AWS User Guide to Financial Services Regulations and Guidelines in Australia

Publication date: July 2025

This document provides information to assist financial services institutions in Australia that are regulated by the Australian Prudential Regulation Authority (APRA) as they accelerate their use of Amazon Web Services (AWS) Cloud services.

Background

APRA is the primary financial regulator in Australia. APRA oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies, and most members of the superannuation industry (collectively, APRA-regulated institutions, or ARIs).

Introduction of Prudential Standard CPS 230 Operational Risk Management

On July 17, 2023, APRA published the Prudential Standard CPS 230 Operational Risk Management (CPS 230) aimed at ensuring that ARIs effectively manage their operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers. In effect from July 1, 2025, CPS 230 replaces five existing standards, including Prudential Standard CPS 231 Outsourcing (CPS 231) and Prudential Standard CPS 232 Business Continuity (CPS 232).

On February 19, 2025, APRA rescinded its 2018 Information Paper "Outsourcing Involving Cloud Computing Services". Instead, APRA expects all regulated entities to comply with CPS 230 requirements when using cloud services to appropriately manage associated risks and maintain operational resilience.

The introduction of CPS 230 has not impacted ARIs' need to comply with Prudential Standard CPS 234 on Information Security (CPS 234), which requires ARIs to maintain information security capabilities commensurate with information security vulnerabilities and threats.

About this user guide

The following sections provide considerations for ARIs as they assess their responsibilities with regard to the following guidelines and requirements:

  • Prudential Standard CPS 230 Operational Risk Management (CPS 230) – this Prudential Standard states APRA's requirements relating to operational risk.

  • Prudential Practice Guide CPG 230 Operational Risk Management (CPG 230) – this Prudential practice guide provides APRA's guidance relating to operational risk management.

  • Prudential Standard CPS 234 Information Security (CPS 234) – this Prudential Standard states APRA's requirements relating to information security.

  • Prudential Practice Guide CPG 234 Information Security (CPG 234) – this Prudential practice guide provides APRA's guidance to ARIs on safeguarding IT assets.

Taken together, this information can support ARIs in their due diligence and in implementing an appropriate information security, risk management, and governance program for their use of AWS.