Build · CPS 230 Compliance

CPS 230 Readiness for Material Service Providers - 1 July 2026 Deadline.

APRA's 1 July 2026 deadline for material service provider contractual compliance is approaching. If you provide IT, cloud, payments, or managed services to a bank, insurer, or super fund, your clients will need compliant arrangements in place - or they will need to find providers who can. We assess your current position, identify gaps, and deliver the documentation and evidence your regulated clients need. Read the CPS 230 readiness guide for MSPs →

Book a Free 30-Min Call → View all services

1 Jul²⁰²⁶

MSP contractual compliance deadline

4-6^wks

Typical readiness assessment timeline

24⁺

Years across FinTech, regulated sectors

APRA CPS 230 (Prudential Standard CPS 230 - Operational Risk Management) is the Australian Prudential Regulation Authority's standard governing operational risk, business continuity, and material service provider management. It requires APRA-regulated entities - banks, insurers, and super funds - to ensure their critical service providers meet defined contractual, continuity, and access requirements. While CPS 230 places obligations directly on regulated entities, the practical impact falls on material service providers who must demonstrate compliance to retain their contracts.

Who Needs to Act

Who is Affected by CPS 230 and Why Does It Matter?

CPS 230 creates obligations for APRA-regulated entities, but the compliance burden flows directly to their material service providers. If you can't demonstrate readiness, your regulated clients may be forced to restructure or exit the arrangement.

📋

Your APRA-regulated clients are asking about CPS 230 compliance

Regulated entities must have compliant written agreements with all material service providers by 1 July 2026. If your contracts don't meet the requirements, your clients face supervisory risk.

🔄

Your business continuity plans don't meet APRA expectations

CPS 230 requires material service providers to maintain and test business continuity and disaster recovery plans. APRA expects documented evidence, not assertions.

📄

Your contracts haven't been reviewed against CPS 230 requirements

Material service provider agreements must include specific provisions for notification, access rights, audit rights, and exit arrangements. Standard commercial contracts rarely cover these.

🔍

You're unsure whether you're classified as a material service provider

Your regulated clients determine materiality, but if you support a critical operation - IT infrastructure, payments, data processing, core platforms - you likely qualify.

Key Requirements

What Does CPS 230 Require from Material Service Providers?

CPS 230 places obligations on APRA-regulated entities to manage their material service provider arrangements. In practice, these requirements flow through to you as the service provider.

📝

Contractual Compliance

Written agreements must include provisions for service levels, notification obligations, confidentiality, and data handling aligned with APRA expectations.

🔄

Business Continuity

Documented and tested business continuity and disaster recovery plans that demonstrate your ability to maintain critical services during disruptions.

🔎

Access and Audit Rights

Contractual provisions granting APRA and the regulated entity the right to access your systems, data, and premises for supervisory and audit purposes.

🔔

Notification and Escalation

Defined procedures for notifying regulated clients of service disruptions, security incidents, and material changes that could affect critical operations.

🚪

Exit and Transition

Documented exit strategies and transition arrangements that enable the regulated entity to move services to an alternative provider without disruption.

📊

Ongoing Monitoring

Support for your regulated clients' obligation to monitor service provider performance, risk, and compliance on an ongoing basis.

How We Get You Ready

How Does CPS 230 Readiness Work?

Five phases. One accountable partner. We deliver the assessment, remediation, and documentation your regulated clients need to see.

Wk 1 - 2

Materiality and Scope Assessment

Determine which of your regulated client relationships fall under CPS 230 material service provider arrangements. Map your services to critical operations and establish the scope of compliance work required.

Clear picture of which arrangements need attention

Wk 2 - 3

Contractual Gap Analysis

Review existing service agreements against CPS 230 contractual requirements - notification obligations, access and audit rights, business continuity provisions, confidentiality, and exit arrangements.

