NDIS Unregistered Providers 2026: The Compliance Obligations You Still Have

Key Takeaways

• The NDIS Code of Conduct applies to every NDIS provider and worker, registered or not. Unregistered providers serving self-managed and plan-managed participants are fully bound by all seven obligations in the Code.
• A breach of the Code of Conduct carries a civil penalty of up to 250 penalty units per incident. At the current federal penalty unit value of $330 (in effect from 7 November 2024), that is $82,500 per breach for an individual, and up to $412,500 for a body corporate.
• The NDIS Amendment (Integrity and Safeguarding) Act 2025 increased civil penalties for serious contraventions to 10,000 penalty units, equivalent to $3.3 million for an individual and $16.5 million for a corporation. These maximums apply to unregistered providers.
• Providing supports that legally require registration without holding registration is now a criminal offence under the NDIS Act, carrying up to 5 years imprisonment. This is new since the 2025 amendments.
• The NDIS Commission named unregistered providers as a specific enforcement priority for 2025-26. Unregistered providers account for more than 90% of the NDIS market by number, and the Commission has stated they are not beyond its reach.
• From 1 July 2026, Supported Independent Living (SIL) providers and platform providers must hold NDIS registration. Continuing to deliver SIL without registration after that date is a criminal offence.
• Worker screening is not legally mandated for most unregistered providers, but participants increasingly require it, and sole traders operating as unregistered providers must hold an NDIS Worker Screening Check for themselves.

Being unregistered with the NDIS is not a compliance-free zone. It is a different regulatory position with a narrower set of formal obligations, but the obligations that do apply carry the same enforcement consequences as they do for registered providers. The Commission can investigate, issue compliance notices, ban workers and directors, pursue civil penalties, and now refer matters for criminal prosecution.

In 2025-26, the Commission made unregistered enforcement a stated priority. Unregistered providers represent more than 90% of the NDIS market by number, and many operate without any awareness that the Code of Conduct governs their work. That combination of market scale and compliance ignorance is exactly what the Commission is targeting.

This guide covers what unregistered NDIS providers are genuinely required to do, what changed when Parliament passed the NDIS Amendment (Integrity and Safeguarding) Act 2025, which services can no longer be delivered without registration from 1 July 2026, and where the enforcement risk concentrates.

The Core Misconception

The compliance failure driving most problems for unregistered providers is straightforward: being unregistered is mistaken for being unregulated.

Registration is a gateway requirement for certain support types and for accessing the NDIS portal as a provider. It determines whether a provider is subject to the Practice Standards, audit cycles, and the Commission's registration oversight functions. What it does not determine is whether the NDIS Code of Conduct applies to the provider.

The Code of Conduct is established under the National Disability Insurance Scheme (Code of Conduct) Rules 2018. It applies to all NDIS providers and all NDIS workers, including providers and workers who are not registered. This has been the position since the scheme was established. The 2025 amendments did not change whether the Code applies to unregistered providers. What they did was significantly increase the maximum penalties and create new criminal offences, with those consequences applying equally to registered and unregistered providers.

The NDIS provider registration compliance guide covers when registration is required and what the registration process involves. This guide focuses specifically on what unregistered providers must do while operating outside that framework.

What the Code of Conduct Requires

The NDIS Code of Conduct contains seven obligations that apply to every provider and worker in the scheme:

1. Act with respect for individual rights to freedom of expression, self-determination, and decision-making.
2. Respect the privacy of people with disability.
3. Provide supports and services in a safe and competent manner with care and skill.
4. Act with integrity, honesty, and transparency.
5. Promptly take steps to raise and act on concerns about matters that might put the safety and wellbeing of a person with disability at risk.
6. Take all reasonable steps to prevent and respond to all forms of violence, exploitation, neglect, and abuse.
7. Take all reasonable steps to prevent and respond to sexual misconduct.

