On the same April day, APRA released two documents, not one
On 30 April 2026 the Australian Prudential Regulation Authority released two documents, not one. The market read the first and filed the second under housekeeping. Read together they do exactly what the other letters do. They describe the exposure with precision and stop one word short of naming it, the same word missing from everything else.
The first document was the letter to all regulated entities setting out what APRA found when it ran a targeted supervisory review across the large banks, insurers and superannuation trustees. Four themes. Cyber and information security, AI governance, assurance, and third party and supply chain risk. Of the four, APRA placed the widest gap between what entities actually do and what it expects squarely in the last one. In plain terms, the regulator told the largest institutions in the country that the most material risk they now carry sits inside their suppliers, buried in vendor platforms whose upstream dependencies stay invisible until something fails. It also signalled where its own supervision is heading next, which is to look through the entity in front of it and engage the vendors underneath directly.
That letter got the attention. The firms wrote it up as a wake-up call on third party risk, and they were right to.
The amendment that carved a narrow exemption
The second document looked like housekeeping, and almost nobody outside the policy teams read it closely. It was the final set of targeted amendments to CPS 230, the operational risk standard, signed by an APRA Board member. On its face it does something small and generous. It carves a narrow exemption from certain contractual requirements for a defined set of what APRA calls non-traditional service providers, the bodies you genuinely cannot sit across a table and negotiate with. Read the attachment and you see exactly who qualifies. Central banks. Regulators. Government agencies. Financial market exchanges. Clearing and settlement operators. Payment systems. Financial messaging infrastructure. Sovereign plumbing, all of it. The pipes the system runs on, owned or governed by the state or by the market itself.
Now read the part nobody quotes, the consultation summary, where APRA records what industry asked for and what it decided.
Industry asked to add the cloud to the exempt list
Industry asked APRA to widen that exempt list. Submissions asked, specifically, for information technology and cloud infrastructure to be added, along with communications providers and a handful of others. The stated reason was candid. Entities said they cannot realistically negotiate bespoke terms with the large international providers, so those providers should be treated like the central banks and let off the contractual hook.
APRA said no.
Not with drama. With a paragraph. It made minor adjustments to the definitions and left the scope where it was. The reasoning is the whole story. Exemptions, APRA said, are reserved for providers where the contract gap is universal and negotiation is genuinely impossible. Cloud and IT infrastructure did not meet that test. Then the line that matters most. APRA said it is already seeing the largest regulated entities drive contractual uplift with these providers, and that the uplift then cascades down to the rest of the industry. In other words, the hyperscalers are not unnegotiable. They are merely hard, and APRA expects the biggest players to go and do the hard thing, on a clock, because the deadline for bringing pre-existing arrangements into line is 1 July.
Two messages, one regulator, one day
Hold the two documents side by side and the shape appears.
On the same day, from the same regulator, two messages. The foreign commercial supply chain is the biggest gap you have, and we are coming to look through you to it. And, separately, the foreign commercial providers you most wanted us to excuse are precisely the ones we will not excuse, so go and master them contractually before July. One document names the exposure. The other shuts the most obvious exit from it. Neither names the reason those particular providers are the hard ones.
This is the part I want to be careful about, because it would be cheap to call it a contradiction. It is the opposite of a contradiction. It is coherence. APRA has been precise and deliberate. It identified the foreign supply chain as the material gap, and on the same day it refused to let entities treat that supply chain as something beyond their control. The two moves rhyme on purpose. There is only one word missing, and the absence is beginning to look deliberate too.
Why the missing word is jurisdiction
The missing word is jurisdiction.
Here is why it is missing, and why it matters. CPS 230 is an operational resilience standard. Its contractual requirements are built to deliver the things resilience needs. Audit rights. Notification when something changes underneath you. The ability to exit, and to take your data and your function somewhere else. APRA's bet, stated plainly in that consultation response, is that enough commercial leverage will pull those terms out of even the largest provider. On the operational axis that bet is reasonable. A big enough customer can, over time, win audit rights and an exit clause.
