What NDIS provider compliance means
NDIS provider compliance is the full set of obligations a provider of NDIS supports must meet under the NDIS Quality and Safeguards Commission. It is broader than registration: some duties apply only to registered providers, but a core set (the Code of Conduct, worker screening for risk-assessed roles, and new criminal offences) binds every provider, registered or not.
The practical question for any provider is not "am I compliant" in the abstract, but "which obligations apply to me, given what I deliver and how I am registered." This guide answers that by mapping the whole landscape, then pointing to the detailed guide for each part.
The framework at a glance
| Element | Applies to | What it is |
|---|---|---|
| Code of Conduct | All providers and workers | The behaviour standards everyone delivering NDIS supports must follow. |
| Worker screening | All providers (risk-assessed roles) | A clearance required before a worker can fill a risk-assessed role. |
| Registration | Providers who must, or choose to, register | Approval by the Commission to deliver specified supports. |
| Registration groups | Registered providers | The categories of support you are registered for, which set your audit pathway. |
| Practice Standards | Registered providers | The quality standards assessed at audit, by module. |
| Audit (certification or verification) | Registered providers | The independent assessment against the Practice Standards. |
| Reportable incidents | Registered providers (and worker duties) | Serious incidents that must be notified to the Commission within set timeframes. |
| Restrictive practices | Implementing providers | Regulated practices that require authorisation and a behaviour support plan. |
Registered versus unregistered providers
Not every NDIS provider must be registered, but registration status changes which obligations bite. Registered providers carry the full weight of the Practice Standards, audits, and reportable incident duties. Unregistered providers are still bound by the NDIS Code of Conduct, worker screening for risk-assessed roles, and the criminal offences introduced by recent reform.
If you operate without registration, read NDIS unregistered provider obligations for exactly what still applies. For the broader registration overview, the NDIS provider registration guide is the foundational explainer.
In-depth guideNDIS Unregistered Providers 2026: The Compliance Obligations You Still Have
Registration groups and Practice Standards modules
Your registration groups are the categories of support you apply to deliver. They matter for compliance because they determine two things: which audit pathway you take, and which Practice Standards modules you are assessed against.
- For the full reference table of registration groups and how each maps to verification or certification, see NDIS registration groups explained.
- For which Practice Standards modules (Core, Specialist, and the verification module) apply to your groups, see NDIS Practice Standards modules by registration group.
Audit pathways: certification versus verification
Registered providers are assessed against the Practice Standards through one of two audit pathways, set by the risk and complexity of the supports they deliver:
- A verification audit is the lighter pathway, used for lower-risk, less complex supports.
- A certification audit is the more rigorous pathway, required for higher-risk or more complex supports such as Supported Independent Living. It involves a two-stage process and a mid-term audit.
For the mechanics of both pathways (the two-stage process, the mid-term audit at around 18 months, and non-conformity close-out timeframes), read NDIS audit pathways explained. When you are getting ready for an audit, the NDIS audit preparation checklist covers the seven evidence areas auditors check and the common non-conformities. You can also estimate the cost with the audit cost estimator linked below.
In-depth guideNDIS Audit Pathways: Certification vs Verification and Mid-Term Audits
The Code of Conduct: the duty no one escapes
The NDIS Code of Conduct sets the standards of behaviour expected of everyone who works with or delivers supports to people with disability. It applies whether or not you are registered, and breaches can attract penalties and banning orders. It is the floor beneath every other obligation, which is why it is the first thing the Commission looks to when something goes wrong.
Worker screening and workforce governance
Providers must ensure workers in risk-assessed roles hold a valid NDIS Worker Screening Check. The duty does not end when a clearance is granted: providers must monitor ongoing suitability and track expiry and renewal, including for older 2021-era checks now reaching their five-year mark.
For the ongoing employer duties after a clearance is issued, read NDIS worker screening ongoing obligations. Use the worker screening expiry calculator below to stay ahead of renewals.
