The NDIS Just Changed What Non-Compliance Costs You. Personally.

Over a billion dollars has been spent reviewing how our country supports people with disability. The centrepiece is obviously the NDIS. A Royal Commission ran for four years. An independent NDIS Review spearheaded into the tail end. ANAO has produced finding after finding that the government agencies are only 'partially effective' and the public submissions to the Joint Committee of Public Accounts and Audit confirmed it.

The sector has engaged in good faith and at significant cost, on the reasonable assumption that this investment would produce a coherent path forward.

What it produced instead was partially acknowledged recommendations from the Royal Commission and an NDIS Review that has never been formally accepted. Not rejected. Just not formally responded to in alignment with other evidence sources. This 'oversight' is critically important as it means there is no single agreed destination that the sector is building toward.

Instead, we are in receipt of multiple reforms and portions of recommendations landing simultaneously:

  • the Getting the NDIS Back on Track legislation (effective October 2024),
  • mandatory provider registration,
  • new SIL Practice Standards, followed by revised Practice Standards,
  • the new framework plans,
  • Foundational Supports, and
  • formidable compliance activity.

Each reform is individually defensible. But together? They create compounding administrative pressure on a system that, by its own admission, is not yet ready.


Minister Mark Butler has been quoted saying:

"The scheme is off track. It lacks those disciplined design features of a good social program, and we're determined to get it back on track."

He went on to say:

"You can have fewer people on the scheme; you can have relatively the same number of people on the scheme with lower cost growth. And I think our job now is to work through all of those different permutations."

His framing is revealing. The problems he named are cost and cohort size. Yet mere days later, the Senate passed the NDIS Amendment (Integrity and Safeguarding) Act 2025, which doesn't address either of those things. It addresses enforcement. It strengthens penalties, monitoring, and the Commission's ability to act. Which is important. But it is not aligned to the problems the Minister himself just described.

Nobody in the sector would argue against swift and significant consequences for people who set out to exploit the scheme or take advantage of people with disability. The concern is that enforcement is the only area where the legislation has moved with pace and clarity.

We are investing to be better able to punish failure. When the critical focus needs to be getting better at preventing it. Over time, that produces a predictable pattern:

  • Providers become more risk-averse, not more capable
  • Documentation increases, but understanding doesn't
  • Signals of emerging risk are buried under compliance noise
  • And harm is still only fully understood after it happens

In the early NDIS years, it was described as a plane being built during take-off. Now it feels like we are trying to redesign that same plane mid-flight, whilst losing altitude.

Minister Butler might be sitting in the control tower. But NDIS providers are the ones piloting the planes. And regardless of what the tower is working through, the lives entrusted to you still need to land safely.

This article works through what has actually been legislated, what it changes about your risk profile, and what you can do about it now.

What the Act does

The NDIS Amendment (Integrity and Safeguarding) Act 2025 does five things. It changes:

  • who pays after something goes wrong,
  • how much they pay,
  • what triggers enforcement,
  • how fast the Commission can move, and
  • who can be permanently removed from the sector.

None of these are subtle. Together, they represent the most significant shift in NDIS provider accountability since the Commission was established. It does this by:

Redefining what counts as serious. The Act introduces a tiered penalty structure. Standard contraventions remain at 250 penalty units. But a new category of serious contravention now attracts up to 1,000 penalty units for individuals and 10,000 penalty units for bodies corporate. At current penalty unit values, that means fines up to $330,000 for an individual and $3.3 million for a body corporate, with the body corporate multiplier potentially reaching $16.5 million.

What makes a contravention "serious" is where this gets interesting. There are two paths:

  1. The first is a significant failure, meaning conduct that significantly departs from what could reasonably be expected.
  2. The second is a systematic pattern of conduct. This is assessed by the number of contraventions, the period they span, the number of people affected, and whether the provider responded to complaints or known issues.

In my experience as an independent Quality and Safeguards investigator, the significant failure usually follows the systemic pattern of conduct. All providers with even the slightest bit of complexity will experience small things going wrong. The shift here is that the Act now explicitly allows those small things to be treated as a pattern, and that pattern can be enough for a serious contravention finding.

Naming individuals, not just organisations. Key personnel, including directors, CEOs, and senior leaders, are individually named throughout the penalty provisions. Personal liability is no longer something that only applies in extreme cases. It is now an explicit feature of the framework.

It creates criminal offences such as:

  • Operating unregistered where registration is required. This now carries up to two years imprisonment.
  • Breaching a banning order carries up to five years imprisonment.
  • Providing false or misleading information to the Commission attracts civil penalties.

