JULY 8, 2026
6 MIN READ

Drata Now Supports APRA CPS 230: Built for Both Sides of the Relationship

Drata Now Supports APRA CPS 230: Built for Both Sides of the Relationship
Image
Max DePina
Senior Audit Alliance Manager for APAC
Drata's APRA CPS 230 framework is purpose-built for regulated entities and material service providers. Here's what's live and why the July 2026 deadline was only the beginning of CPS 230.

APRA's Prudential Standard CPS 230 came into force on July 1st, 2025. 

As of 1 July 2026, pre-existing service provider contracts must be uplifted to meet CPS 230, and the deferred business continuity requirements now apply to non-significant financial institutions.. Organizations that haven't started are already behind — and for most, the honest answer to "are we ready?" exposes a familiar set of problems: risk programs running separately from business continuity, third-party contracts that haven't been uplifted, and no single source of truth for which vendors are material and what happens if one goes down.

Drata's APRA CPS 230 framework is now live. Developed alongside one of Drata's leading Australian audit alliance partners, the framework is purpose-built to help both APRA-regulated entities and the material service providers (MSPs) they rely on meet CPS 230 requirements.

The Compliance Challenge CPS 230 Creates

CPS 230 consolidates three previously separate compliance programs — operational risk management, business continuity, and third-party/outsourcing risk — into one integrated, Board-accountable standard. That scope is what makes it genuinely difficult to implement well. It's not enough to check each area separately. APRA expects organizations to connect all three into a coherent operational risk profile, with a single auditable evidence trail.

Most organizations trying to get ready are confronting a version of the same structural problem: risk in a spreadsheet, a BCP that lives in a document, third-party management in a separate platform, and no audit-ready evidence linking any of it. When APRA reviews compliance, they're looking for a coherent operational risk profile,not three disconnected programs.

CPS 230 also creates obligations on both sides of the service provider relationship. Regulated entities must hold their MSPs to the standard; MSPs must demonstrate assurance to their regulated customers. A compliance program that only addresses one side leaves the other exposed.

What's Live in Drata

Drata's CPS 230 framework covers all five requirement areas — Governance, Operational Risk Management, Incident Management, Business Continuity, and Service Provider Management — with two complementary configurations designed to work together:

For APRA-Regulated Entities 

Pre-built requirements and controls mapped to all five CPS 230 areas, connected to integrated risk management, TPRM, and business continuity workflows. CPS 230 controls are cross-mapped to SOC 2, ISO 27001, Essential Eight, and NIST CSF from day one — evidence collected for existing frameworks reuses automatically for CPS 230, with no separate compliance silo.

For Material Service Providers 

A purpose-built MSP configuration that maps exactly which obligations apply to providers, not just to regulated entities. MSPs can operationalize their requirements, generate audit-ready evidence, and share their posture directly with regulated customers via the Drata Trust Center.

Additional capabilities live in the framework:

  • TPRM / MSP Register — a single source of truth for MSP registration, supporting the annual register submission requirement to APRA

  • TPRM AI Agent — streamlines third-party risk reviews and direct vendor data collection for MSP oversight

  • Policy templates aligned to CPS 230, including Business Continuity, Third-Party Management, Risk Assessment, and Information Security

  • Audit Hub — centralized evidence and reviewer collaboration for APRA reviews and internal audit assurance

  • Continuous control monitoring — automated evidence collection and monitoring for key CPS 230 controls

APRA screenshot

Who This Is Built For

Directors of Compliance and GRC Managers at regulated entities are are now past the July 2026 deadline with a set of still-open items: legacy vendor contracts not yet uplifted to CPS 230 minimum provisions, a BCP that exists in documents but isn't linked to critical operations or tolerance levels, and no centralized MSP register. Drata's framework connects the BIA, critical operations register, tolerance levels, and BCP under one platform with the audit trail APRA expects.

CISOs at regulated entities own both the security and operational risk programs — and CPS 230 makes Board accountability explicit. CISOs need to surface the right evidence to the Board, not just pass an audit. Drata's integrated operational risk and TPRM gives them real-time visibility into MSP concentration risk, incident notification readiness tied to the 72-hour and 24-hour APRA obligations, and cross-framework control coverage from existing programs.

MSP compliance and security leaders are often blindsided by CPS 230. If an APRA-regulated customer has designated you as a material service provider — which they determine based on whether you support a critical operation, not whether you volunteer for it — their CPS 230 obligations flow downstream to you through contract requirements. 

As of 1 July 2026, those contracts must already reflect CPS 230 provisions, and any that don’t are a live gap.. Providers with CPS 230 assurance ready will win and retain business; those without will face contract renegotiation. Drata's MSP configuration gives providers a fast path from their existing SOC 2 or ISO 27001 to a defensible CPS 230 posture, with Trust Center sharing for direct customer assurance.

What Makes Drata's Approach Different

Having a framework name in a GRC platform is a starting point, not a finish line. The quality of the implementation is what determines whether organizations can actually use it to meet their CPS 230 obligations — and three things set Drata's framework apart.

Built with Australian Auditors Who Understand How APRA Assesses Compliance 

The framework was developed alongside one of Drata's leading Australian audit alliance partners and reflects CPG 230 guidance on how APRA supervisors actually review compliance in practice — including evidence expectations for  controls and common supervisory findings. That matters when the reviewer asks for evidence on a specific requirement rather than just a control list.

Both Sides of the Relationship, in One Platform 

CPS 230 creates accountability obligations on both regulated entities and their MSPs. Drata built two complementary configurations that map exactly which obligations belong to which party — eliminating the accountability gap that creates compliance risk when each side is operating in isolation.

Test Once, Satisfy Many 

CPS 230 controls are cross-mapped to SOC 2, ISO 27001, Essential Eight, and NIST CSF. Organizations that already have other frameworks in Drata can reuse a significant portion of existing evidence for CPS 230, rather than running a separate compliance program from scratch.

Get Started

The CPS 230 framework is available now in the Drata GRC platform. For APRA-regulated entities and material service providers now subject to CPS 230, the time to close remaining gaps is now.

Request a demo or log in to your Drata account to add the CPS 230 framework.

Image
Max DePina
Senior Audit Alliance Manager for APAC

Max DePina is Senior Audit Alliance Manager for APAC at Drata.

Based in Australia, Max works at the intersection of trust, compliance, and continuous assurance, helping organizations strengthen audit readiness, manage third- and fourth-party risk, and adopt AI with the right guardrails in place.

Before joining Drata, Max held leadership roles across risk, audit, and advisory at Protiviti Australia and Deloitte Australia. He brings a practical, market-informed perspective to building strong audit alliances and helping companies turn compliance into a competitive advantage.

category + topics

Product Updates
GRC
Compliance
Subscribe to the Trusted Newsletter
Get biweekly expert insights so you never miss what’s next.

Chart Your Course

Navigate to new worlds of trust with Drata.