In-depth guideNDIS Worker Screening: What Providers Must Do After the Clearance Arrives
Reportable incidents
A reportable incident is a serious incident, or an allegation of one, connected with NDIS supports that must be notified to the Commission within set timeframes. Getting the decision right (is this reportable, and how quickly) is one of the highest-stakes judgements a provider makes, because late or missed notifications are themselves a breach.
The reportable incident decision tool linked below walks the test step by step, and the incident management template gives you the register and procedure auditors expect.
Restrictive practices and behaviour support
A restrictive practice is any action that restricts the rights or freedom of movement of a person with disability. The five regulated restrictive practices may only be used with proper authorisation and an approved behaviour support plan, and implementing providers carry specific reporting duties.
For the full set of duties on implementing providers, including state and territory authorisation, read NDIS restrictive practices compliance.
In-depth guideNDIS Restrictive Practices Compliance 2026: Provider Guide
The Commission, enforcement, and fraud
The Commission is also an enforcement body. The Fraud Fusion Taskforce has sharpened scrutiny of provider claiming and conduct, and recent legislation added criminal penalties and stronger banning powers. Compliant providers protect themselves by keeping clean records, billing strictly within the price rules, and documenting their decisions.
- For the enforcement climate and what compliant providers do to avoid being flagged, read the NDIS fraud crackdown guide.
- For the legislation behind the new penalties and powers, read the Integrity and Safeguarding Bill guide.
What is changing in 2026
NDIS compliance is moving quickly, and several obligations shift on or around 1 July 2026. Rather than track them piecemeal, start with the dated roundup hub and the long-horizon timeline:
- NDIS changes on 1 July 2026 aggregates the near-term wave, including SIL mandatory registration and the new framework for allied health planning.
- The Securing the NDIS Bill timeline lays out the staged 2026 to 2030 reforms.
- For early childhood providers, Thriving Kids changes the access pathway for under-9s from 1 October 2026.
Service agreements also need updating when prices change: the NDIS service agreement requirements checklist covers the inclusions and participant notification.
In-depth guideNDIS Changes 1 July 2026: What Providers Must Know
Common mistakes
- Assuming "unregistered" means "unregulated". The Code of Conduct, worker screening, and criminal offences apply regardless of registration.
- Treating the audit as the whole job. The Practice Standards describe systems that must run every day, not just on audit week.
- Missing reportable incident timeframes because the decision was unclear or the register was not maintained.
- Letting worker screening clearances lapse, especially older checks now reaching expiry.
- Billing outside the price rules, which is exactly what enforcement is looking for.
Frequently asked questions
What is NDIS provider compliance?
NDIS provider compliance is the full set of obligations a provider of NDIS supports must meet under the NDIS Quality and Safeguards Commission. It includes the Code of Conduct and worker screening that apply to every provider, plus the Practice Standards, audits, reportable incident duties, and restrictive practice rules that apply to registered and implementing providers.
Do unregistered NDIS providers have to comply with anything?
Yes. Unregistered providers must still follow the NDIS Code of Conduct, ensure workers in risk-assessed roles hold a valid Worker Screening Check, and meet the criminal offences and conduct duties introduced by recent reform. Registration adds the Practice Standards, audits, and reportable incident obligations on top.
What is the difference between a certification and a verification audit?
A verification audit is the lighter pathway for lower-risk, less complex supports. A certification audit is the more rigorous pathway for higher-risk or complex supports, with a two-stage process and a mid-term audit. Your registration groups determine which pathway applies.
What must be reported to the NDIS Commission?
Reportable incidents (serious incidents or allegations connected with NDIS supports) must be notified to the Commission within set timeframes. The categories include death, serious injury, abuse or neglect, unlawful sexual or physical contact, and the unauthorised use of a restrictive practice.
What changes for NDIS providers on 1 July 2026?
Several obligations shift around 1 July 2026, including mandatory registration for Supported Independent Living and a new framework for allied health planning. Because the detail evolves, the dated roundup hub is the best starting point for the current state of play.
Step-by-step guides
Key terms
Tools & templates
All guides in this cluster
Last reviewed