning with technology, start with the customer. How long could members, policyholders or customers realistically tolerate an interruption before the consequences become unacceptable? Once you’ve answered that question, you can work backwards to establish the technology, people, suppliers and recovery capabilities needed to support it. 

This ensures tolerance levels reflect business outcomes rather than technical assumptions. 

The mistake many organisations make

Indeed, the most common mistake is treating tolerance levels as a documentation exercise rather than an operational one. 

Setting a recovery objective on paper isn’t enough. Your organisation needs to demonstrate that it can achieve that outcome under realistic disruption scenarios. That’s why testing is so important. Scenario exercises, disaster recovery testing and operational simulations provide the evidence that your tolerance levels are achievable, not simply aspirational. 

This is also where many CPS 230 implementation programmes fall short. Organisations spend considerable time defining tolerance levels but much less time validating them. 

One trigger you need to know

If a critical operation is disrupted beyond its approved tolerance level, APRA must be notified as soon as possible and no later than 24 hours after the organisation becomes aware of the breach (paragraph 42). We’ll explain exactly what that notification requires in Step 8: What to do if you’ve breached CPS 230. 

Getting this second step right gives your organisation confidence that its resilience objectives are realistic, tested and capable of standing up to regulatory scrutiny. 

 

How to manage material service providers under CPS 230

Manage your material service providers

Your third task under CPS 230 is to identify and govern your material service providers. A CPS 230 material service provider is an organisation you rely on to deliver a critical operation or one whose services introduce material operational risk. CPS 230 requires these providers to be identified, governed through appropriate contractual arrangements and reported to APRA. For many organisations, this becomes the largest single piece of work in their CPS 230 implementation. 

Start with the register

Your first priority is building and maintaining a complete Material Service Provider (MSP) Register. 

APRA released the MSP Register template on 17 October 2024, with the first registers due on 1 October 2025. An updated template applies to 2026 submissions. 

Some providers are considered material because of the services they perform. For superannuation funds, these include: 

  • Fund administration 
  • Custodial services 
  • Investment management 
  • Arrangements with promoters and financial planners 

Across all APRA-regulated entities, commonly material providers include: 

  • Risk management services 
  • Core technology services 
  • Internal audit 

The mistake many organisations make

Many organisations treat the register as the end goal. But it isn’t. 

The register is simply a record of your material service providers. The real challenge is governing them throughout the life of the relationship. 

Your contracts should include appropriate rights to audit, notification obligations and exit provisions. The April 2026 amendments also introduce limited exemptions for certain provider categories where particular contractual provisions are not reasonably practicable. 

Just as importantly, organisations need to manage change across their supplier ecosystem. A mid-sized superannuation fund may rely on 70 to 130 suppliers, each introducing new technology, services and operational dependencies over time. APRA increasingly expects organisations to demonstrate how those changes are identified, assessed and governed, and not just within their own operations, but across their broader supplier environment. 

Two things to lock in

Before moving to the next step, make sure you have two things in place: 

  • Keep your MSP Register current. It should be treated as a living governance document, not something updated once a year. 
  • Understand your notification obligations. CPS 230 includes notification requirements for new or materially changed service provider arrangements and certain offshoring activities (paragraph 59). Managing supplier change is now an ongoing governance responsibility, not a one-off compliance exercise. 

Getting this third step right strengthens operational resilience well beyond compliance. It provides a clear understanding of who supports your critical operations, how those relationships are governed and how risk is managed as your supplier environment evolves. 

 

How will APRA audit your CPS 230 compliance?

The biggest change under CPS 230 isn’t the regulation itself. It’s how APRA is likely to assess CPS 230 compliance. 

For many years, organisations could demonstrate compliance by showing they had policies, frameworks and documented controls in place. Today, APRA’s focus has shifted to operational evidence. The question is no longer, “Do you have a control?” It’s “Can you demonstrate that it works?” 

That’s an important distinction. A business continuity plan is only valuable if it has been tested. A disaster recovery capability is only meaningful if recovery has been demonstrated. A supplier governance framework only provides assurance if the organisation can produce evidence that it is operating as intended. 

 

What evidence will APRA expect to see? 

While every review is different, organisations should expect to provide evidence such as: 

  • Tested disaster recovery and restore results 
  • Business continuity and failover testing outcomes 
  • Process documentation and governance records 
  • Evidence from material service providers 
  • Control testing, scenario exercises and assurance artefacts 

Every request is designed to answer the same question: 

Show me it worked, not that you intended it to. 

 

Remember the layers of assurance

One of the realities of operating in an APRA-regulated environment is that evidence rarely stops with a single review. 

Typically, operational evidence flows through multiple layers of assurance: 

  • First line: Operational teams responsible for delivering the controls. 
  • Second line: Risk and compliance functions reviewing those controls. 
  • Third line: Internal and external auditors providing independent assurance. 
  • APRA: The regulator reviewing the organisation’s overall governance, resilience and evidence. 