Breaching any of these obligations exposes a provider or worker to civil penalties. The standard civil penalty provision under the NDIS Act is 250 penalty units. At the current federal penalty unit value of $330, that is $82,500 per breach for an individual. For a body corporate, the Regulatory Powers (Standard Provisions) Act 2014 applies a 5x multiplier, giving a maximum civil penalty of 1,250 penalty units ($412,500) for a standard Code of Conduct breach.

For serious contraventions, the NDIS Amendment (Integrity and Safeguarding) Act 2025 introduced a higher penalty tier: up to 10,000 penalty units for an individual ($3.3 million) and up to 50,000 penalty units for a corporation ($16.5 million). A contravention is treated as serious where the provider or worker knew their conduct was a breach of the Code, or was reckless as to whether it was.

For a full account of what the 2025 amendments mean for provider obligations, see our guide to the NDIS Amendment (Integrity and Safeguarding) Act 2025.

Worker Screening: What Actually Applies

This is the area where the rules are most frequently misunderstood. Unregistered providers are not required by law to obtain NDIS Worker Screening Checks for their workers before those workers begin providing supports.

For registered providers, the "no card, no start" rule applies: workers in risk-assessed roles cannot begin until the clearance is in place. That requirement derives from the Practice Standards framework, which does not apply to unregistered providers. So the "no card, no start" obligation does not extend to unregistered providers as a matter of law.

Three factors mean this distinction is less protective than it sounds.

First, participants have the right to require workers to hold an NDIS Worker Screening Check as a condition of engagement. Self-managed and plan-managed participants frequently do this. Support coordinators routinely recommend it. An unregistered provider whose workers hold no clearances may find themselves progressively excluded from the market.

Second, the Commission can and does investigate complaints against unregistered providers. Where a complaint involves alleged harm or exploitation by a worker, the Commission may ask what vetting processes the provider applied before engaging that person. The absence of any worker screening can be weighed against the provider when assessing whether they took all reasonable steps to prevent violence and exploitation under obligation six of the Code.

Third, sole traders operating as unregistered providers occupy a different position. When a sole trader is both the business and the worker delivering supports, they must obtain an NDIS Worker Screening Check for themselves and register as an employer to access the relevant state worker screening portal. The "no card, no start" distinction applies to employees and contractors, not to the sole trader delivering the service directly.

For a detailed account of how clearances work, what providers must do to track renewals, and what the 5-year expiry wave from the 2020-21 cohort means for NDIS workforce governance, see our guide to NDIS worker screening ongoing obligations.

Incident Reporting and Complaints

Registered providers are subject to mandatory incident reporting under the NDIS (Incident Management and Reportable Incidents) Rules 2018. Reportable incidents include death, serious injury, sexual misconduct, and the unauthorised use of restrictive practices. Registered providers must notify the Commission within 24 hours for priority incidents and within 5 business days for other reportable incidents.

Unregistered providers have no mandatory incident reporting obligation. This is a structural gap in the regulatory framework that the Commission has acknowledged. Serious harm can occur in an unregistered support context without the Commission being notified.

What unregistered providers must do is maintain a functioning complaints management process. Participants supported by unregistered providers retain the right to complain to the Commission about a provider's conduct. The Commission can investigate those complaints, apply the Code of Conduct, issue compliance notices, and pursue civil penalties or banning orders where a breach is established. The absence of incident reporting obligations does not make the Commission unable to act. It simply means the Commission relies on complaints, rather than proactive disclosure, as its primary information source for unregistered providers.

The NDIS Amendment (Integrity and Safeguarding) Act 2025 also expanded the Commission's information-gathering powers. The Commission can now require unregistered providers to produce documents and information. Refusing to comply with such a notice is itself a civil penalty offence. If an unregistered provider receives a formal notice from the Commission, the notice carries the same legal weight as one issued to a registered provider.