Most registered providers wouldn't be too concerned by these in theory. They have registration, they haven't been sanctioned. But these provisions are designed to be used. The Commission has signaled through its enforcement activity that it is building institutional capability to pursue these matters at scale.

Lets the Commission move faster. The Act broadens the Commission's monitoring and investigation powers, including the right to entry and inspection. It states they can impose shorter information request timeframes and issue infringement notices for civil penalties.

It can permanently remove people from the sector. The categories of individuals who can be banned from providing NDIS supports have been expanded. Combined with the personal liability provisions, this creates real consequences for individuals who cannot demonstrate they were actively engaged in the quality and safety of their services.

The missing measurement

Every one of those provisions sounds reasonable in isolation. The sector and the media have been strongly advocating for faster enforcement and the ability to remove bad actors permanently. The Act answers both of those calls.

But it is based on an assumption that falls apart under scrutiny. It assumes we have an agreed, measurable definition of what good NDIS service delivery looks like. We don't.

  • The NDIS Act 2013 establishes the scheme, the Agency, the Commission, participant rights, and provider obligations at a structural level. It does not define good practice.
  • The Getting the NDIS Back on Track Act 2024 focuses on plan management, budgets, and framework plans. It does not define good practice.
  • The Integrity and Safeguarding Act 2025 focuses on enforcement and penalties. It does not define good practice either.

What good practice looks like sits in the NDIS Practice Standards, which are made under the NDIS Rules rather than in the legislation itself. And even then, the Practice Standards describe what providers should have in place. They do not define what quality looks like in practice.

They are a benchmark for compliance, not the instruction manual for care, support and improving independence.

This means the Act has dramatically raised the consequences of getting it wrong without adding any further clarity on what getting it right looks like. Providers are now operating under a penalty framework that is clearer than the standards it enforces.

It is the equivalent of raising the speed fines on a road that has never had a speed limit posted.

I want to be clear, I am not arguing against enforcement. I am making the observation that enforcement without a clear, shared standard of quality creates a system where compliance becomes the proxy for quality. And compliance is not quality.

By not focusing on the outcomes for the people being supported, even the good providers risk becoming the 'bad actor' as the focus is paperwork and not people.

What this changes about your risk profile

With that gap in mind, here is what the Act practically changes about your exposure as a provider.

If your services are genuinely strong, if your staff know the people they support, if your incident data tells you something useful and you act on it, then much of this Act is a governance exercise.

But I implore providers to critically test their definition of "genuinely strong". Is it your own assessment, or one the system has defined for you? Consider whether there are gaps between what your organisation reports and what the people you support actually experience.

The accumulation problem

Most providers think about risk in terms of single events.

  • A serious incident.
  • A complaint.
  • An audit finding.

The Act now explicitly accounts for patterns. A provider that has fifteen medication errors across three months, even though none of them is individually catastrophic, can now face a serious contravention finding because the pattern demonstrates a systemic issue that was not addressed.

This is a fundamental shift. The Act treats that accumulation differently from how the previous framework did. It means your incident data is not just a record of what happened, but is now evidence of what you knew, when you knew it and what you did about it.

The question every provider needs to ask now is how well your systems can surface those patterns before the Commission comes looking.

The board exposure problem

Directors and senior leaders who previously relied on organisational compliance as their shield now have personal exposure written into legislation. If the policy existed, the training was delivered, and the documentation was in place, that used to be enough to demonstrate organisational diligence. Under this Act, the question shifts to whether the individual leader can demonstrate they were actively engaged in understanding the quality and risk environment of the services they govern.

This change in legislation is about ensuring directors and senior leaders are closer to the consequences of what happens on the ground. It makes "I didn't know" no longer a defence, as the legislation now expects key personnel to have systems that ensure they do know.

This means your board papers can no longer just be lag indicators of:

  • dashboards,
  • incident counts, and
  • compliance checklists.

Knowing now requires an understanding of what is driving those numbers. Meaning the board can no longer just receive assurance. They must interrogate it. Individually, each of the key personnel needs to demonstrate that they have:

  • Attempted to surface the underlying quality and risk drivers they need to make decisions on.
  • Not relied upon systems being "in place", but sought to understand whether those systems are actually working in practice.
  • Mechanisms to see where risk is accumulating, not just where incidents have occurred.
  • Understood where capability is thin or inconsistent and set strategies to correct it.