Each layer asks the one below for proof. Organisations that build evidence continuously are far better prepared than those trying to assemble it immediately before an audit. 

That’s one lesson Interactive has seen repeatedly while operating as a material service provider to APRA-regulated organisations. The strongest operational resilience programs don’t create evidence for an audit; if anything, they create it as part of everyday operations. By the time APRA asks the question, the evidence is already there. 

 

What to do if you’ve breached CPS 230

If you think you’ve breached CPS 230, the first thing to know is this: the standard recognises that operational disruptions can occur. What matters most is how your organisation responds. Acting quickly, preserving evidence and meeting your notification obligations are just as important as resolving the incident itself. 

The reporting clock starts when your organisation becomes aware of the breach, so having clear escalation processes in place before an incident occurs is essential. 

 

Know your notification obligations

There are two notification requirements under CPS 230, and they apply in different circumstances. 

  • 24-hour notification (paragraph 42): If a critical operation is disrupted beyond its approved tolerance level, you must notify APRA as soon as possible and no later than 24 hours after becoming aware of the disruption. The notification should outline the nature of the disruption, the actions taken, the likely impact and the expected timeframe for returning to normal operations. 
  • 72-hour notification (paragraph 33): If you become aware of an operational risk incident that is likely to have a material financial impact, or materially affect your ability to maintain critical operations, you must notify APRA as soon as possible and no later than 72 hours after becoming aware of the incident. 

One important exception applies. If an information security incident has already been reported under CPS 234, a separate CPS 230 notification is generally not required. 

Focus on the response, not just the reporting

Meeting the notification deadlines is only one part of managing a CPS 230 breach. Organisations should also: 

  • Contain the disruption and restore critical operations as quickly as possible. 
  • Preserve evidence of what happened, how the organisation responded and the decisions made throughout the incident. 
  • Keep the board and second-line risk function informed as the situation develops. 
  • Capture lessons learned to strengthen operational resilience and demonstrate continuous improvement. 

One of the biggest mistakes organisations can make is assuming the incident ends once services are restored. APRA is likely to be just as interested in how the organisation responded, what evidence was retained and what changed afterwards to reduce the likelihood of the same event occurring again. 

Not sure whether your organisation is ready? Book a free CPS 230 readiness assessment to identify potential gaps before an incident or regulatory review puts them to the test. 

 

How does CPS 230 apply during a merger or major change?

Major organisational change is when CPS 230 is most heavily tested. A merger is the clearest example, but the same challenges arise during large technology migrations, restructures, divestments and other significant transformation programs. As environments become more complex, APRA still expects organisations to demonstrate one consistent approach to operational resilience, governance and supplier management. 

For many superannuation funds, consolidation has become one of the biggest drivers of CPS 230 implementation. The surviving organisation often inherits multiple technology platforms, supplier ecosystems, governance processes and business continuity arrangements. While those environments may have operated effectively on their own, they now need to function as a single operational model. 

Build a complete picture

The first challenge is visibility. You can’t govern what you haven’t mapped, and you can’t evidence what you can’t see. 

Before organisations can identify critical operations, set tolerance levels or review material service providers, they need a current understanding of the environment they’ve inherited. That means identifying business services, supporting systems, operational dependencies, supplier relationships and recovery capabilities across the combined organisation. 

Without that foundation, every subsequent decision becomes more difficult. 

Then follow the same three steps

Once current-state discovery is complete, the process follows the same framework outlined throughout this guide: 

  • Step 1: Build a single, organisation-wide view of critical operations. 
  • Step 2: Establish consistent tolerance levels that reflect the combined organisation’s operational resilience objectives. 
  • Step 3: Consolidate supplier registers and governance processes into a single view of material service providers, contracts and operational risk. 

Each of these steps is more challenging than it appears because inherited environments rarely align. Different systems, suppliers, recovery objectives and governance practices all need to be brought together under one operational resilience framework. 

Whether the change involves a merger, a cloud transformation, a major outsourcing program or a business restructure, the principle remains the same: understand the current environment first, then build a single, governed view of operations, resilience and supplier risk before making further change. 

 

How do ISO 22301 and CPG 230 fit alongside CPS 230?

If your organisation already follows ISO 22301 or uses CPG 230, you’re not starting from scratch. Both provide a strong foundation for CPS 230 implementation, but neither replaces the standard. They support different parts of the operational resilience journey and are most effective when used alongside CPS 230. 

ISO 22301: A strong foundation for operational resilience

ISO 22301 is the international standard for business continuity management. Organisations that already operate an ISO 22301-aligned program are well positioned because many of the disciplines APRA expects, including business continuity planning, testing, exercising and management review, are already embedded. 

