Read your offshoring definition again
If you run operational risk at an APRA regulated entity, you have spent this year building a material service provider register and working out which arrangements trip the offshoring obligations, with the transition for existing arrangements closing on 1 July. So you know the offshoring requirement well. Read its definition again, slowly, because it decides more than it appears to.
CPS 230 requires you to notify APRA before entering a material offshoring arrangement, including where data relevant to the service will be located offshore. Sensible. Then the standard defines what offshoring actually means. A material offshoring arrangement is one where the service is undertaken outside Australia. It expressly includes the case where the provider is incorporated in Australia but the service is physically performed offshore. And then the line that matters: offshoring does not include arrangements where the service is performed within Australia but the provider is not incorporated in Australia.
Where the service sits, not who holds it
Sit with that last sentence, because it is doing something quiet and large. The trigger is keyed entirely to where the service is physically performed. The nationality of the provider is set aside on purpose. A provider incorporated overseas, performing the service onshore in an Australian region, is carved out of the offshoring regime. No notification. No trigger. As far as the offshoring obligation is concerned, that arrangement is domestic.
What the trigger looks past
Now hold that definition against the exposure that actually matters, because they do not measure the same thing. The risk in a foreign provider is not only where the bytes rest. It is that the provider, by virtue of where it is incorporated, can be lawfully compelled by its home government to disclose or act on data in its custody, wherever that data physically sits. The clearest case is the US CLOUD Act, which reaches a US incorporated provider regardless of whether the data is held in Sydney or San Francisco. That exposure follows the company across the border. It does not care about the data centre.
So look at what the offshoring definition does to that. The one place CPS 230 operationalises geography with a hard notification trigger is keyed to physical location, and it explicitly excludes the foreign incorporated, onshore case. That excluded case is precisely where reachability lives. A US incorporated provider hosting your workload in an Australian region trips no offshoring obligation, can sit comfortably in your register, and carries an unassessed exposure that the standard's geographic trigger was structurally built to look past. The definition tests where the service is performed. The exposure follows who can be compelled. Those are different axes, and the standard's trigger is pointed at the wrong one.
The standard is not blind
Be careful here, because the loose version of this argument is wrong and a good risk officer will say so. CPS 230 is not blind to legal risk. The standard requires you to manage your full range of operational risks, naming legal risk, regulatory risk, compliance risk and data risk among them. Your service provider agreements must address ownership and control of data and your ability to meet your legal and compliance obligations. Your due diligence must weigh risks associated with geographic location. So the raw material to consider reachability is in the standard. The point is narrower and sharper than "the standard ignores it". The point is that the standard provides no named trigger for reachability, the one place it makes geography a hard obligation looks the wrong way, and the tool it hands you to control providers cannot bind the exposure anyway.
A contract cannot bind it
That last part deserves its own beat. The standard's instrument for managing a material service provider is the formal, legally binding agreement, with its clauses on data control, audit, liability and termination. But reachability operates above the contract. A foreign lawful order compels the provider regardless of what the provider promised you. No clause in an agreement between an Australian entity and its provider overrides the provider's obligations to its own government. So even a flawless CPS 230 service provider agreement does not close the exposure, because the exposure does not run through the contract. It runs through the provider's incorporation, which the contract cannot touch.
Resilience is not reachability
None of this is a flaw to mock, and naming it that way would miss the point. CPS 230 measures operational resilience, whether a provider might fail and whether you could continue through the failure, and it does that well. Reachability is a different question on a different axis: the provider functioning perfectly, and being lawfully compelled to act. A framework built to measure failure does not see a risk that involves no failure at all. The offshoring definition is simply the place where that blind spot becomes visible in the text, because it is the place the standard decided that geography means where the service sits, not who can reach it.
Which is the whole of it. Residency is the wrong test for this exposure, and the offshoring definition is residency written in as the test. Data on Australian soil, in an Australian region, performed onshore, is not domestic in any sense that matters if the provider holding it answers to a foreign government. The honest move is not to assume the offshoring trigger has captured the question. It is to assess reachability as its own line, on its own axis, because nothing in the standard will do it for you.
What it looks like done
We have run exactly that assessment over an Australian critical infrastructure provider, tracing every claim to a primary source and naming every contestable step. The worked record is public, linked below, for anyone who wants to see what the reachability line item looks like when it is actually done.
Sources
Australian Prudential Regulation Authority 2025, Prudential Standard CPS 230 Operational Risk Management, APRA, in force 1 July 2025, https://handbook.apra.gov.au/standard/cps-230
Clarifying Lawful Overseas Use of Data Act 2018, Pub L No 115-141, div V, 132 Stat 1213 (US), codified at 18 USC 2713
AustraliaOS 2026, Verification Record AOS-TEL-2026-001 Telstra CLOUD Act Assessment, https://australiaos.com.au/verify/AOS-TEL-2026-001