Most of the commentary on CPS 230 has focused on the regulated entity - the bank, insurer, or superannuation fund that APRA supervises directly. That makes sense. But if you are a technology provider, data processor, or operational service company supplying services to an APRA-regulated organisation, CPS 230 applies to you too. Not through APRA directly - but through the contract you are about to sign, renegotiate, or be asked to demonstrate compliance with.
The 1 July 2026 deadline marks the end of APRA's transitional period for material service provider (MSP) contractual obligations under CPS 230. From that date, every APRA-regulated entity must have enforceable written agreements in place with their material service providers - covering notification requirements, business continuity obligations, access and audit rights, and documented exit strategies.
If you are the MSP on the other side of that contract, the question is whether you are ready.
APRA released final targeted amendments to CPS 230 on 30 April 2026, providing additional clarity on MSP classification, notification timelines, and what direct access rights APRA can exercise during supervisory reviews. Those amendments reinforce one thing: the 1 July deadline is firm, and the obligations on the supply side are real.
This guide covers what regulated entities and their MSPs need to have in place - and gives both sides a practical checklist to work from.
What CPS 230 Phase 2 Actually Requires
CPS 230 - Operational Risk Management - became effective on 1 July 2025. The core standard placed immediate obligations on APRA-regulated entities around operational risk management, critical operations, and business continuity. The transitional period for material service provider contractual requirements extended that timeline to 1 July 2026.
From 1 July 2026, APRA-regulated entities must have written agreements in place with all classified material service providers that include, at minimum:
- Notification obligations - defined timelines for informing the regulated entity of disruptions, security incidents, and material changes to the MSP's own operations or risk posture
- Business continuity requirements - documented obligations for the MSP to maintain and test a business continuity plan that supports the regulated entity's recovery objectives
- Audit and access rights - explicit contractual rights for the regulated entity (and APRA itself) to audit the MSP, access records, and conduct supervisory reviews
- Exit and transition arrangements - documented plans for the regulated entity to exit the arrangement or transition to an alternative provider without unacceptable disruption to critical operations
APRA's April 2026 amendments added specificity around notification timelines - with the expectation that regulated entities receive prompt notification (ideally within hours, not days) of any disruption affecting a critical operation - and strengthened the language around APRA's direct access rights to MSP systems during supervisory reviews.
Are You a Material Service Provider?
CPS 230 definition: A material service provider is a third party that provides a service that, if disrupted, would have a significant impact on a regulated entity's ability to conduct a critical operation or meet its obligations to depositors, policyholders, or beneficiaries.
The regulated entity is responsible for classifying its service providers. But if your services support anything considered a critical function - core banking, payments processing, data storage, claims management, fund administration - you are almost certainly classified as material.
In practice, we are seeing three categories of technology companies getting caught off guard by CPS 230 MSP requirements:
- Cloud infrastructure and SaaS providers who assumed their standard contract terms were sufficient and are now receiving detailed compliance requests from clients in financial services
- IT managed service providers who provide network, endpoint, or cloud management to APRA-regulated clients and have not previously been subject to regulatory compliance requirements
- Data and analytics firms supplying insights, reporting, or processing services to funds, banks, or insurers - often without realising the operational criticality of what they provide
If you have a client in financial services, insurance, or superannuation and they have not yet raised CPS 230 with you, expect that conversation to arrive before June. The question to ask yourself now is: if they send a compliance questionnaire tomorrow, are you ready to respond?
The MSP Readiness Checklist
Here is a practical, area-by-area checklist for technology and operational service providers supplying APRA-regulated clients. This mirrors what your regulated clients will be asking you to demonstrate before 1 July 2026.
1. Contract Review and Preparation
- Review all service agreements with APRA-regulated clients. Identify which contracts need to be updated or replaced with CPS 230-compliant terms before the deadline.
- Engage legal counsel familiar with APRA requirements to review or draft clauses covering notification, BCP, audit rights, and exit arrangements.
- Proactively contact regulated clients to confirm their MSP classification for your services and what contract updates they require. Do not wait for them to chase you.
- Document your position on audit and access rights - including what APRA direct access looks like in practice for your operating model.
- Agree and document exit and transition timelines that are realistic for your service type, and ensure these are reflected in contract terms.
2. Business Continuity Planning
- Produce or update a written Business Continuity Plan (BCP) that addresses disruption scenarios relevant to the services you provide to regulated clients.
- Define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that align to what your clients' critical operations require - not just what is convenient for your infrastructure team.
- Test your BCP annually at minimum and retain test evidence. Regulated clients will ask for this. Untested plans are not accepted as evidence of capability.
- Map dependencies - including your own upstream suppliers and subcontractors - that could affect your ability to deliver services during a disruption.
- Ensure your BCP covers your own fourth-party risk - if you rely on a cloud provider, what is your continuity position if that provider experiences an outage?
3. Incident Notification Obligations
- Define what constitutes a notifiable incident from your perspective - including security events, service disruptions, data breaches, and material changes to your own risk posture.
- Establish internal escalation paths that can produce a client notification within the timeframes your contracts will require. For critical disruptions, APRA expects prompt notification - build the process before the incident, not during it.
- Maintain a contact register for each regulated client with the right escalation contacts for incident notification - not just the account manager.
- Draft notification templates for different incident types so the first notification goes out quickly and with the right level of detail.
- Include subcontractor and supply chain incidents in your notification scope. If a key vendor you rely on has an incident that affects your service delivery, that is a notifiable event.
4. Audit and Access Rights Readiness
- Understand what audit rights your clients will require - including the right for APRA to conduct direct reviews of your systems during a supervisory visit. This is now in the standard.
- Maintain an audit-ready evidence pack - policies, control documentation, test results, and certification evidence - so you can respond to audit requests without disrupting operations.
