Penalties & enforcement
NDIS civil penalties - the full schedule
A comprehensive table of civil-penalty provisions under the NDIS Act 2013, the penalty units attached to each, and the dollar maximums at the current November 2024 penalty unit value of $330.
In plain English
Civil penalties under the NDIS Act 2013 (Cth) are calculated in penalty units. One penalty unit became $330 on 7 November 2024 under the Public Governance, Performance and Accountability (Penalty Unit) Amendment regulations. The body-corporate maximum is five times the individual maximum.
The schedule below lists the principal civil-penalty provisions in the NDIS Act and the corresponding maximums. These are per contravention ceilings, not annual caps. A single audit, complaint, or investigation can uncover multiple contraventions assessed separately.
What gets glossed over in most published summaries: the Federal Court rarely imposes the absolute maximum on a single contravention. Reported penalties typically scale from $20,000 to $500,000 per matter, weighted to the provider's size, conduct history, cooperation, and remediation. The maximums are deterrents.
Registration-related contraventions
These provisions sit at the front of the Act and govern who can hold themselves out as an NDIS provider, the conditions attached to registration, and the consequences of operating outside that framework.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73F | Providing supports while not registered, where registration is mandatory (e.g. SIL from 1 July 2026) | 1,000 | $1,650,000 |
| s 73G | Failing to comply with a condition of registration (e.g. screening, reporting, conduct) | 1,000 | $1,650,000 |
| s 73J | Operating as a registered provider while a registration is suspended | 1,000 | $1,650,000 |
| s 73Q | Holding out as a registered NDIS provider when not registered | 1,000 | $1,650,000 |
Conduct and Code of Conduct contraventions
The NDIS Code of Conduct applies to every NDIS provider and every NDIS worker — registered or unregistered. Breaches are civil penalty provisions enforceable against the provider, the worker, or both.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73V (Code of Conduct - provider) | Failing to act with integrity, honesty, and transparency; abuse, neglect, or sexual misconduct | 250 (worker) / 1,000 (provider) | $1,650,000 |
| s 73V (Code of Conduct - worker) | Individual worker conduct breaches - applies to every NDIS worker, including contractors | 250 | $82,500 (individual) |
| s 73T (auditor obligations) | Approved Quality Auditor failing to notify the Commission of major or severe non-conformance | 1,000 | $1,650,000 |
Reporting and information obligations
The Reportable Incidents scheme, information-sharing obligations, and cooperation requirements all sit here. Failure to report is one of the most commonly enforced categories because non-reporting is often discovered through other channels — complaints, coroner data, hospital records.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73Z (Reportable Incidents) | Failing to notify the Commission of a Reportable Incident within the prescribed time | 1,000 | $1,650,000 |
| s 73U (compliance notices) | Failing to comply with a compliance notice issued by the Commissioner | 1,000 | $1,650,000 |
| s 55A (compelled information) | Failing to provide information or documents in response to a formal Commission request | 60 | $99,000 |
| s 55A (false / misleading information) | Providing false or misleading information to the Commissioner | 200 | $330,000 (also criminal offence under Criminal Code) |
Restrictive practice contraventions
Restrictive practices — chemical, mechanical, physical, environmental, and seclusion — require authorisation under a current behaviour support plan and (in most states) authorisation under state law as well. Unauthorised use is a Reportable Incident and a standalone civil-penalty contravention.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73N (registered NDIS behaviour support) | Use of a restrictive practice not authorised under the participant's current behaviour support plan | 1,000 | $1,650,000 |
| s 73P (unregistered providers) | Provider not registered for specialist behaviour support engaging in behaviour support practice | 1,000 | $1,650,000 |
Worker screening contraventions
Worker screening is regulated by the NDIS Worker Screening Rules 2018 and the corresponding state legislation that actually issues the clearance. Letting a worker deliver supports without a current clearance is a registration condition breach.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73G via Worker Screening Rules | Engaging a person in a risk-assessed role without a current NDIS Worker Screening Check | 1,000 | $1,650,000 |
| s 73G via Worker Screening Rules | Continuing to engage a worker after notification that their clearance has been suspended or revoked | 1,000 | $1,650,000 |
Key personnel and disqualification
A provider's “key personnel” (directors, executive officers, controllers) are individually liable for certain conduct, and a provider cannot have key personnel who have been disqualified by the Commission.
| Section | Conduct | Penalty units | Body corporate max |
|---|---|---|---|
| s 73L (key personnel changes) | Failing to notify the Commissioner of a change in key personnel within the prescribed period | 60 | $99,000 |
| s 73ZS (banned worker provisions) | Engaging a worker subject to a banning order | 1,000 | $1,650,000 |
How fines are calculated in practice
The Federal Court treats the maximum as a ceiling. Recent precedent (e.g. NDIS Commissioner v Australian Foundation for Disability [2024]) shows the court weighing:
- Deterrent value — both specific (to this provider) and general (to the sector).