The one term no leverage can extract
But there is one term no leverage extracts, and it is the term the whole supply chain gap actually turns on. A provider incorporated under a foreign sovereign cannot contract away its obligation to obey that sovereign. You can negotiate audit rights out of a United States cloud provider. You cannot negotiate your way out from under a United States legal order. Under the CLOUD Act, American authorities can compel a US-incorporated provider to produce data in its possession, custody or control, wherever in the world that data is stored.
Microsoft said as much itself, on the record. In June 2025, before a French Senate inquiry into digital sovereignty, Microsoft France's director of public and legal affairs was asked under oath whether he could guarantee that French public sector data held in Microsoft's French data centres would never be handed to American authorities. His answer was that he could not guarantee it, because with a valid US order Microsoft is ultimately obliged to comply. Notice what he described in the same breath. Microsoft has contractually committed to resist unfounded requests, runs a rigorous process to challenge them, and seeks permission to notify the client. That is the entire machinery of contractual uplift, the very thing APRA expects entities to extract. And it still ends at the same wall, because the wall is not made of contract. That is not a gap that uplift can close. It is a feature of where the provider lives.
So the exit APRA closed and the gap APRA named meet at a single point, and at that point the contract runs out of road. You can make a US hyperscaler compliant with CPS 230 on every operational measure and still not have answered the one question the supply chain gap is really about, which is who can compel this provider, and under whose law, regardless of where our data is stored. The amendment quietly insists you bring the cloud to heel. It cannot tell you that the part of the cloud you most need to bring to heel is the part that answers to another government, because that is not an operational risk question. It is a jurisdictional one, and jurisdiction is not yet in APRA's vocabulary.
None of this is a failure of the regulator
None of this is a failure of the regulator. APRA is walking toward the question with real discipline, one careful document at a time. It has named the gap. It has closed the easy exit. It has told the biggest institutions to stop pretending the cloud is someone else's problem to carry. The only thing left is to say the word for why those providers resist being brought to heel, and on 30 April, twice, APRA came right up to the edge of it and stopped.
The institutions cannot stop where APRA stopped
The institutions do not have the luxury of stopping there. The 1 July date is real, the contractual uplift is expected, and the providers in question are exactly the ones whose home law reaches across an ocean. Every risk officer who maps their material service providers this winter is going to run a finger down the list and arrive at the same few names, and the standard will ask them whether they can exit, and notify, and audit. It will not ask the harder question sitting underneath. That one they will have to ask themselves.
Sources
Al-Bijwaie, B 2026, Three times this year, APRA described the risk without naming it, AustraliaOS, 18 June 2026, viewed 20 June 2026, https://australiaos.com.au/writing/the-unnamed-axis.
Australian Prudential Regulation Authority 2026, APRA Letter to Industry on Artificial Intelligence (AI), APRA, 30 April 2026, viewed 20 June 2026, https://www.apra.gov.au/news-and-publications/apra-letter-industry-artificial-intelligence-ai.
Australian Prudential Regulation Authority 2026, Final targeted amendments to CPS 230 Operational Risk Management, signed T McCarthy Hockey, APRA Board Member, APRA, 30 April 2026, viewed 20 June 2026, https://www.apra.gov.au/news-and-publications/final-targeted-amendments-cps-230-operational-risk-management.
Australian Prudential Regulation Authority 2025, Prudential Standard CPS 230 Operational Risk Management, APRA, in force 1 July 2025, viewed 20 June 2026, https://handbook.apra.gov.au/standard/cps-230.
Carniaux, A 2025, evidence to the French Senate Commission of Inquiry into public procurement and digital sovereignty, 10 June 2025, as reported, The Register, 25 July 2025, viewed 20 June 2026, https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/.
Clarifying Lawful Overseas Use of Data Act 2018, Pub L No 115-141, div V, 132 Stat 1213 (US), codified at 18 USC 2713.