PENALTIES

NDIS penalties explained - what providers actually risk in 2026.

$330,000 individual. $1,650,000 body corporate. Per contravention. Plus banning orders that survive the entity, and a new tier of criminal offences landing through 2026. This guide breaks down what is in force today, what is coming, and how providers reduce the risk in practice.

Last updated 15 May 2026 · 14 min read

The headline numbers

An NDIS civil penalty is measured in penalty units. One penalty unit is set by section 4AA of the Crimes Act 1914 (Cth) and stepped up to $330 from 7 November 2024. The NDIS Act sets a maximum number of penalty units for each contravention, and the Federal Court awards an amount within that maximum on the evidence.

For the most-cited contraventions - false or misleading claims under section 73J, providing supports while unregistered, and breaches of conditions on registration - the standard maximum is 1,000 penalty units for an individual and 5,000 penalty units for a body corporate. At the November-2024 unit value, that is the $330,000 / $1,650,000 pair that providers most often see quoted.

These numbers are per contravention. A single audit can surface multiple contraventions tied to the same factual root - one expired worker screening on three participant rosters can read as three separate breaches in the Commission's enforcement action. The aggregate quickly outruns the headline.

  • $330,000: Individual - per contravention

    1,000 penalty units at the post-November-2024 rate of $330/unit. Applied per breach, not per provider. A single audit can surface multiple contraventions.

  • $1.65M: Body corporate - per contravention

    5,000 penalty units - five times the individual maximum. Applied to the registered provider entity. Director liability provisions can also reach individuals.

  • Indefinite: Banning order - duration

    The NDIS Commissioner can issue a banning order with no fixed end date. Published on the public register. Survives the entity it was issued against.

The penalty isn't the whole exposure. Registration suspension, banning orders, public listing, and the loss of NDIA-funded participants are usually larger commercial losses than the fine itself.

What counts as a contravention

Contraventions fall into four practical categories. They overlap - a single incident can sit in more than one - and the Commission is not constrained to charge under just one section. Detail on each row links to the relevant resource entry in our Group F cluster.

  • Worker screening and conduct

    Using an unscreened worker, failing to verify a current NDIS Worker Screening, or breaching the NDIS Code of Conduct. The most common contravention surfaced at audit.

    • Active worker without a current NDIS Worker Screening clearance
    • WWCC expired between application and audit, worker still on shift
    • Code of Conduct breach not investigated within the required timeframe
  • Reportable incidents

    Failure to notify the Commission of a reportable incident within the prescribed window - five business days for most categories, 24 hours for serious harm.

    • Death or serious injury of a participant not notified within 24 hours
    • Use of a restrictive practice not authorised under a behaviour support plan
    • Allegations of abuse, neglect or sexual misconduct not escalated
  • Registration conditions

    Operating outside the registration groups granted, delivering supports without a Practice Standards-aligned system, or failing to maintain conditions imposed at certification.

    • Delivering SIL services without the SIL registration group
    • Failure to maintain audit cycle (no mid-cycle surveillance evidence)
    • Breach of a specific condition placed on the registration at decision
  • Quality and Safeguards obligations

    Not meeting the Practice Standards in practice. Most common at certification re-audits and after a complaint-triggered compliance review.

    • No live continuous-improvement register supported by evidence
    • Risk and emergency plans systematically older than 12 months
    • Complaint process exists on paper but no closure or notification trail

Deep-dive resources on each contravention type ship over the next seven days - see How much is an NDIS provider fine?, Reportable incident requirements and The full civil penalties schedule.

Banning orders

A banning order is a written notice from the NDIS Commissioner under section 73ZN of the NDIS Act. It prohibits the named person or entity from working in, providing or being involved in NDIS supports. The order can be indefinite, time-limited, or scoped to specific roles - for example, banned from a participant-facing role but not from administration.

Banning orders are published on the public NDIS banning order register and remain searchable indefinitely. Every registered provider has a continuing obligation to check the register before engaging a worker and to remove a worker who appears on it.

The order survives the entity it was issued against. Closing a company or trading under a new ABN does not lift it - the Commission specifically targets that conduct, and re-emergence under a new structure itself attracts enforcement.

The register is the source of truth. A worker's name being on it is enforceable - a clean check is not optional. See What is an NDIS banning order? and Real banning orders 2024–2026 for case-study detail.


The investigation process

Most contraventions surface through one of two paths: a complaint to the Commission or a reportable incident. Either trigger can land outside the scheduled audit cycle. Once an investigation opens, the response window - and the quality of the response - often matters more than the underlying conduct.

