
CPS 230 Compliance: 21 Days to Go and What You Need to Know

Written by Insicon | 10/06/25 12:37 AM

With just 21 days until July 1, 2025, the clock is ticking on CPS 230 compliance. If you're an APRA-regulated entity, this deadline isn't negotiable - and there's no more time for delays. Here's your final countdown guide to getting across the line.

The Reality Check: July 1, 2025 is ALMOST Here

Every APRA-regulated entity must be fully compliant by July 1, 2025. This includes banks, insurers, super funds, and private health insurers. If you're reading this in June 2025 and still scrambling to get ready, you're in crisis mode - but it's not too late if you act immediately.

What Must Be Done by July 1

Your organisation needs these critical elements in place:

  • Board-approved risk appetite for all critical operations
  • Robust business continuity plans that have been tested
  • Effective oversight of your material service providers
  • 72-hour incident notification procedures to APRA
  • Documentation of all critical operations and controls

The Service Provider Scramble

Many organisations underestimated the service provider challenge. If you haven't completed this yet, prioritise immediately:

  • New contracts: Must comply from July 1, 2025
  • Existing contracts: You have until renewal or July 1, 2026
  • Material Service Provider Register: Due October 1, 2025 (first submission)

The good news? You have a few extra months for existing contract renegotiations if they're not up for renewal.

How CPS 230 Works with CPS 234

If you're already dealing with APRA's cybersecurity requirements under CPS 234 (Information Security), you'll find significant overlap with CPS 230. Here's how they work together:

  • CPS 234 Focus: Information security, cyber risk management, and data protection
  • CPS 230 Focus: Broader operational resilience, business continuity, and service provider management

The Integration Opportunity: Organisations should develop a cohesive risk management framework that integrates both operational resilience and information security. Your CPS 234 cybersecurity controls can support your CPS 230 operational risk framework.

Shared Elements:

  • Third-party risk management (critical for both standards)
  • Incident response and notification requirements
  • Board-level governance and accountability
  • Risk assessment and control frameworks
  • Regular testing and validation

Key Difference: CPS 234 applies to all APRA-regulated entities for information security, while CPS 230 focuses on operational resilience. CPS 234 has been in effect since July 2019, so if you're compliant there, you have a head start on CPS 230.

Relief for Smaller Institutions

Non-Significant Financial Institutions (non-SFIs) got some breathing room:

  • Business continuity planning requirements extended to July 1, 2026
  • Core operational risk management still due July 1, 2025
  • Scenario analysis requirements also extended to 2026

But don't mistake this for a free pass - the main framework still applies.

Final Sprint Actions

If you're behind schedule, focus on these essentials:

This Week (Mid-June 2025):

  • Emergency board meeting for final approvals
  • Complete critical operations mapping
  • Finalise incident response procedures

By June 25:

  • Staff training on new procedures
  • Final compliance documentation
  • Test your 72-hour notification process

By June 30:

  • Final compliance checks
  • Prepare for APRA oversight
  • Document your implementation

What Happens After July 1?

APRA has a three-year supervision program planned:

  1. 2025-2026: Focused compliance reviews
  2. 2026-2027: Broader assessments with enhanced supervision for non-compliant entities
  3. 2027-2028: Move to business-as-usual oversight

There's also discussion of a formal reporting standard emerging by 2028, which could mean regular compliance reporting rather than just incident notifications.

The CPS 234 Integration Advantage

If you're already CPS 234 compliant, leverage that foundation:

  • Your existing cybersecurity governance can support operational risk oversight
  • Third-party security assessments align with material service provider reviews
  • Information security incident procedures can integrate with operational incident response
  • Regular training and awareness programs for staff play a critical role in both operational resilience and information security

No More Extensions

APRA has been crystal clear: July 1, 2025 is final. They've already extended the deadline once from the original 2024 date. Industry requests for further extensions throughout 2024 and early 2025 have been consistently rejected.

The Bottom Line

With 21 days to go, this is your final sprint. CPS 230 isn't just about regulatory compliance - it's about making your organisation more resilient. If you're already meeting CPS 234 requirements, you have foundational elements in place that can support your CPS 230 implementation.

The integration of CPS 230 and CPS 234 creates a comprehensive operational and cyber resilience framework. Done right, these standards work together to strengthen your entire risk management approach.

July 1, 2025 is not moving. Make these 21 days count.

Need help with last-minute compliance? Contact Insicon - but remember, the clock is ticking, and preparation time is almost over.