Governance in human services should have never been about pointing to a framework. It's about being able to demonstrate foresight and proactive support at each level of the organisation.

The underlying tension that will be felt by many leaders is that if the Government is going to rely more heavily on accountability, then the only way forward is to invest just as heavily in visibility.

And whilst I acknowledge that the legislation isn't actually strengthening governance, it's just shifting the liability, the question all NDIS leaders need to ask themselves is:

"How do I increase my odds of being successful?"

The speed problem

The Commission can issue shorter information request timeframes and infringement notices for civil penalties. The goal is that the Commission can act faster when participant safety is at risk. The effect is that providers will have less time to prepare a response when something goes wrong.

The Act has lowered the cost and time required for the Commission to act on non-compliance by shifting the burden of readiness. This is the risk that providers need to address. The gap between what is known inside your organisation and what is ready to be demonstrated to the Commission, that gap is your vulnerability and needs to be closed.

What you need to be doing now

The typical sector response is a checklist:

  • Update your policies.
  • Review your governance documents.
  • Prepare an audit response plan.

And those things may need doing. But they are the equivalent of a pilot booking in more time in the crash simulator. It's a good exercise, but it does not help you as you're losing altitude.

The Act's most significant provisions, the systematic pattern test and the personal liability framework, are not triggered by missing documents. They are triggered by patterns of harm that went unrecognised or unaddressed. The question is not whether your policies are current. The question is whether your organisation can see what is actually happening.

Can your organisation see what is actually happening in your services? And does that information transfer to the people with legal accountability for quality and safety? The issue is, you can't safeguard what you can't see. And you can't govern what never reaches you.

Stage 1: Know the problem

Before you can respond to the Act, you need an honest picture of your current position across the full reform landscape. Not just this Act, but the Practice Standards, mandatory registration, the framework plans, pricing, and workforce. These are all converging at once. You need to know where you are strong and where you are exposed.

Most leadership teams carry this knowledge intuitively. You know which sites feel different. You have a sense of where things are tighter and where they drift. But intuition is not a defence under this Act. You need a structured, documented view of your reform exposure.

We built the Reform Readiness Check for exactly this moment. It takes about twenty minutes. It walks you through the key domains of the current reform environment and gives you a structured view of where you stand, what needs attention first, and where the gaps are that you might not have considered.

You can do this kind of assessment yourself with a whiteboard and a few hours, or you can use the Reform Readiness Check, which structures the questions so you don't have to design the process from scratch while you're also trying to run services.

Either way, you need to know where you are starting from. Everything else flows from knowing where you stand.

Stage 2: Read your own instruments

Once you know where you stand strategically, the next question is whether your operational data supports or contradicts that picture. Whilst those in the control tower may assist the pilot during an emergency, it's the pilot that has to read and translate the instruments for the task at hand.

Pull your incident data for the last twelve months. Not to count incidents, but to really read them.

  • What recurs.
  • Which locations appear most often.
  • Which participants are involved in repeated incidents.
  • Which incident types cluster together.
  • What was done each time and whether it changed anything.

If you see the same patterns repeating across quarters, that is the accumulation the Act now targets.

Then you want to run a simple test. Take your three most common incident types. For each one, can you show what you changed as a result? Not what you documented. What you actually changed. Did you adjust staffing, change a process, retrain specific staff, modify an environment? Or did you review each one individually and close it off?

If the answer for any of those incident types is "we reviewed each one individually but didn't change anything systemic," that is the pattern the Act is designed to catch.

Then, pick one site or one service area where you suspect things are not as strong as they could be. Unpick what is being said, what is not being said, and how it is being said to identify the root cause of what really needs to shift.

The answers to those questions are the leading indicators that the Act now treats as evidence of proactivity. You do not want to be the leader of a frontline that can name the patterns your incident data can't.

This is the work that matters most under the new legislation. It is also the hardest to do from inside the operation. The people who should be reading the patterns are the same people managing the crises those patterns produce.

If you have someone in your organisation with the analytical capability, the time, and the mandate to do this, give them the space and make this their priority. If you don't, and most providers honestly don't, this is the kind of work we do. We can help you read what your data is actually saying and translate it into something your board and leadership team can act on before the Commission comes looking.

Stage 3: Act on what you find

Whatever you learn from the first two stages, these things need to happen quickly:

Brief your key personnel. Every person in your organisation who meets the definition of key personnel under the Act needs to understand their personal obligations. This is not a group email. It is a conversation about what this means for them individually and what they need to be asking about the services they govern.

