When Amazon Web Services’ US-East-1 region went down recently, a long list of global apps and services went with it.
For most companies, that meant a few hours of frustration.
For APRA-regulated financial institutions in Australia, an outage like that is something much more serious — a compliance and operational-resilience test under CPS 230, which is now in force as of July 2025.
CPS 230 requires banks, insurers, and superannuation funds to prove that they can keep their critical operations running within defined tolerance levels, even during a severe disruption. In other words, downtime is no longer just inconvenient — it’s non-compliant.
CPS 230: Raising the Bar on Operational Resilience
Under CPS 230, APRA-regulated entities must:
- Identify and manage operational risks across systems and service providers.
- Maintain credible business continuity plans (BCPs) that are regularly tested.
- Set clear tolerance levels for downtime and data loss.
- Ensure they can still operate if a material service provider or cloud region fails.
That last point is key.
Many organizations now run core workloads on managed Kubernetes platforms such as EKS, AKS, or GKE. While these platforms simplify operations, they also concentrate risk. If a single cloud region goes offline, entire clusters — and the applications they host — can disappear from production.
How CloudCasa’s Any2Cloud Fit In
CloudCasa provides a Kubernetes-native, cloud-agnostic backup and recovery platform. It protects not just data, but also namespaces, configurations, and cluster metadata. CloudCasa’s Any2Cloud automates the creation of new Kubernetes clusters in other regions or even other cloud providers which can deliver the practical resilience that CPS 230 expects.
1. Cross-Region and Cross-Cloud Protection
CloudCasa makes it simple to back up clusters running in one region — say AWS Sydney— and replicate them to storage in another region or another provider.
Backups can be stored in S3-compatible object storage, Azure Blob, or Google Cloud Storage, helping reduce geographic concentration risk.
This approach supports CPS 230’s requirements for defined data-loss tolerance and business continuity across severe disruptions. If a primary cloud region fails, the data and configuration needed to rebuild your workloads are already available elsewhere.
2. Rapid Recovery Through Any2Cloud
If your production cluster becomes unavailable, Any2Cloud can deploy a new Kubernetes cluster in a secondary region or alternate provider within minutes. Once the new cluster is live, CloudCasa restores your applications, persistent volumes, and configurations automatically. Traffic can then be rerouted, allowing you to continue critical operations without missing your defined tolerance windows.
This workflow directly supports CPS 230’s intent — keeping critical operations running within acceptable limits, no matter where an outage occurs.
3. Strengthening Service-Provider Oversight
CPS 230 also raises expectations around the way organizations manage material service providers.
CloudCasa helps address these governance points by offering:
- Clear visibility of where data is stored, including region and provider.
- Full audit trails for backup and restore activity.
- Support for bring-your-own-storage models, so data can remain under your control or within approved jurisdictions.
These features make it easier for compliance and risk teams to demonstrate proper oversight and data-sovereignty management.
4. Regular Testing and Evidence for Auditors
With CPS 230 now active, APRA expects organizations to have credible, tested business continuity plans that demonstrate their ability to recover from severe but plausible scenarios. With CloudCasa, restores can be scheduled and documented as part of these tests. Reports generated from these exercises provide tangible proof that recovery objectives are being met — something auditors and boards are now specifically reviewing.
Mapping CPS 230 to Real Capabilities
| CPS 230 Expectation | CloudCasa’s Any2Cloud Capability |
| Maintain critical operations within tolerance levels | Cross-region and cross-cloud Kubernetes recovery |
| Credible, tested BCP | Automated restore testing and drill reporting |
| Manage risks from material service providers | Data-location visibility and provider independence |
| Minimise impact of disruptions | Continuous backups and geo-replication |
| Return to normal promptly | Automated cluster rebuild and restore |
From Compliance to Continuous Resilience
Now that CPS 230 is in effect, regulated organizations need to move beyond policy documentation and into proven, operational resilience. By combining CloudCasa’s multi-cloud data protection with Any2Cloud’s cluster mobility, financial and insurance institutions can:
- Recover quickly from outages or cyber events
- Demonstrate compliance through auditable tests and reports
- Avoid single-provider or single-region dependency
- Protect customers and reputation with minimal downtime
CPS 230 sets a high bar — but it’s also an opportunity to strengthen trust and reliability through technology that delivers resilience by design.
Staying Resilient in the CPS 230 Era
APRA’s new standard isn’t just another compliance checklist — it’s a framework for sustained operational integrity.
CloudCasa and Any2Cloud provide the tools to make that framework real: policy-driven backup, cross-cloud recovery, and automated continuity for your Kubernetes environments.