What the New Law Actually Says
The National Disability Insurance Scheme Amendment (Integrity and Safeguarding) Act 2026 is now Australian law. Originally introduced as a Bill in November 2025, it passed Parliament on 1 April 2026 and received Royal Assent on 8 April 2026. It amends the NDIS Act 2013 in ten areas, focusing on two priorities: strengthening the NDIS Commission’s ability to detect and act on fraud, and raising the consequences for providers who cause harm or operate improperly.
The changes came out of the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability, and reflect years of consultation with participants, providers, families, and advocates. NDIS Quality and Safeguards Commissioner Louise Glanville described the reforms as strengthening the ability to identify and respond to risks, take timely enforcement action, and drive better practice across providers.
For compliant providers, the message is clear: your obligations are not changing, but the scrutiny applied to them is intensifying.
The Seven Changes That Matter Most
The Act introduces changes across ten areas of the NDIS Act 2013. Here are the seven with the most direct impact on registered providers.
Criminal offences for unregistered service delivery
Providing supports that require registration without being registered is now a criminal offence, carrying a maximum sentence of 5 years imprisonment. This was previously a civil matter. If any part of your service delivery requires registration under the NDIS Act, you must hold and maintain that registration.
Criminal penalties for breaching a banning order
If the NDIS Commission bans someone from working in the scheme, defying that order is now a criminal offence, also carrying up to 5 years imprisonment. Providers are responsible for checking that anyone they engage is not subject to a banning order.
Fines increased up to 40 times
The financial penalties for serious code of conduct breaches have risen dramatically. Where serious misconduct leads to the death or serious injury of a participant, the maximum fine for a corporation goes from $412,500 to more than $15 million. These are civil penalties; courts determine exact amounts based on the severity of the conduct.
Mandatory electronic claim forms
The Act modernises NDIS claiming by mandating electronic claim forms across the scheme. The NDIA also gains a new power to request evidence from providers before claims are paid. Providers who still submit claims via PDF or paper processes need to migrate to digital systems that generate a proper audit trail.
Expanded banning order powers
The NDIS Commission can now ban auditors, consultants, and business advisors from the scheme, not just service providers. This matters for providers who rely on third-party consultants to manage their compliance. Check that your compliance consultant is not operating under a conflict of interest: under the new law, an auditing firm that also offers consultancy to the same provider it is scheduled to audit is at regulatory risk.
Anti-promotion orders
The Commissioner gains a new power to restrict or prohibit promotional activities that undermine the NDIS’s integrity. This targets misleading marketing about what NDIS funding covers, such as claims that participants can use their plans for holidays, or SDA investment promotions promising guaranteed returns. Review any service agreements or marketing materials that make claims about funding scope.
Faster information requests from the Commission
Under previous rules, the Commission had to give providers 14 days to respond to information requests. The Act allows the Commissioner to shorten this deadline in urgent safeguarding situations. If the Commission raises a concern about your service delivery, you may now have much less time to produce documentation. Your records need to be retrievable on short notice.
$15M+
Maximum fine for serious misconduct leading to death or injury
5 years
Maximum prison term for operating without required registration
40x
Increase in maximum financial penalties vs. previous law
What This Means for Compliant Providers
The legislation is designed to target fraudsters and bad actors. Parliament’s framing was direct: if you are operating without proper registration, or exploiting participants, the scheme is no longer a soft target. If your organisation delivers quality supports with sound documentation practices, you are not the target.
But the law’s operational effect lands on every provider, regardless of intent. Three specific mechanisms will change how you work day-to-day.
Scrutiny is now continuous, not periodic. The Commission’s new ability to request documents urgently means you cannot maintain a different standard between audits and outside them. If a participant incident triggers a rapid investigation, your shift notes and records from six weeks ago need to be as clean as last week’s.
The claims process is changing. Mandatory electronic claims and the new power to request evidence before payment will introduce friction into billing if your current process lacks a clear, traceable record from shift delivery to invoice. Providers who already capture GPS clock-ins, link shift notes to participant records, and generate clean timesheets will find the transition straightforward. Those running manual workflows will not.
Your third-party relationships are now part of your compliance picture. Auditors and consultants can be banned from the NDIS. If you use third-party compliance consultants, confirm they are in good standing with the Commission. An auditor working under a conflict of interest doesn’t just fail your audit: under the new law, that auditor can be banned from the sector.
Key Finding
The NDIS Commission can now request documents on a shortened timeline in urgent safeguarding situations: potentially days, not the previous 14-day standard. If your records live in paper files, shared drives, or disconnected spreadsheets, retrieving them under time pressure is a direct operational risk.
Why Mandatory Electronic Claims Changes Your Workflows Now
Of all the changes in the Act, mandatory electronic claim forms have the most immediate operational impact on day-to-day agency management. The NDIA also now has new power to request evidence before claims are paid. Taken together, these two changes mean the connection between your shift delivery record and your billing claim needs to be tight, traceable, and digital.
In practice, that means:
- ✓Every claim needs to trace back to a verifiable service delivery record: which support worker delivered the shift, when, to which participant, under which NDIS support category.
- ✓GPS clock-in and clock-out data, shift notes, and timesheet records become your claim’s audit trail, not just internal records.
- ✓If the NDIA requests supporting documentation before releasing payment, you need to produce it quickly, ideally from the same system that generated the claim.
Providers still emailing PDFs to submit invoices, or manually reconciling shift records against billing runs, face the most adjustment. The electronic claims mandate effectively requires that your rostering, timesheets, and invoicing are either integrated or can be exported in a standardised electronic format.
