The Bill broadens the NDIS Commission’s enforcement toolkit: it converts a cluster of behaviours into civil penalty and criminal offences, creates new banning and antipromotion orders, establishes an NDIS Provider Register, and ties provider oversight to the Regulatory Powers Act to allow monitoring, entry and enforcement measures. It also strengthens the Agency’s administrative tools by allowing electronic forms, imposing a 90‑day cooling-off process for withdrawal from the Scheme, enabling shorter information deadlines where participant safety is at risk, and making Commissioner-signed certificates prima facie evidence in proceedings.
The practical effect is a material increase in legal and operational risk for providers and other market participants: the Bill creates tiered civil-penalty maxima (including very large penalties for “serious contraventions” by providers), criminal exposure for certain breaches, and the capacity for the Commissioner to publicise banning orders and compliance actions. For compliance officers and risk teams this shifts the focus from remediation to proof-ready systems, faster document flows, and tighter controls on advertising and staff conduct.
At a Glance
What It Does
The Bill creates new civil-penalty and criminal offences (including for false or misleading information and breaches of banning orders), elevates penalties for specified breaches, authorises antipromotion and banning orders, requires an NDIS Provider Register and links key parts of the Act to the Regulatory Powers Act for monitoring and enforcement. It also modernises Agency processes for claims, withdrawals and evidentiary certificates.
Who It Affects
Registered and unregistered NDIS providers, applicants for registration, approved quality auditors, marketers and promoters of disability services, the NDIS Commission and the National Disability Insurance Agency (NDIA), and participants whose safety may trigger accelerated investigatory powers.
Why It Matters
This Bill formalises an aggressive compliance posture: large, tiered penalties and non-judicial intervention tools allow the Commission to act quickly and publicly. That matters to risk, legal and operations teams because compliance failures can now carry both reputational costs through the public register and significant pecuniary or criminal exposure.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
At its core the Bill creates a two-tiered enforcement regime targeted at providers and those who interact with the NDIS Commission. It inserts a statutory test for a “serious contravention” — conduct that either represents a significant failure or is part of a systematic pattern — and ties much higher civil penalties to that label when the offender is an NDIS provider.
The text also converts a number of previously civil-only behaviours into fault-based, strict-liability and absolute-liability criminal offences depending on the element (for example, providing supports without required registration carries both imprisonment and large pecuniary penalties). These changes mean regulators can pursue both penalty orders and criminal prosecutions from the same factual base.
The Bill gives the Commissioner standalone administrative interventions. Antipromotion orders can prohibit or restrict specified promotional conduct after a short notice process; the Commission must give the recipient an opportunity to make submissions and normally wait seven days, but may make the order effective immediately where there is a reasonable belief that delay would materially increase the risk of serious harm to a participant.
Banning orders can now be applied to registration applicants, approved quality auditors and people involved in services that enable or advise on registration, and may be used where the Commission has revoked registration, reasonably believes a person has contravened or will contravene the Act, or where the person has been convicted of fraud, is insolvent, or otherwise considered unsuitable.Operational and evidentiary changes are significant. The Commissioner must establish an NDIS Provider Register that records registrations, suspensions, banning orders, compliance notices and enforceable undertakings and which may be published (fully or partly) under rules.
The Act is explicitly linked to the Regulatory Powers Act so monitoring powers — including powers of entry, inspection and information verification — apply to Part 3A and related privacy provisions. The Bill also allows the Commissioner to require faster information production and to shorten statutory timeframes where there is a reasonable belief that delay would significantly increase the risk of serious harm to a participant.
Finally, Commissioner-signed certificates are made prima facie evidence of a range of administrative facts in prosecutions and civil proceedings, reducing the evidentiary burden for regulators in many cases.For the NDIA the Bill modernises administration of claims and participant choices: approved forms must be published online, the CEO can require additional documents for claims (with a minimum 14‑day period to comply) and may withhold payments where requested information isn’t provided, and a participant may request withdrawal from the Scheme subject to a CEO‑administered notice and a statutory cooling-off period of at least 90 days. These changes speed up investigative action and centralise formal administrative control with the Commissioner and CEO, while creating new procedural obligations for providers and claimants.
