CPS 230 commenced on 1 July 2025. The transitional grace for pre-existing service provider contracts runs out on the earlier of the next renewal date or 1 July 2026.
That second date is now weeks away.
So the question has moved from "what does the standard say" to "what must we be able to show APRA we operate." Those are different questions. The first is a reading exercise. The second is an evidence exercise, and it is the one the first full-cycle reviews will test.
This is a control-level walk through what APRA CPS 230 actually binds, how the material service provider register works, and why the register is the artefact most entities are still treating as an annual filing rather than a live state.
Who does APRA CPS 230 actually bind — and where do material service providers sit in scope?
CPS 230 applies to all APRA-regulated entities. The standard names them: authorised deposit-taking institutions including foreign ADIs and authorised banking NOHCs; general insurers including Category C insurers; life companies including friendly societies and eligible foreign life insurance companies; private health insurers registered under the PHIPS Act; and registrable superannuation entity licensees under the SIS Act.
For a foreign ADI, a Category C insurer, and an EFLIC, the obligations apply only to Australian branch operations.
Where an APRA-regulated entity is the Head of a group, the standard must be complied with in its own capacity, applied appropriately throughout the group including non-regulated entities, and on a group basis. That last clause matters. References to "an APRA-regulated entity" are read as "Head of a group" and "entity" as "group." Operational resilience is assessed at the consolidated level, not entity by entity.
Material service providers do not "fall under" CPS 230 directly. APRA does not regulate them. The standard binds the regulated entity to manage them. The entity remains accountable for meeting its prudential obligations in full; it cannot rely on a service provider unless it can ensure it continues to meet those obligations and effectively manage the associated risks.
That is the design principle to hold onto. Outsourcing the operation never outsources the accountability.
What counts as a material service provider, and how do you build the register APRA will examine?
A material service provider is one the entity relies on to undertake a critical operation, or that exposes it to material operational risk. Materiality can arise from a single arrangement or from multiple arrangements in aggregate, and a material service provider may be a third party, a related party, or a connected entity.
CPS 230 requires the entity to identify and maintain a register of its material service providers and to manage the material risks of using them. The register is submitted to APRA on an annual basis.
The standard sets a floor. Unless the entity can justify otherwise, certain providers must be classified as material:
- For an ADI: credit assessment, funding and liquidity management, and mortgage brokerage.
- For an insurer (general, life, private health): underwriting, claims management, insurance brokerage, and reinsurance.
- For an RSE licensee: fund administration, custodial services, investment management, and arrangements with promoters and financial planners.
- For all APRA-regulated entities: risk management, core technology services, and internal audit.
APRA may also require an entity, or a class of entities, to classify a particular service, provider, or arrangement as material.
The register cannot stop at the immediate provider. The service provider management policy must address the risks associated with fourth parties — the parties a material service provider itself relies on to deliver a critical operation. Your concentration risk does not live only in your direct contracts. It lives in the cloud region your three "independent" administrators all run on.
This is third-party risk modelled as a dependency graph, not a vendor list. Building it once is straightforward. Keeping it accurate as contracts renew, services get re-scoped, and providers change their own subcontractors is where most registers decay.
How do you set and defend operational-risk tolerances rather than just document them?
CPS 230 frames operational risk management around a defined risk appetite supported by indicators, limits, and tolerance levels. As part of the risk management framework required under CPS 220 and SPS 220, the entity must develop governance for operational risk oversight, an assessment of its operational risk profile, internal controls designed and operating effectively, monitoring and escalation, business continuity plans, and processes for managing service provider arrangements.
The full range of operational risk is in scope: legal, regulatory, compliance, conduct, technology, data, and change management risk. Senior management is responsible across the end-to-end process for all business operations.
The defensibility gap shows up here. A risk appetite statement that recites the risk categories is documentation. A defensible tolerance is one tied to a specific critical operation, expressed as a measurable limit, monitored against live indicators, and escalated when breached.