- If you hold ISO 27001 certification or are pursuing it, make this a central part of your CPS 230 readiness response. It demonstrates that your security management system has been independently verified.
- Document and review subcontractor and fourth-party arrangements. Your regulated clients will ask whether you have assurance over the suppliers you rely on to deliver their services.
- Establish a clear process for responding to audit requests, including who is responsible, what records are accessible, and how confidentiality obligations are managed alongside access rights.
5. Exit and Transition Planning
- Document an exit strategy for each regulated client relationship. This should cover: transition timelines, knowledge transfer obligations, data return or destruction procedures, and handover to an alternative provider.
- Ensure your systems and processes support clean data portability. Regulated clients need to be able to exit cleanly. If your platform creates lock-in that would make exit costly or complex, that is a risk your clients must document - and it may affect whether they can continue the relationship.
- Agree on exit notice periods that balance commercial interests with what is operationally safe. Twelve weeks is a common baseline for technology services supporting critical operations; some arrangements require longer.
- Include exit planning in client relationship reviews, not just as a contract clause. Clients need to believe the plan is real and executable - not just a box ticked in procurement.
What APRA-Regulated Entities Need to Do on Their Side
If you are the regulated entity, your obligations are clear: classify your service providers, update contracts, and ensure your MSPs have the capability to meet what those contracts require.
In practice, many organisations approaching the 1 July deadline have completed the classification exercise and are now in the middle of contract renegotiations. The more common gap we see is on the assurance side - regulated entities have accepted representations from MSPs without verifying whether the underlying capability exists. A BCP that has never been tested is not a BCP. Audit rights that have never been exercised are not reliable.
The recommended approach is to prioritise your tier-one MSPs - those supporting the most critical operations - and conduct a proportionate due diligence review of their readiness before the contracts are signed. An MSP that cannot answer basic questions about their BCP, their incident notification process, or their exit capability is a risk that needs to be managed, not just contractually papered over.
Key deadline: 1 July 2026 is the end of the transitional period for material service provider contractual requirements under CPS 230. Regulated entities that have not completed contract updates by this date will be in breach of the standard. APRA has signalled it will be actively reviewing compliance with MSP obligations as part of its supervision program in the second half of 2026.
Why Most MSPs Need a Fractional CISO - Not Just a Lawyer
The CPS 230 MSP challenge has two distinct components, and they are easy to confuse.
The first is legal - getting the contract terms right. That needs a lawyer who understands APRA obligations. But getting the contract signed is not the same as having the capability the contract describes.
The second is operational security and governance - building and documenting the BCP, the incident response process, the audit evidence pack, and the exit strategy so they are real and defensible, not just paper representations.
That second component is where most MSPs are underinvested. They have IT managers and lawyers. They do not have security leadership that understands how to translate regulatory requirements into documented, tested, auditable programs.
A fractional CISO - working one or two days per week across a 12 to 16 week engagement - can close that gap. The deliverables are concrete: a BCP that has been tested, an incident notification process that has been documented and rehearsed, an evidence pack that survives an audit, and a security roadmap that positions the MSP for the ongoing assurance obligations CPS 230 creates.
At Logic Weave, we have worked with technology suppliers on exactly this - building the governance and operational resilience capability that their regulated clients now require. The engagement model is the same as our ISO 27001 and GRC work: we own the outcome, not just the advice. If your regulated client sends a CPS 230 compliance questionnaire after the engagement, you should be able to answer every question with evidence, not just assertions.
The practical reality: Most MSPs supplying APRA-regulated clients have 30 days or less to get compliant contracts in place. The contract is the easy part - the harder work is building the operational capability behind it. If you have not started, start this week. A fractional CISO engagement can be mobilised in days, not months, and the first deliverable - a gap assessment against CPS 230 MSP requirements - gives you a clear picture of where you stand.
Frequently Asked Questions
What is CPS 230 and when does it apply?
APRA Prudential Standard CPS 230 - Operational Risk Management - applies to authorised deposit-taking institutions, general insurers, life insurers, and registrable superannuation entity licensees. It became effective on 1 July 2025, with a transition period for material service provider contractual obligations running to 1 July 2026. APRA released final targeted amendments on 30 April 2026 that clarified MSP obligations and APRA's direct access rights during supervisory reviews.
What is a material service provider under CPS 230?
A material service provider is a third party whose services, if disrupted, would have a significant impact on a regulated entity's ability to operate a critical function or meet its obligations. The regulated entity makes the classification decision - but if you supply IT, data, payments, or operational services to a bank, insurer, or super fund, you are very likely classified as material. The 30 April 2026 amendments provided additional guidance on what constitutes a critical operation for classification purposes.
What does CPS 230 actually require from MSPs directly?
CPS 230 does not impose direct obligations on MSPs - APRA only supervises the regulated entities. But the standard requires regulated entities to impose specific obligations on their MSPs through contract. In practice, that means your APRA-regulated clients will require you to: maintain and test a BCP, notify them promptly of disruptions and incidents, accept audit and access rights (including APRA's right to conduct reviews), and document a workable exit and transition plan. If you cannot contractually commit to these, you are at risk of being removed from the approved supplier list.
How does ISO 27001 certification help with CPS 230 compliance?
ISO 27001 is not a direct substitute for CPS 230 compliance, but it significantly accelerates the assurance journey. An ISO 27001-certified MSP has already built the documented security management system, risk register, policy framework, and audit evidence that CPS 230 assurance requirements call for. The BCP, supplier management, and incident management controls required under ISO 27001 Annex A map directly to CPS 230 MSP obligations. For an MSP serious about supplying regulated clients over the long term, ISO 27001 certification is the most commercially durable way to demonstrate ongoing operational resilience.