  1. Trigger

    A complaint to the NDIS Commission, a reportable incident, audit finding referral, or a market-monitoring signal. The Commission is not required to give advance notice before opening an investigation.

  2. Notice and information request

    The Commission issues a notice under section 55A of the NDIS Act requiring documents, records or attendance. Response windows are typically 14–28 days. Ignoring or partially complying is itself a contravention.

  3. Investigation

    Investigators review evidence, interview workers, participants and management, and may request follow-up information. Typical duration ranges from a few weeks (single incident) to several months (systemic concerns).

  4. Finding

    The Commission can issue a compliance notice, an infringement notice, a banning order, an enforceable undertaking, suspend or revoke the registration, or apply to the Federal Court for civil penalty orders.

  5. Remedy or penalty

    Civil penalty proceedings happen in the Federal Court. Banning orders and registration variations are administrative - appeal lies with the Administrative Review Tribunal. Public outcomes are published on the Commission register.

Deeper detail in The NDIS Commission complaint process and Investigation timelines.

New 2025 criminal offences

The civil-penalty framework above sits in the NDIS Act as it stands today. On top of that, the NDIS Integrity and Safeguards reforms announced in late 2025 - responding to the NDIS Review and the Joint Standing Committee - introduce a tier of criminal offences aimed at the most serious conduct. These are not replacing the civil regime; they sit on top of it.

Three categories are most consequential for registered providers.

  • Aggravated false or misleading claims

    Knowingly submitting false claims to the NDIA, where the conduct is committed intentionally or recklessly and causes financial loss to the scheme. Custodial sentences contemplated for the most serious cases.

  • Use of a provider while banned

    Working for an NDIS provider in a role covered by a banning order - or causing another to do so - is being elevated to a criminal offence. Aimed at the small minority of operators who reincorporate under a new ABN after a ban.

  • Reckless harm to participants

    A new offence framework targeting providers and individuals whose conduct knowingly or recklessly exposes a participant to serious harm. Sits alongside the existing reportable incident regime, not in place of it.

Commencement is staged through 2026. Track the Commonwealth register entry for the Integrity and Safeguards Bill 2025 for the in-force date applying to each schedule.

How providers reduce risk

The pattern across every published enforcement action is the same: the underlying conduct is rarely a single catastrophic event. It is a slow accumulation of small lapses that an audit or a complaint eventually surfaces. The same pattern in reverse is the mitigation - continuous, evidence-backed compliance is far cheaper than a corrective-action sprint after a notice.

Continuous worker screening

Every active worker checked against the NDIS Worker Screening register and the banning order register on engagement, on expiry, and on every roster change. Not annual. Not on-demand.

Living evidence pack

Service Agreements, risk assessments, emergency plans, training records, incident close-outs, continuous-improvement entries - all current, dated, and reachable in under sixty seconds. The same pack the auditor will read at Stage 1 is the pack you keep weekly.

Documented incident close-out

Every reportable incident notified inside the prescribed window, the Commission notification archived, the participant communication recorded, the post-incident review completed and signed. Open loops become findings.

Once an information notice arrives, the controllable surface shrinks. The day before the notice, the controllable surface is almost everything. The trade is to invest a small ongoing effort in the controllable side, in exchange for losing the panic-sprint on the day a notice arrives.


How Checkbase helps

Checkbase is built around the same evidence schema the NDIS Commission's approved auditors use at Stage 1. Every worker screening, every participant file, every governance record, and every incident close-out is tracked continuously - so the same pack you keep on a normal Tuesday is the pack the auditor reads at certification.

The compliance score on the dashboard updates the moment a document expires, a worker is added, or a participant's plan rolls over. The SIL audit lens filters every list to exactly what the auditor asks for at certification. The evidence pack export produces a single branded PDF organised by audit category, plus a time-boxed magic link with a 6-digit OTP for the auditor.

The point isn't the software. The point is that providers who run on a system like Checkbase get a notice and reply in days. Providers who don't run on such a system get a notice and reply in months - often with documents that don't exist yet.

Frequently asked questions

These are the questions providers most often search ahead of an audit or a Commission notice. Each one is also the seed for a standalone resource entry in our Group F cluster - published over the seven days following this guide.

Sources and further reading

Numbers and process detail in this guide are sourced from the primary legislation and the NDIS Commission's public materials. Where reforms are still in the bill stage rather than in force, that is noted in-line. This is general information, not legal advice - for a specific notice or matter, engage a lawyer with NDIS-regulatory experience early.