The standard requires the entity to monitor compliance with its tolerance levels and to report any failure to meet them, together with a remediation plan, to the Board. A tolerance you do not measure cannot be breached on paper, which is exactly why a reviewer will ask for the breach log before the policy.
The Board approves the BCP and the tolerance levels for disruptions to critical operations, reviews testing results, and oversees execution of findings. Accountability sits at the top by design.
What does critical-operations identification and tolerable disruption look like in practice?
Critical operations are processes undertaken by the entity or its service provider which, if disrupted beyond tolerance levels, would have a material adverse impact on depositors, policyholders, beneficiaries, or other customers, or on the entity's role in the financial system.
The standard mandates a minimum set, classified as critical unless the entity can justify otherwise:
- For an ADI: payments, deposit-taking and management, custody, settlements, and clearing.
- For an insurer: claims processing.
- For an RSE licensee: investment management and fund administration.
- For all entities: customer enquiries and the systems and infrastructure that support critical operations.
APRA can require an entity, or a class of entities, to classify a business operation as critical.
For each critical operation, the entity must establish tolerance levels across three dimensions:
- The maximum period of time it would tolerate a disruption.
- The maximum extent of data loss it would accept.
- The minimum service levels it would maintain while operating under alternative arrangements during a disruption.
That triad is the operational definition of tolerable disruption. It is not a single RTO number. It is time, data, and degraded-service floor, set per critical operation and approved by the Board.
The entity must define and maintain a register of critical operations, take reasonable steps to minimise the likelihood and impact of disruptions, maintain a credible BCP that holds critical operations within tolerance through disruptions including disaster recovery for critical information assets, activate the plan when needed, and return to normal operations promptly.
The notification clocks are where this becomes concrete:
- An operational risk incident likely to have a material financial impact or a material impact on the ability to maintain critical operations: notify APRA as soon as possible and not later than 72 hours.
- A disruption to a critical operation outside tolerance: notify APRA as soon as possible and not later than 24 hours, covering the nature of the disruption, action taken, likely impact, and the timeframe for return to normal.
The 24-hour clock is the tighter one, and it is the one that depends on having defined tolerances in the first place. You cannot recognise an out-of-tolerance event if you never set the tolerance.
What will the first full-cycle compliance reviews landing in 2026 actually test?
The reviews will not test whether you have a policy. They will test whether the artefacts the standard requires are real, current, and consistent with each other.
Expect the examination to follow the dependency chain the standard builds:
The register of critical operations and associated tolerance levels is required to be inside the BCP itself. A reviewer will check that the operations classified as critical match the mandated minimum set, that each has the three tolerance dimensions populated, and that the tolerances are the ones the Board approved — not a later, quieter revision.
The testing program must cover all critical operations and include an annual business continuity exercise, tailored to the entity's material risks, using a range of severe but plausible scenarios. Critically, those scenarios must include disruptions to services provided by material service providers and scenarios requiring contingency arrangements. APRA may require a specific scenario to be included. The BCP must be updated at least annually, and the internal audit function must provide assurance to the Board that the plan is credible and that testing has been conducted satisfactorily.
For service providers, internal audit must review any proposed material arrangement involving the outsourcing of a critical operation and report regularly to the Board or Board Audit Committee on compliance with the service provider management policy.
The reviewer's leverage is cross-consistency. The critical-operations register, the material service provider register, the tolerance levels, the test scenarios, and the breach log should all reference the same operations and the same dependencies. When the BCP names a critical operation that does not appear in the test scenario set, or a material provider whose disruption was never tested, that is the finding.
This is the practical reason the registers cannot live as disconnected spreadsheets. The review tests the joins.
How does CPS 230 compare to DORA, and what can multi-jurisdiction finservs reuse?
CPS 230 is an APRA prudential standard for Australia, in force since 1 July 2025. DORA is an EU regulation with its own scope, timelines, and supervisory architecture. They are not the same instrument and should never be cited interchangeably. But for a finserv operating in both, the structural overlap is real enough to reuse the work.
Both are built on the same backbone: identify the operations that matter, set the resilience expectations for them, manage the third parties they depend on, test under severe scenarios, and notify the supervisor on a clock.