Worth Checking
If your agency currently submits NDIS claims via paper forms, manual PDFs, or processes that don’t generate a digital audit trail linked to each shift, this is the time to review that workflow. The NDIA will issue further guidance on electronic claim form requirements: check the NDIS website for implementation timelines as they are confirmed.
How TakeCareOS Supports Compliance Under the New Rules
TakeCareOS is an AI-native operating system built for home care, disability, and aged care agencies. Several of its capabilities directly address the documentation and operational practices that the new Act makes more important. The platform’s conversational interface, Atlas, is covered in more depth in our guide to what conversational AI means for care agencies.
On electronic claims and audit trails: Shifts, GPS clock-ins, shift notes, and participant records flow into timesheets and NDIS invoices inside a single platform. When the NDIA requests supporting evidence before payment, the data is already structured, linked, and retrievable. There is no spreadsheet to rebuild.
On rapid document retrieval: Every shift note, service agreement, incident report, and worker credential lives in one place. When the Commission requests information on an accelerated timeline, your staff aren’t moving between systems or searching shared drives. The records are where you expect them to be.
On credential tracking: Atlas verifies credential status on demand. Ask Atlas which support workers have a police check or NDIS Worker Screening Check expiring this month, and it answers instantly. Separately, the Alerts module flags expiring credentials before you go to roster the worker. A shift allocated to someone with a lapsed credential is caught before it becomes a compliance problem.
On shift note quality: Workers log notes from their phone, in text or voice, in any language. The Shift Notes Companion restructures each entry, suggests improvements, and checks it against participant goals before it is locked. Notes that are vague or inconsistent have been a primary audit failure mode for NDIS providers. The platform addresses that at the moment of capture, not during a pre-audit review.
On continuous compliance: Audit-ready is the default state of the platform, not something you prepare for. Alerts surface credential expiries, missed clock-ins, and clock-ins from outside the shift location as they happen. The goal is continuous compliance, not a scramble before audits.
TakeCareOS supports compliance practices. Every provider remains responsible for its own obligations under the NDIS Act.
What to Do This Month
The Act is now law. Here is a practical starting checklist for registered NDIS providers.
Confirm your registration status is current
Operating without required registration is now a criminal offence. Log in to the NDIS Commission portal and verify your registration scope, including your expiry date and the support classes you are registered to deliver.
Audit your claims process
Can you currently submit claims electronically? Does each claim trace back to a digital service delivery record? If not, identify the gap and begin migrating to a system that supports electronic claiming with a linked audit trail.
Review your worker credential records
Every support worker delivering registrable supports needs current, documented credentials. Build or confirm a process for tracking expiry dates before they lapse, not after.
Check your third-party auditor and consultant relationships
Under the new expanded banning powers, confirm that any compliance consultants or auditors you engage are not operating under conflicts of interest, such as auditing a provider they also consult for.
Review your marketing and service agreement language
The anti-promotion order power targets misleading claims about NDIS funding scope. Review any materials that make statements about what participants can fund through their plans.
Strengthen your records for urgent document requests
If the Commission can now demand records on an accelerated timeline, those records need to be retrievable in hours, not days. If your documentation is fragmented across multiple systems or paper files, treat this as a priority to address now.
Watch for NDIS Commission implementation guidance
Different provisions of the Act may commence at different dates. Subscribe to NDIS provider updates and NDIS Commission news to stay current as implementation timelines are confirmed.
Frequently Asked Questions
Does this law apply to all NDIS providers, or only registered ones?
The criminal offence provisions specifically target people who provide supports that require registration without holding that registration. If you are currently an unregistered provider delivering supports that do not require registration, the criminal provisions do not apply to you in that context. The other provisions, including mandatory electronic claims and enhanced Commission monitoring powers, apply more broadly. Check ndis.gov.au/providers for guidance on your registration obligations.
When do the new provisions actually come into force?
The Act received Royal Assent on 8 April 2026. Different provisions may have different commencement dates: some commence immediately on Royal Assent, others may be triggered by proclamation or require further rules to be made. The NDIS Commission and NDIA will publish implementation guidance on each provision. The official source for commencement information is the Federal Register of Legislation.
How much are the new fines exactly?
For civil penalties, the Act uses a penalty unit structure. For the most serious contraventions, where a provider’s serious misconduct leads to the death or serious injury of a participant, the maximum civil penalty is 10,000 penalty units, equating to more than $15 million for a corporation at current penalty unit rates. Courts determine the exact penalty based on the severity and circumstances of the conduct. For context, the previous maximum for the same category of breach was approximately $412,500.
What counts as “operating without registration when registration is required”?
This depends on which supports your organisation delivers. Some support types under the NDIS require the delivering provider to hold registration; others do not. The NDIS Commission maintains a registration groups page listing which support categories require registration. If you are in any doubt about your obligations, seek advice from a registered NDIS compliance professional.
Can Atlas help manage compliance obligations under the new law?
Atlas can verify credential status on demand: ask which support workers have expiring police checks or NDIS Worker Screening Checks and it answers from your live data. The Alerts module flags expiring credentials, missed clock-ins, and location exceptions before they become incidents. Atlas drafts and surfaces information; it does not replace the judgement of your compliance team.
Audit-ready is the default, not the goal
TakeCareOS is an AI-native operating system for disability, aged care, and home care agencies. Shifts, shift notes, participant records, credentials, and invoices live in one platform. Atlas keeps your compliance status visible and your records retrievable: ask it which workers have expiring checks, or which shifts are missing notes, and it answers from your live data.
See it in action