Penalties & enforcement
How much is an NDIS provider fine?
An NDIS contravention can attract civil penalties up to $330,000 per breach for individuals and $1,650,000 per breach for body corporates from January 2025.
In plain English
Civil penalties under the National Disability Insurance Scheme Act 2013 (Cth) are calculated in penalty units. Each penalty unit increased to $330 on 7 November 2024 under the Public Governance, Performance and Accountability (Penalty Unit) Amendment regulations. Maximum penalties for an NDIS contravention are 1,000 penalty units for an individual and 5,000 penalty units for a body corporate - which works out to $330,000 and $1,650,000 per contravention respectively.
The headline numbers are what most providers see quoted online. What gets glossed over: these are per contravention maximums, not per-incident or per-year caps. A single audit finding can include multiple contraventions, each one assessed separately.
What counts as a contravention
The NDIS Act lists civil-penalty provisions across registration, conduct, conditions of registration, and information-handling. The four most-commonly-cited categories:
- Operating without registration when the registration is mandatory (e.g. SIL from 1 July 2026, platform providers, behaviour-support practitioners) - section 73G.
- Holding out as registered when you're not - section 73Q.
- Failing to meet a condition of registration (e.g. not maintaining required worker screening, not lodging required reports, breaching the Code of Conduct) - section 73J.
- Failing to comply with an NDIS Commissioner notice - including requests for information, banning order terms, or compliance notices.
How fines are calculated in practice
The Federal Court considers the maximum as a ceiling, not a starting point. Recent precedent (e.g. NDIS Commissioner v Australian Foundation for Disability, 2024) shows the court weighing the deterrent value, the size of the provider, the number of contraventions, prior compliance history, and any cooperation with the Commission. Penalties in the high-five to low-six-figure range have landed on small-to-medium providers for combinations of conduct breaches and recordkeeping failures.
The Commission can also accept enforceable undertakings instead of pursuing penalties - a written commitment from the provider to take specified compliance actions. These are public and binding.
What changes in 2026
The NDIS Amendment (Getting the NDIS Back on Track No. 1) Act 2024 expanded the civil-penalty regime. The 2025 Integrity and Safeguarding Bill (staged through 2026) adds criminal offences for the most-serious conduct categories - including deliberately providing false information to the Commission, abusing or neglecting a participant, and retaliating against a worker who reports a concern.
For SIL providers specifically, the 1 July 2026 mandatory registration deadline means continuing to operate as an unregistered SIL provider after that date is itself the contravention. There's no warning shot - the contravention starts on day one of unregistered operation.
How Checkbase helps
Checkbase keeps the records the Commission asks for when it investigates. Worker screening with timestamps, training certificates, signed code-of-conduct agreements, incident reports with close-out evidence, participant consents, audit findings + remediation tasks - all stored with a clean audit trail and exportable as an evidence pack. The fastest path to a reduced penalty (or no penalty at all) is being able to show continuous compliance documentation when the Commission asks.
Frequently asked questions
Is the $1.6M figure per year or per breach?
Per contravention. A single audit can document multiple contraventions - there's no annual cap. The $1,650,000 maximum applies to body corporates per individual breach; individuals are capped at $330,000 per breach. Both numbers reflect the 1,000 / 5,000 penalty unit ceilings multiplied by the current $330 penalty unit value.
When did penalties go up?
The penalty unit was $313 until 7 November 2024, when it increased to $330. That's why older articles cite $313,000 / $1,565,000 - those numbers were correct under the previous unit value but are now superseded.
Do unregistered providers face the same fines?
Yes - the Code of Conduct applies to every NDIS provider regardless of registration status. Civil penalties for Code breaches apply equally to registered and unregistered providers. Where unregistered providers differ: they can't be hit with a "breach of registration condition" charge, but they can be hit with "operating without registration" charges if they deliver supports in a category that requires registration.
Has anyone actually been fined the maximum?
No reported case to date has imposed the absolute maximum for a single contravention. Reported penalties typically fall in the $50,000–$500,000 range per matter, scaled to the provider's size and the egregiousness of the conduct. The maximums are deterrents, not benchmarks.
Where do I find the official figures?
The NDIS Commission publishes its compliance and enforcement actions and policies online. The penalty unit value is set by the federal Attorney-General's Department and published on legislation.gov.au.
Related terms
- Penalties & enforcement
What is an NDIS banning order?
Banning orders are the NDIS Commission's most serious enforcement tool. Here's who issues them, what they cover, and where the public register lives.
Read - Penalties & enforcement
The NDIS Commission complaint process
Who can complain to the NDIS Commission, what they do with the complaint, how long it takes, and what providers should do when one lands on them.
Read - Penalties & enforcement
What happens if you fail an NDIS audit?
How NDIS auditors classify findings, the timelines and consequences for each category, and what providers can actually do when a finding lands.
Read
Track every NDIS document in one place
Checkbase keeps your worker screening, participant files, governance, insurance, and audit evidence on one continuously-updated page. Built for Australian NDIS providers, 1–50 staff.