Which Supports Now Require Registration

From 1 July 2026, two categories of NDIS support require registration and cannot be delivered by an unregistered provider:

Supported Independent Living (SIL): SIL involves funded support for participants living in their own home or SIL accommodation, often at high hours and across overnight periods. All SIL providers must hold NDIS registration from 1 July 2026. Unregistered providers currently delivering SIL cannot continue after that date without holding registration.

Platform providers: Digital and brokerage platforms that connect participants with support workers also fall within mandatory registration from 1 July 2026.

For SIL providers who are not yet registered, the registration process involves an application to the Commission, an audit by an approved quality auditor, and Commission assessment. This typically takes several months from application to approval. The 1 July 2026 deadline is less than three months away at the time of writing. If you are an unregistered SIL provider and have not yet lodged a registration application, the timeline is now tight. See the NDIS SIL mandatory registration checklist for the steps and what your practice needs to have in place before applying.

Beyond SIL and platform providers, the NDIS Act has always required registration for specialist behaviour support, specialist disability accommodation, and the delivery of restricted practices. Before the 2025 amendments, providing these without registration was a civil penalty offence. Under the NDIS Amendment (Integrity and Safeguarding) Act 2025, it is now also a criminal offence carrying a maximum sentence of 5 years imprisonment.

For supports that are not in the mandatory registration categories, unregistered delivery for self-managed and plan-managed participants remains permissible after 1 July 2026. But the Commission's enforcement approach toward the unregistered sector is becoming more active across all support types.

The 2025-26 Enforcement Focus

The Commission published its regulatory priorities for 2025-26 in August 2025. Unregistered providers were named as a specific enforcement focus alongside worker capability, restrictive practices, and high-risk health concerns.

The Commission's stated position is direct: being unregistered does not shield a provider from the Code of Conduct, and the Commission will take decisive action against unregistered providers for serious breaches. The scale of the unregistered sector (more than 90% of the NDIS market by provider count) means the Commission is directing enforcement resources toward areas of highest risk: serious harm, financial exploitation, and providers operating in mandatory registration categories without holding registration.

The 2025-26 enforcement focus sits alongside the broader integrity reforms in the 2025 Act. The Commission received expanded powers including the ability to issue stop orders, ban providers from the scheme permanently, and refer matters for criminal prosecution. These powers apply to both registered and unregistered providers. The enforcement context for the NDIS as a whole, including the $86 million in payments blocked and more than 2,500 providers disrupted, is covered in our guide to the NDIS fraud crackdown in 2026.

The NDIS compliance quiz can give you a quick, structured picture of where your practice sits against the Commission's current priorities.

How ClinicComply Helps

Unregistered NDIS providers have fewer formal compliance obligations than registered providers, but the obligations that do apply carry real enforcement consequences. ClinicComply provides a structured way to document and track those obligations, which demonstrates good-faith compliance if the Commission ever investigates a complaint against your practice.

The policy library lets you store your Code of Conduct compliance framework, complaints management procedure, and worker vetting processes against the specific obligations they address. Automated reminders flag the 1 July 2026 SIL mandatory registration deadline, worker screening renewal dates, and policy review milestones before they fall overdue.

For providers approaching mandatory registration, ClinicComply maps the registration preparation process, assigns tasks to team members, and tracks completion through the dashboard. Building your compliance evidence now means your audit documentation is ready from day one of registration.

For downloadable policies and procedures templates for NDIS providers, see the ClinicComply NDIS template library. See the full feature set at cliniccomply.com.au/features, or start a free 30-day trial at cliniccomply.com.au/signup.

Frequently Asked Questions

Does the NDIS Code of Conduct apply to unregistered providers?

Yes. The NDIS Code of Conduct applies to every NDIS provider and every NDIS worker, regardless of whether the provider holds registration with the Commission. Unregistered providers delivering supports to self-managed and plan-managed participants are fully bound by all seven obligations in the Code. The Commission can investigate complaints, issue compliance notices, and pursue civil penalties against unregistered providers for Code breaches in exactly the same way it does for registered providers.

What is the penalty for breaching the NDIS Code of Conduct as an unregistered provider?

