CPS 230 and the 1 July 2026 Deadline: Why a Compliant Register Won’t Be Enough
On 30 April 2026, APRA finalised the targeted amendments to CPS 230 Operational Risk Management. The amendments come into effect on 1 July 2026.
For most financial organisations, this closes a significant chapter in policy. Material Service Provider registers are largely populated. Contract remediation programs have been running for months. Many organisations consider themselves ready.
But that confidence may be misplaced.
The 30 April announcement was not the only signal APRA released that day. On the same date, the regulator issued its Letter to Industry on Artificial Intelligence, warning that governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed and complexity of modern technology deployment.
Read together, these two announcements describe a regulator whose expectations have moved well beyond contracts and registers. CPS 230 is no longer about whether you have signed agreements with material service providers, but whether you can demonstrate, in operational data, that those agreements are working.
What actually changed in the final CPS 230 amendments
The final amendments are narrow in scope. APRA has introduced a limited exemption from specific contractual requirements for material arrangements with certain categories of Non-Traditional Service Providers.
These include central banks, clearing and settlement facilities, financial market exchanges, payment system operators, financial messaging infrastructures, regulators and government agencies.
The exemption applies only where two conditions are met. The arrangement must be with a provider in one of the listed categories and must use standardised terms or be documented in a formal agreement.
Critically, the exemption is targeted. It removes only the specific contractual obligations identified in the standard. Every other CPS 230 requirement continues to apply, including the broader obligations around operational risk management, business continuity, due diligence and incident response.
APRA has been explicit that the amendments do not reduce the expectation that regulated entities actively manage the operational risks arising from reliance on these service providers.
The regulator has also signalled its intent over the longer term. APRA expects the scope of exemptions to narrow rather than expand as operational resilience practices mature.
For boards, the practical message is straightforward. The amendments resolve a small set of contracting challenges. They do not soften the regulator’s overall position.
The bigger signal: a shift from compliance to assurance
The companion AI letter is, for many entities, the more consequential document.
APRA’s targeted supervisory review found that AI adoption is accelerating across all regulated industries, with use cases moving from experimentation to operationally embedded, customer-facing applications.
Governance has not matured at the same pace. Many boards lack the technical literacy required to challenge management effectively on AI-related risks.
Concentration risk is rising as entities rely heavily on a single provider for multiple AI use cases. AI functionality is increasingly embedded within broader software platforms, limiting transparency into where and how models are trained, updated, and constrained.
Existing change and assurance management approaches, APRA noted, are often fragmented and may not provide sufficient assurance.
Underlying all of this is a single point that should focus every senior leader’s attention. APRA has stated that it expects “a significant improvement in how entities are closing the gaps between the power of the technology they are using and their ability to monitor and control it.”
Translated into board language, the question is no longer whether the contract was signed. It is whether the operational data can prove the service is working as promised.
Why a static Material Service Provider register will not pass scrutiny
Many organisations approaching the 1 July deadline have built their CPS 230 response around the Material Service Provider register. The register lists providers, their material services, and the contractual provisions in place. It is the visible artefact of compliance.
A register, however, is a snapshot. It tells the board which arrangements are in place on a given day. It does not tell the board whether those arrangements are performing against the tolerance levels they were designed to protect.
It does not capture the live operational data that demonstrates resilience. It does not link service events back to contractual obligations in real time.
This is precisely the gap APRA is now scrutinising. Under the regulator’s intensified supervisory approach, the question is no longer whether a register exists, but what the register tells the board about service performance and how quickly it does so.
If the answer is that the register is reviewed quarterly and updated only when contracts change, the board lacks meaningful operational oversight. It has a record-keeping system.
Three priorities for boards before 1 July 2026
The shift in APRA’s expectations can be reduced to three practical priorities for organisations in the months ahead.
1. From static register to living assurance
The Material Service Provider register needs to be more than a list. It must connect to live operational data so boards can see whether providers are performing inside their tolerance levels, before a breach becomes an incident. Performance drift should be visible early, not reconstructed afterwards.
2. Translating complexity into board-level visibility
As supply chains adopt AI and increasingly embedded technology, the oversight gap APRA has identified will widen unless boards can see technical risk in operational terms. Senior leaders do not need access to raw telemetry. They need a translation layer that turns provider activity into clear contractual and regulatory accountability.
3. Owning the resilience of the ecosystem
APRA has signalled a clear intent to pursue formal enforcement where risk management is inadequate. Demonstrating ownership means more than naming an accountable executive. It means having evidence to show, at any moment, that the obligations associated with each material arrangement are being met.
How Ikara helps regulated organisations meet the new standard
Ikara is built for exactly this regulatory environment. Our platform connects commercial agreements with the operational data that proves those agreements are working, giving boards, executives and risk teams a single, shared view of supplier performance and compliance across the digital supply chain.
For organisations preparing for the 1 July 2026 CPS 230 deadline, this delivers three practical capabilities.
The Material Service Provider register becomes a live oversight tool rather than a static document. Performance against tolerance levels is continuously visible, with drift surfacing before it becomes a reportable event.
Operational events are directly linked to contractual and regulatory obligations, ensuring clear, continuous accountability across multiple suppliers. You can see which obligations are being met, which are at risk, and where ownership sits.
Evidence is captured as it happens, not reconstructed afterwards. When supervisors, auditors or boards ask whether the organisation can demonstrate compliance with CPS 230, the answer is supported by operational data rather than narrative.
We integrate with the systems that you already use, including Cisco, Microsoft, ServiceNow, Tenable, and Fortinet, and align with the frameworks that supervisors now expect: CPS 230, the ACSC Essential Eight, NIST, and ISO 27001.
For government agencies and large enterprise organisations that closely monitor the financial sector, the same architecture applies.
The regulatory direction APRA has set is not unique to finance. Operational resilience, third-party assurance and demonstrable accountability are becoming the standard across every sector that depends on a complex digital supply chain.
The deadline is closer than it looks
The CPS 230 amendments come into effect on 1 July 2026. Intensified supervisory activity will follow.
Organisations whose CPS 230 response stops at signed contracts and a populated register are exposed. Those whose response extends into continuous, evidence-based operational oversight will be in a materially stronger position when APRA’s supervisory approach reaches their door.
For organisations, the practical question is no longer whether the contracts are in order. It is whether the organisation can prove, in live operational data, that the obligations within those contracts are being met.
Sources
Final targeted amendments to CPS 230 Operational Risk Management
APRA calls for a step-change in AI-related risk management and governance
APRA Corporate Plan 2025-26 – Accessible infographics
CPS 230 compliance countdown: Material Service Providers and what must be fixed before 1 July 2026