CPS 230's critical-operations-and-tolerance-levels model is conceptually close to DORA's critical-or-important-functions framing. CPS 230's material service provider register, with its fourth-party reach, parallels DORA's register of information on ICT third-party arrangements. CPS 230's 72-hour operational-incident notification and 24-hour out-of-tolerance notification sit alongside DORA's major-incident reporting cadence.
The reusable layer is the underlying facts: which operations are critical, which providers are material, what the dependency graph looks like, where data is held, and what the tolerances are. Those facts do not change per jurisdiction. What changes is which obligation each fact answers and which supervisor's threshold and timeline it must meet.
That is the case for modelling resilience facts once and mapping them to obligations, rather than maintaining one resilience program per regulator. Answer once, assess everything.
Why is the material service-provider register a standing query, not an annual project?
CPS 230 requires the register to be submitted annually. That cadence is the filing requirement. It is not the operating requirement.
The standard's surrounding obligations are continuous, not annual. The entity must notify APRA within 20 business days of entering into or materially changing an agreement for a service it relies on to undertake a critical operation. It must notify APRA before entering into any material offshoring arrangement, or when a significant change is proposed, including where data or personnel relevant to the service will be located offshore. It must monitor material arrangements and ensure senior management receives reporting on performance against service levels, control effectiveness, and both parties' compliance with the agreement.
None of that runs on an annual clock. A provider that becomes material mid-year, a subcontractor change that introduces concentration, an offshoring shift that moves data — each is a state change the entity is obligated to act on when it happens.
If the register is a document refreshed once a year, every one of those events lives outside it until the next refresh. The annual submission then reflects a state that was already stale when it was filed.
The register only does its job if it is the live answer to a standing question: who do we materially rely on, for which critical operation, through which fourth parties, under what tolerances, right now. Built that way, the annual submission is a snapshot of a continuously maintained truth. Built as a project, it is a reconstruction exercise every twelve months — and the reconstruction is where the gaps hide.
This is the same structural point across the standard. The critical-operations register, the tolerance levels, the breach log, and the service provider register are not deliverables. They are state. The review tests the state, and the state has to be current the day the reviewer arrives, not the day you last filed.
See how aegis-grc.com turns your CPS 230 material service-provider register into a standing query instead of an annual scramble — answer once, assess everything. → agrc.ai
Related reading: operational resilience, third-party risk, financial services.
FAQ: CPS 230 scope, deadlines, and service-provider obligations
When did CPS 230 commence, and what is the deadline for existing contracts? CPS 230 commenced on 1 July 2025. For pre-existing contractual arrangements with a service provider, the requirements apply from the earlier of the contract's next renewal date or 1 July 2026.
Who does CPS 230 apply to? All APRA-regulated entities: ADIs including foreign ADIs and authorised banking NOHCs, general insurers including Category C insurers, life companies including friendly societies and EFLICs, private health insurers, and RSE licensees. For foreign ADIs, Category C insurers, and EFLICs, the obligations apply only to Australian branch operations. Where an entity is the Head of a group, the standard applies on a group basis.
What makes a service provider "material"? A provider the entity relies on to undertake a critical operation, or that exposes it to material operational risk. Materiality can arise from one arrangement or several in aggregate, and the provider may be a third party, related party, or connected entity. CPS 230 also sets a minimum list of services that must be classified as material unless the entity can justify otherwise.
What are the notification timelines? An operational risk incident with likely material financial or critical-operations impact: no later than 72 hours. A disruption to a critical operation outside tolerance: no later than 24 hours. Entering or materially changing an agreement for a service supporting a critical operation: within 20 business days. A material offshoring arrangement: prior to entering it.
What tolerance levels must be set for each critical operation? Three: the maximum period of disruption the entity would tolerate, the maximum extent of data loss it would accept, and the minimum service levels it would maintain under alternative arrangements during a disruption.
Does the register cover fourth parties? Yes. The service provider management policy must address the risks associated with fourth parties — the parties a material service provider relies on to deliver a critical operation to the entity.


