# CPS 230 Compliance: 21 Days to Go and What You Need to Know

Author: Insicon Cyber
Published: June 10, 2025
Source: https://insiconcyber.com/blog/cps-230-compliance

With just 21 days until July 1, 2025, the clock is ticking on CPS 230 compliance. If you're an APRA-regulated entity, this deadline isn't negotiable - and there's no more time for delays. Here's your final countdown guide to getting across the line.

## The Reality Check: July 1, 2025 is ALMOST Here

Every APRA-regulated entity must be fully compliant by July 1, 2025. This includes banks, insurers, super funds, and private health insurers. If you're reading this in June 2025 and still scrambling to get ready, you're in crisis mode - but it's not too late if you act immediately.

## What Must Be Done by July 1

Your organisation needs these critical elements in place:

* Board-approved risk appetite for all critical operations
* Robust business continuity plans that have been tested
* Effective oversight of your material service providers
* 72-hour incident notification procedures to APRA
* Documentation of all critical operations and controls

## The Service Provider Scramble

Many organisations underestimated the service provider challenge.
If you haven't completed this yet, prioritise immediately:

* New contracts: Must comply from July 1, 2025
* Existing contracts: You have until renewal or July 1, 2026
* Material Service Provider Register: Due October 1, 2025 (first submission)

The good news? You have a few extra months for existing contract renegotiations if they're not up for renewal.

## How CPS 230 Works with CPS 234

If you're already dealing with APRA's cybersecurity requirements under CPS 234 (Information Security), you'll find significant overlap with CPS 230. Here's how they work together:

* CPS 234 Focus: Information security, cyber risk management, and data protection
* CPS 230 Focus: Broader operational resilience, business continuity, and service provider management

The Integration Opportunity: Organisations should develop a cohesive risk management framework that integrates both operational resilience and information security. Your CPS 234 cybersecurity controls can support your CPS 230 operational risk framework.

* Third-party risk management (critical for both standards)
* Incident response and notification requirements
* Board-level governance and accountability
* Risk assessment and control frameworks
* Regular testing and validation

Key Difference: CPS 234 applies to all APRA-regulated entities for information security, while CPS 230 focuses on operational resilience. CPS 234 has been in effect since July 2019, so if you're compliant there, you have a head start on CPS 230.

## Relief for Smaller Institutions

Non-Significant Financial Institutions (non-SFIs) got some breathing room:

* Business continuity planning requirements extended to July 1, 2026
* Core operational risk management still due July 1, 2025
* Scenario analysis requirements also extended to 2026

But don't mistake this for a free pass - the main framework still applies.

## Final Sprint Actions

If you're behind schedule, focus on these essentials:

This Week (Mid-June 2025):

* Emergency board meeting for final approvals
* Complete critical operations mapping
* Finalize incident response procedures
* Staff training on new procedures
* Final compliance documentation
* Test your 72-hour notification process
* Final compliance checks
* Prepare for APRA oversight
* Document your implementation

## What Happens After July 1?

APRA has a three-year supervision program planned:

* 2025-2026: Focused compliance reviews
* 2026-2027: Broader assessments with enhanced supervision for non-compliant entities
* 2027-2028: Move to business-as-usual oversight

There's also discussion of a formal reporting standard emerging by 2028, which could mean regular compliance reporting rather than just incident notifications.

## The CPS 234 Integration Advantage

If you're already CPS 234 compliant, leverage that foundation:

* Your existing cybersecurity governance can support operational risk oversight
* Third-party security assessments align with material service provider reviews
* Information security incident procedures can integrate with operational incident response
* Regular training and awareness programs for staff play a critical role in both operational resilience and information security

## No More Extensions

APRA has been crystal clear: July 1, 2025 is final. They've already extended the deadline once from the original 2024 date. Industry requests for further extensions throughout 2024 and early 2025 have been consistently rejected.

## The Bottom Line

With 21 days to go, this is your final sprint. CPS 230 isn't just about regulatory compliance - it's about making your organisation more resilient. If you're already meeting CPS 234 requirements, you have foundational elements in place that can support your CPS 230 implementation.

The integration of CPS 230 and CPS 234 creates a comprehensive operational and cyber resilience framework.
Done right, these standards work together to strengthen your entire risk management approach.

July 1, 2025 is not moving. Make these 21 days count.

Need help with last-minute compliance? Contact Insicon - but remember, the clock is ticking, and preparation time is almost over.