What changed
APRA CPS 230 now applies in full (Australia). CPS 230, the Prudential Standard on Operational Risk Management, commenced on 1 July 2025. The transitional relief for pre-existing contractual arrangements with material service providers ended on 1 July 2026. From that date the standard applies without the transition carve-out: APRA-regulated banks, insurers and superannuation trustees are expected to have operational risk management, business continuity and material service provider management, including the material service provider register, fully in line with CPS 230. Targeted amendments to the standard also commence 1 July 2026. Our companion piece, CPS 230's grace period has ended, has the full close-out checklist.
The EU AI Act Digital Omnibus is now adopted (EU, reaches AU exporters). After the provisional political agreement of 7 May 2026, the European Parliament formally endorsed the package on 16 June 2026 by 423 votes in favour, and the Council of the EU gave its final approval on 29 June 2026. The amendments defer the high-risk obligations: standalone Annex III systems move from 2 August 2026 to 2 December 2027, and AI embedded in regulated products (Annex I) from 2 August 2027 to 2 August 2028. The narrower Article 50(2) content-marking duty moves to 2 December 2026 for systems already on the market at 2 August 2026, new systems must comply when placed on the market, and two new Article 5 prohibitions (AI nudification tools and AI-generated child sexual abuse material) take effect 2 December 2026. One step remains: the amending regulation takes legal effect on the third day after publication in the EU Official Journal, still pending as at 7 July 2026 and expected before 2 August 2026. Until that publication, 2 August 2026 remains the legally live high-risk date on paper, though adoption itself is complete. The broader Article 50 transparency obligation, telling people when they are interacting with AI, is unchanged and still applies from 2 August 2026. See our dated EU AI Act timeline for every milestone in one place.
Context: Australia's primary AI guidance is AI6. The National AI Centre Guidance for AI Adoption, published 21 October 2025, is the current primary guidance for Australian organisations: six essential practices, governance and accountability, impact assessment, risk management, transparency, testing and monitoring, and human oversight, often shortened to AI6. It supersedes the 2024 Voluntary AI Safety Standard as the main business reference, but the ten voluntary guardrails are retained and integrated, so organisations already aligned to them do not start over. It is voluntary, but government procurement and enterprise buyers increasingly reference it.
Who it touches
APRA-regulated entities (banks, insurers, RSE licensees) and their material service providers. CPS 230 now bites in full. Any AI system that supports a critical operation, or any AI vendor that is a material service provider, sits squarely inside the standard: it must appear in the process maps and the material service provider register, with monitoring that reaches the board.
Any AU organisation exporting AI-enabled products or services into the EU, or with EU users. The EU high-risk dates give more runway, but the inventory and classification work does not get easier with time. Article 50 transparency and, from December 2026, synthetic content marking still apply to anyone shipping generative features into the EU.
All AU organisations adopting AI. AI6 is the reference good practice. Boards and risk teams are expected to be able to show an AI inventory, clear ownership per system and human oversight, which is exactly what the December 2026 Privacy Act automated decision disclosure duty will also require.
What to do in the next 30 days
APRA entities: close the CPS 230 gap now, do not wait for an examination. Confirm the material service provider register is current and includes AI vendors; confirm AI that touches a critical operation is in the end-to-end process maps; confirm monitoring and reporting reach the board; and confirm business continuity plans have been tested. Have your own advisers review the binding positions.
EU-exposed organisations: keep building the inventory. Inventory and classify every AI system, standalone, embedded, built or procured. The sixteen-month high-risk deferral is runway, not a pause. If you ship any generative feature into the EU, plan synthetic content marking for the December 2026 date.
Everyone: map to AI6. Nominate an accountable executive for AI, write down who owns and monitors each system, add AI risks to the enterprise risk register, and record a human oversight checkpoint per system. If you already aligned to the ten guardrails, map them across rather than restart.
Prepare for the December 2026 automated decision disclosure duty. Begin the privacy policy review now. The OAIC consultation closed 15 June 2026 and its formal guidance is expected by September 2026, not yet released as at early July 2026. The window between guidance landing and the 10 December 2026 commencement is short, so mapping automated decisions should not wait for it.
A free way to see which of these apply to you: the AIRA AI Governance Health Check maps your answers to the specific Australian obligations that are triggered.
What we are watching next
EU Official Journal publication of the now-adopted Digital Omnibus, the final procedural step that locks the 2 December 2027 high-risk date in force, and the OAIC formal guidance on transparency in automated decision-making, due by September 2026 ahead of the 10 December 2026 commencement. Both will feature in the next issue.
Related reading
- Regulator Watch: Australia, June 2026
- CPS 230's grace period has ended
- EU AI Act timeline
- ADM transparency: the 10 December 2026 obligations
- Australia AI governance tracker
General information, not legal advice; verify against the primary sources linked above and your own advisers.