Prioritised gap register, not a generic checklist

Wk 3 - 4

Business Continuity Review

Assess your business continuity and disaster recovery plans against what APRA-regulated entities will require from their material service providers. Identify gaps in testing, documentation, and recovery timeframes.

BCP and DRP aligned to APRA expectations

Wk 4 - 5

Remediation and Documentation

Close contractual gaps, update business continuity documentation, establish notification and escalation frameworks, and build the operational procedures your regulated clients need to see.

Compliant contracts and documented procedures

Wk 5 - 6

Readiness Evidence Pack

Prepare a structured evidence pack demonstrating CPS 230 readiness for your regulated clients' due diligence reviews. This gives your clients what they need to satisfy APRA's oversight requirements.

Evidence pack ready for client due diligence

Who We Help

Which Material Service Providers Need CPS 230 Readiness?

If you provide services that support a critical operation of an APRA-regulated entity, CPS 230 readiness is not optional - it's a condition of continued business.

Cloud and IT Infrastructure

Hosting, infrastructure, and IT services

You provide cloud hosting, IT infrastructure, or technology services to regulated entities. CPS 230 requires your clients to ensure service continuity and have audit access to your systems and operations.

Trigger: regulated client requesting CPS 230 compliance review

Payments and FinTech

Core platforms and payment processing

You process payments, provide core banking platforms, or deliver financial technology services. Your regulated clients must demonstrate that their critical operations are resilient - and that includes your services.

Trigger: contractual renegotiation citing APRA requirements

Managed Services

Outsourced operations and managed security

You provide managed security, data analytics, or outsourced business processes. If a disruption to your service would materially impact a regulated entity, CPS 230 applies to your arrangement.

Trigger: due diligence questionnaire referencing CPS 230

Common Questions

CPS 230 Readiness - Frequently Asked Questions

What is APRA CPS 230?

APRA CPS 230 (Prudential Standard CPS 230 - Operational Risk Management) is an Australian Prudential Regulation Authority standard that requires APRA-regulated entities to effectively manage operational risks, maintain business continuity, and manage material service provider arrangements. It became effective on 1 July 2025, with extended requirements for pre-existing material service provider contractual compliance by 1 July 2026.

What is a material service provider under CPS 230?

A material service provider is any third party that provides a service supporting a critical operation of an APRA-regulated entity, where a disruption could materially impact the entity's ability to meet its obligations. Common examples include cloud infrastructure providers, core banking platform vendors, payments processors, managed IT service providers, and data analytics providers. The regulated entity is responsible for classifying materiality.

What are the CPS 230 contractual requirements for 1 July 2026?

By 1 July 2026, all pre-existing material service provider arrangements must comply with CPS 230 contractual requirements. These include provisions for business continuity and disaster recovery, access and audit rights for APRA and the regulated entity, notification requirements for service disruptions, data handling and confidentiality protections, and defined exit and transition arrangements.

How does CPS 230 relate to CPS 234?

CPS 230 covers operational resilience and third-party risk management, while CPS 234 (Information Security) focuses on protecting information assets. They are complementary standards. CPS 234 requires entities to maintain information security capabilities, while CPS 230 ensures broader operational resilience including business continuity and service provider management. Material service providers often need to address requirements under both standards.

What happens if MSPs are not compliant by 1 July 2026?

APRA-regulated entities face supervisory action if their material service provider arrangements do not comply with CPS 230 by 1 July 2026. For service providers, non-compliance creates direct commercial risk. Regulated entities may need to renegotiate, restructure, or exit arrangements with providers who cannot demonstrate compliance, potentially resulting in lost contracts and revenue.

How can MSPs demonstrate CPS 230 readiness?

Material service providers can demonstrate CPS 230 readiness by completing a gap assessment against the contractual requirements, maintaining documented and tested business continuity and disaster recovery plans, establishing notification and escalation procedures, providing contractual provisions for audit and access rights, and preparing structured evidence packs for regulated entity due diligence reviews.