The Five Things You Need to Know
The Bill defines a “serious contravention” (significant failure or systematic pattern) and makes serious contraventions by NDIS providers subject to civil penalties of up to 10,000 penalty units.
Failing to be registered when registration is required carries multiple layers of liability: a fault‑based criminal offence (max 2 years’ imprisonment or 120 penalty units or both), a strict‑liability offence (60 penalty units), and civil penalties (10,000 penalty units for serious contraventions by providers; 250 otherwise).
Breaching a banning order is a new criminal offence with a fault-based penalty of up to 5 years’ imprisonment or 300 penalty units (or both), plus higher civil penalties (up to 10,000 penalty units for serious contraventions by providers).
The Commissioner must establish an NDIS Provider Register containing registration details, banning orders, compliance notices and enforceable undertakings, and the rules may permit publication of all or part of the register.
A participant can request to withdraw from the Scheme with the CEO—withdrawal will take effect only after a cooling‑off period of at least 90 days (which the CEO may extend), and the CEO must provide written notice explaining consequences and cancellation options.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Civil penalties for false information and misuse of Commission information
The Bill creates civil‑penalty provisions for providing false or misleading information to the Commission (up to 120 penalty units) and for recording, disclosing or otherwise using protected Commission information without authorisation (up to 120 penalty units). It also turns several conduct‑based offences that previously had only criminal labels into civil penalty options, giving regulators an administrative route to sanction behaviour without pursuing criminal prosecutions.
‘Serious contravention’ test and stepped penalty regime
This part defines key terms (conduct, serious contravention, significant failure, systematic pattern) and attaches much heavier penalties to contraventions that meet the serious‑contravention threshold when committed by providers. The drafting creates three enforcement tracks: fault‑based criminal offences with imprisonment exposure, strict or absolute liability variants for specific elements, and tiered civil penalties—allowing a regulator to choose the most appropriate remedy for the conduct and the available evidence.
Linking NDIS oversight to the Regulatory Powers Act and expanding monitoring
The Bill recharacterises Division 8 as a compliance and enforcement Part and expressly subjects privacy provisions and Part 3A (NDIS providers) to the Regulatory Powers Act. That linkage brings monitoring, entry and inspection powers, infringement notice mechanics, enforceable‑undertaking frameworks and injunction pathways to bear on provider regulation. New procedural rules dictate how civil‑penalty applications for serious contraventions are to be framed and how courts may substitute general penalties where the serious‑contravention label is not established.
New power to restrict promotional conduct about supports and providers
The Commissioner gains the ability to make antipromotion orders that prohibit or limit specified marketing, advertising or promotional conduct connected to supports, services or providers. The Bill requires a short pre‑decision process (an opportunity to make submissions and normally a 7‑day wait) but authorises earlier effect where delay would threaten participant health, safety or wellbeing. Contravention of an antipromotion order attracts a civil penalty (250 penalty units).
Banning orders extended to applicants, auditors and service enablers
Banning orders can be imposed not only on registered providers but also on registration applicants, approved quality auditors, and people involved in services that enable or advise on registration. Grounds include revocation, convictions for dishonesty, insolvency and reasonable belief of contravention or unsuitability. The changes broaden the net of persons who can be restricted from providing activity connected to NDIS business.
Faster information production where participant safety is at risk
The Commissioner’s statutory powers to require documents, statements and attendance are clarified and expanded to include documents as well as information. Importantly, where the Commissioner reasonably believes a delay would significantly increase the risk of serious harm to a participant, notices can specify shorter periods or earlier attendance times. That creates an expedited investigatory pathway but also increases urgency for compliance teams to maintain rapid‑access records.