However, ISO 22301 doesn’t address every CPS 230 obligation. It doesn’t require organisations to define CPS 230 tolerance levels, maintain a material service provider register or meet APRA’s notification requirements. Think of it as a strong foundation rather than a complete solution. 

One additional advantage is that an independently audited ISO 22301 program provides the kind of operational evidence APRA increasingly expects to see. Organisations with mature business continuity Australia and disaster recovery Australia capabilities often have a significant head start when preparing for CPS 230. 

CPG 230: Practical guidance for applying the standard

Unlike ISO 22301, CPG 230 isn’t another framework. It’s APRA’s prudential practice guide explaining how the regulator expects organisations to meet the requirements of CPS 230. 

The final CPG 230 was released on 13 June 2024 and updated on 30 April 2026. While it doesn’t introduce new requirements, it provides valuable guidance on how APRA expects organisations to interpret and apply the standard in practice. 

For most organisations, the best approach is to read CPG 230 alongside CPS 230. The standard explains what must be achieved. The practice guide provides context and examples that help organisations implement those obligations more effectively. 

The strongest operational resilience programs don’t rely on a single framework. They combine CPS 230 with proven business continuity, disaster recovery and governance practices to build resilience that is practical, tested and ready for regulatory scrutiny. 

 

Where do organisations fall short on CPS 230 compliance?

A year into CPS 230, the same CPS 230 compliance gaps continue to appear. They aren’t usually caused by a lack of effort. They’re the areas that are genuinely difficult to implement because they require organisations to move beyond documentation and demonstrate operational resilience in practice. 

But the good news is that most of these gaps are predictable, and, therefore, avoidable. 

The five most common CPS 230 compliance gaps

  • Critical operations are defined at the system level rather than the service level.
    The fix: Start with the customer-facing service and work backwards to the technology, people and suppliers that support it. (See Step 1.) 
  • Tolerance levels are documented but never tested.
    The fix: Validate tolerance levels through realistic disruption scenarios and retain the results as evidence. (See Step 2.) 
  • The Material Service Provider Register is completed once and then forgotten.
    The fix: Treat the register as a living governance document with clear ownership and regular review. (See Step 3.) 
  • Supplier contracts are updated, but there is little evidence providers can actually deliver during disruption.
    The fix: Ask for independently tested evidence, not contractual assurance alone. Review disaster recovery testing, operational resilience exercises and supplier assurance documentation regularly. 
  • There is no governance process for managing change across the supplier ecosystem.
    The fix: Establish clear oversight for new suppliers, contract changes, technology changes and operational dependencies before they become operational risks. 

Notably, none of these gaps are solved by more documentation. Instead, they’re addressed through stronger governance, better visibility and continuous evidence that operational controls work as intended.  

What’s more, organisations that treat CPS 230 compliance as an ongoing operational discipline, rather than a one-off implementation project, are far better prepared for regulatory reviews and future change. 

 

How Interactive helps with CPS 230

Many organisations help clients prepare for CPS 230 from the outside as advisers or consultants. Interactive supports organisations from inside the operational resilience framework itself. As a material service provider to APRA-regulated organisations, Interactive is governed under the same supplier management obligations its customers are required to meet and is audited alongside them. 

That perspective shapes how Interactive approaches operational resilience. Rather than simply advising on the standard, it provides the operational evidence organisations increasingly need to demonstrate CPS 230 compliance. 

In practice, that includes: 

  • Supporting material service provider governance with documented operational controls and supplier evidence. 
  • Providing the evidence auditors expect, including process documentation, tested disaster recovery outcomes, demonstrated restores and operational assurance artefacts. 
  • Embedding resilience into contractual arrangements, including documented exit provisions, notification obligations and participation in operational resilience and scenario-testing activities. 
  • Supporting operational resilience through integrated capabilities, including business continuity, disaster recovery, managed infrastructure, cloud services and cyber security. 

The result is a provider that fits naturally into an organisation’s operational resilience framework rather than creating another governance challenge. Evidence is available when procurement, risk, auditors or APRA ask for it, which means helping organisations spend less time gathering assurance and more time strengthening resilience. 

Whether you’re building a new CPS 230 implementation program or validating an existing one ahead of regulatory review, understanding where the gaps are is the best place to start. 

Book a free CPS 230 readiness assessment and we’ll help you identify potential gaps before APRA or your auditor does.  

[wpforms id="15231"]
[wpforms id="14210"]
FORM HEADINF
Search by industry
  • All
  • Automotive and Logistics
  • Consumer Packaged Goods
  • Corporate
  • Financial Services
  • FMCG
  • Government
  • Healthcare
  • IT, Data and Software
  • Manufacturing
  • Media and Entertainment
  • Real Estate
  • Retail
  • Superannuation
  • Travel