The standard civil penalty for a Code of Conduct breach is 250 penalty units per incident. At the current federal penalty unit value of $330, that is $82,500 for an individual and up to $412,500 for a body corporate (at the 5x multiplier). For serious contraventions, the NDIS Amendment (Integrity and Safeguarding) Act 2025 increased the maximum to 10,000 penalty units, equivalent to $3.3 million for an individual and $16.5 million for a corporation. A contravention is treated as serious where the provider knew their conduct was a breach, or was reckless as to whether it was.

Do unregistered NDIS providers need NDIS Worker Screening Checks for their workers?

Not as a legal requirement for most unregistered providers. The "no card, no start" rule applies to registered providers through the Practice Standards framework, not to unregistered providers. However, participants can require workers to hold clearances as a condition of engagement, and many do. Sole traders operating as unregistered providers must hold a clearance for themselves. The absence of any worker vetting can also be raised against a provider during a Code of Conduct complaint investigation involving harm caused by a worker.

Do unregistered NDIS providers have to report serious incidents to the Commission?

No. The mandatory incident reporting requirements under the NDIS (Incident Management and Reportable Incidents) Rules 2018 apply only to registered providers. Unregistered providers have no obligation to report incidents to the Commission. However, participants can still make complaints to the Commission about an unregistered provider's conduct, and the Commission can investigate and act on those complaints. The Commission has expanded its information-gathering powers under the 2025 Act and can now require unregistered providers to produce documents and information in response to a formal notice.

Which NDIS supports require registration and can no longer be delivered unregistered?

From 1 July 2026, Supported Independent Living and platform providers must be registered. Continuing to deliver SIL without registration after that date is a criminal offence under the NDIS Act, carrying up to 5 years imprisonment. Supports that have always required registration include specialist behaviour support, specialist disability accommodation, and delivery of restricted practices. The NDIS Amendment (Integrity and Safeguarding) Act 2025 made providing those supports without registration a criminal offence as well, with the same 5-year maximum sentence.

Can the NDIS Commission ban an unregistered provider from the scheme?

Yes. The Commission has powers under the NDIS Act to ban individuals and organisations from providing NDIS supports, and those powers extend to unregistered providers. Banning orders can be issued where the Commission determines a provider or worker poses a risk to participant safety and wellbeing. The NDIS Amendment (Integrity and Safeguarding) Act 2025 expanded these powers, including the possibility of permanent bans. A banning order removes the provider from the NDIS market entirely regardless of registered status.

What is the difference between being unregistered and being exempt from NDIS obligations?

There is no such thing as an exemption from NDIS obligations for providers operating in the scheme. Unregistered providers have fewer formal compliance requirements than registered providers: they are not subject to the Practice Standards, certification audits, or mandatory incident reporting. But they are fully bound by the Code of Conduct, consumer law, and the NDIS Act. Operating without registration is not a choice to exit the compliance framework. It is a decision to operate within a narrower version of it.

How can the Commission take action against an unregistered provider if they are not in the Commission's registration system?

Participants, family members, and support coordinators can lodge complaints about unregistered providers directly with the Commission. The Commission also has information-gathering powers that extend to unregistered providers: it can issue formal notices requiring documents and information. Refusing to comply is itself a civil penalty offence. When a complaint is substantiated, the Commission can issue compliance notices, impose civil penalties through the Federal Court, and issue banning orders against unregistered providers using the same mechanisms it uses for registered ones.

What should an unregistered NDIS provider do now to reduce compliance risk?

Three actions address the most significant risks. First, document a Code of Conduct compliance framework: a written record of how each of the seven obligations is met in practice. Second, establish and communicate a complaints management process to participants so they know how to raise concerns. Third, confirm whether any supports you deliver fall within the categories now requiring mandatory registration. For SIL providers not yet registered, the registration application needs to be underway now. The 1 July 2026 deadline is less than three months away and the process from application to approval typically takes several months.