Commissioner certificates as prima facie evidence
A certificate signed by the Commissioner becomes prima facie evidence in prosecutions for offences under the Act, related Criminal Code offences that concern the Commission, and civil penalty proceedings. The certificate can specify administrative facts such as dates of registration, revocation or variation, which reduces the regulatory evidentiary burden but shifts the burden of rebuttal to respondents.
Administrative reforms: 90‑day withdrawal, online forms, claim conditions
The Agency must publish approved forms online and may approve different forms or manners for different classes of claims. The CEO can require additional information for claims with a minimum 14‑day compliance window and may withhold payments where required documents are not supplied. A participant’s request to withdraw is governed by a CEO‑issued notice with at least a 90‑day cooling‑off period (which the CEO may extend) and mandatory information explaining consequences and cancellation options.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- People with disability and their representatives — the bill creates faster investigatory tools, stronger banning powers and marketing restrictions intended to reduce harm and scams, and a statutory path to remove or restrict harmful providers.
- NDIS Commission and NDIA officials — gain broader monitoring, entry and evidence tools (via the Regulatory Powers Act linkage and prima facie certificates), enabling quicker regulatory action and lower evidentiary friction in enforcement.
- Compliant registered providers — benefit reputationally from clearer public registration and sanctioning mechanics; a public register and structured enforcement can distinguish law‑abiding providers in procurement and referral decisions.
Who Bears the Cost
- Registered and unregistered NDIS providers — face higher pecuniary and criminal exposure (including penalties up to 10,000 penalty units for serious contraventions and potential imprisonment), increased monitoring and information‑production duties, and reputational risk from register publication.
- Registration applicants and approved quality auditors — may be subject to banning orders prior to final determination of applications and therefore face business interruption or exclusion from market activity.
- NDIA/NDIS Commission — will bear increased administrative and operational costs to run the register, manage expedited investigations, process enforceable undertakings, and handle more contested administrative decisions and litigation.
- Marketers, media and referral partners — promotional activity about supports and services will face new constraints; antipromotion orders and regulated‑promotional‑conduct rules increase compliance risk for advertising and outreach.
Key Issues
The Core Tension
The central dilemma is between two legitimate objectives: the public interest in rapid, decisive protection of people with disability (which pushes toward broad, swift regulatory tools and public sanctions) and the interest in fairness, proportionality and procedural safeguards for providers (which argues for careful thresholds, clearer definitions, and more judicial oversight before imposing severe pecuniary or reputational penalties). The Bill privileges speed and publication as instruments of deterrence and protection, but that comes at the cost of increased legal risk and potential reputational harm to providers before contested facts are finally determined.
The Bill stacks powerful, primarily administrative remedies on top of criminal and civil routes. The practical consequence is a lower threshold for regulator action combined with large penalties and reputational measures (publication on a register).
That increases speed and reach of enforcement but raises questions about proportionality and the adequacy of procedural safeguards where consequences—especially reputational and commercial—are imposed before full judicial determination. The prima facie evidentiary role for Commissioner certificates reduces regulatory proof costs but shifts the burden of rebuttal to providers and may lengthen, not shorten, litigation as parties contest certificate foundations.
Operationally, linking the Act to the Regulatory Powers Act both strengthens investigatory capacity and imports intrusive powers (entry, inspection, monitoring) that will require clear protocols to protect privacy and privileged material. The bill’s expedited information timeframes and immediate‑effect options for antipromotion or banning orders are defensible on participant‑safety grounds but risk unintended service disruption if applied without calibrated thresholds.
Finally, the very large civil penalties for “serious contraventions” raise enduring drafting risks: the definitions of significant failure and systematic pattern are necessarily fact‑sensitive, and regulators will need robust internal guidance to apply them consistently and to avoid over‑criminalising operational or record‑keeping errors.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.