- Size of the provider — turnover, participant numbers, workforce.
- Number of contraventions in the matter.
- Prior compliance history — both with the Commission and earlier sector regulators.
- Cooperation with the investigation — voluntary disclosure, admissions, remediation taken before proceedings.
- Harm caused — actual harm to a participant attracts substantially higher penalties than documentation gaps without harm.
Enforceable undertakings as an alternative
The Commission can accept an enforceable undertaking instead of pursuing civil penalties. The provider commits in writing to specified compliance actions (training, audit programs, appointment of independent reviewer, periodic reporting). These are public and binding for the period stated. Breaching an enforceable undertaking returns the matter to civil-penalty proceedings on the original contraventions.
What is changing
The NDIS Amendment (Getting the NDIS Back on Track No. 1) Act 2024 expanded the civil-penalty regime and added new offences. The Integrity and Safeguarding Bill staged through 2026 adds criminal offences for the most serious conduct categories — deliberately providing false information, abusing or neglecting a participant where serious harm results, and retaliating against a worker who reports a concern. Criminal offences carry imprisonment in addition to fines, and are prosecuted by the Commonwealth Director of Public Prosecutions, not by the Commission itself.
How Checkbase helps
Every civil-penalty contravention in the schedule above has a paper trail that, if it exists and is up to date, would have prevented or substantially mitigated the breach. Current worker screening, signed code-of-conduct agreements, complete Service Agreements, authorised behaviour support plans, closed-out incidents, and timely Reportable Incident notifications — that is the documentary fabric Checkbase keeps in one place, with expiries surfaced before they become contraventions.
Frequently asked questions
Has anyone actually been fined the maximum?
Not to date for a single contravention. Reported Federal Court judgments cluster in the $20,000–$500,000 range per matter, scaled to provider size and conduct severity. The $1.65M-per-contravention number is a deterrent, not a benchmark.
Are penalty unit values automatically indexed?
Yes — the Commonwealth penalty unit is indexed every three years under the Crimes Act 1914. The $330 figure has been current since 7 November 2024. The next indexed increase is expected in 2027. Older guidance materials cite $313 (pre-November 2024) or $275 (pre-2020).
Do penalties apply to unregistered providers?
Code of Conduct civil penalties apply to every NDIS provider regardless of registration status — that is the design of the post-2018 framework. Registration-related provisions (e.g. s 73G failing to comply with a condition of registration) apply only to registered providers, but unregistered providers face their own front-door risk under s 73F for operating in a category that requires registration.
Can directors be personally liable?
Yes — the Code of Conduct provisions and a number of other sections apply to individuals, including key personnel. The individual maximum is $330,000 per contravention (1,000 penalty units). Banning orders against named individuals are a separate consequence and are publicly registered.
Where do I find the authoritative current version?
The consolidated NDIS Act 2013 is at legislation.gov.au. The Commission's compliance and enforcement page is at ndiscommission.gov.au/about/compliance-and-enforcement.
Related terms
- Penalties & enforcement
How much is an NDIS provider fine?
Current civil-penalty maximums per NDIS contravention, what they apply to, and what changes with the 2025 reforms - in plain language.
Read - Penalties & enforcement
What is an NDIS banning order?
Banning orders are the NDIS Commission's most serious enforcement tool. Here's who issues them, what they cover, and where the public register lives.
Read - Penalties & enforcement
The NDIS Commission complaint process
Who can complain to the NDIS Commission, what they do with the complaint, how long it takes, and what providers should do when one lands on them.
Read - Penalties & enforcement
NDIS Reportable Incident requirements
What counts as a Reportable Incident, the 24-hour and 5-business-day reporting clocks, the categories of conduct that trigger reporting, and the penalties for not reporting.
Read - Penalties & enforcement
What happens if you fail an NDIS audit?
How NDIS auditors classify findings, the timelines and consequences for each category, and what providers can actually do when a finding lands.
Read
Track every NDIS document in one place
Checkbase keeps your worker screening, participant files, governance, insurance, and audit evidence on one continuously-updated page. Built for Australian NDIS providers, 1–50 staff.