Fix your reporting line, end to end. The Act's personal liability provisions mean your board and senior leaders need to see the uncomfortable data, not just the reassuring data. But that is only the tip of the iceberg. The information exchange between frontline, management and governance needs to be bi-directional. Knowing whether the information is flowing, whether it is being read, whether it is being acted on. That is the work.

The explanatory memorandum makes one thing clear about the new penalty framework: the fines are deliberately set so that they cannot be absorbed as a cost of doing business.

That is a conscious design choice, to remove the calculated bet of it being cheaper to risk non-compliance than to invest in getting it right. Now, the Act is pricing the penalties to ensure providers can't afford not to invest.

The default position in our sector has long been that the price guide doesn't fund quality. But really, none of this requires a large budget or a long timeline. It requires honesty about where you are, and a willingness to close the gap between what you say and what your data shows.

The flight ahead

Ladies and Gentlemen, this is your pilot speaking. I want to apologise for the recent turbulence. There are many things outside of our control, but rest assured, we have reset our tools and have confirmed our heading. Today's conditions aren't perfect, we are still working through some of it. But we know where we are and we know where we need to land. We've got you.

The NDIS Quality and Safeguards Commission now has stronger tools. Tougher penalties, broader powers and faster mechanisms. All pointed at providers.

What the Commission does not yet have, and what none of these reforms create, is a proactive system for preventing harm before it happens. The Joint Standing Committee recommended it in 2021. The NDIS Review called for it in 2023. We are still waiting.

That means the burden of prevention sits with you. Not because it entirely should, but because nobody else is picking it up and you will be responsible.

We can complain that the reforms have given the regulator better instruments for finding and penalising failure without giving providers better instruments for avoiding it. But it won't change the asymmetry of being assessed against an undefined standard with clearly defined consequences.

The only way to properly safeguard yourself, as an individual leader, and your organisation is by truly safeguarding the people you support.

You need to KNOW that the people living in your services are safe. I don't mean compliant or documented. Are the people you support actually supported in the way they need to be, by staff who know them, who are capable, and who are accountable?

You need to KNOW that your incident data is telling you something useful, rather than just proving you have a reporting system.

You need to KNOW that your information captures and translates the real state of your services, not just the historic dashboard that has evolved with your compliance requirements.

Those are the things only the pilot can KNOW. The control tower might be asking questions. The regulators will probe after the crash. But the actions of the pilot, they determine whether the lives on board arrive safely.


Angela Harvey is the Director of Supporting Potential, an NDIS quality, safeguarding and systems consultancy.


Appendix: Detailed summary of changes made by the Act

The NDIS Amendment (Integrity and Safeguarding) Act 2025 amends the National Disability Insurance Scheme Act 2013 across two schedules. Schedule 1 relates to the NDIS Quality and Safeguards Commission. Schedule 2 relates to the NDIA.

All provisions in Schedule 1 commence the day after Royal Assent. Schedule 2 commences 28 days after Royal Assent (except Part 3, which commences the day after Royal Assent).

Schedule 1: Amendments relating to the Commission

Part 1: New civil penalty provisions

The addition of civil penalties alongside existing criminal offences allows the Commissioner to take proportionate enforcement action where criminal prosecution may not be appropriate, including issuing infringement notices for civil penalties.

Part 2: New criminal offences and increased penalties

New definitions inserted into the Act:

  • "Conduct" means an act, an omission to perform an act, or a state of affairs
  • "Engage in conduct" means to do an act or omit to perform an act
  • "Serious contravention" (new section 11B) requires conduct that involves a "significant failure" or is part of a "systematic pattern of conduct"
  • "Significant failure" means the conduct of an NDIS provider or its key personnel represents a significant departure from the conduct that could reasonably be expected, having regard to the requirements imposed under the Act
  • "Systematic pattern of conduct" is assessed by: number of contraventions, period over which they occurred, number of individuals affected, and the provider's or key personnel member's response (or failure to respond) to complaints or known issues

These definitions are consistent with the Aged Care Act 2024 to support consistent interpretation across both sectors.

Note on body corporate multiplier: Under subsection 82(5) of the Regulatory Powers Act, the civil penalty for a body corporate must not exceed 5 times the penalty specified. This means the maximum for a body corporate for a serious contravention is 50,000 penalty units ($16.5 million).

Note on serious contraventions in proceedings: An authorised applicant seeking a higher penalty for a serious contravention must specify this in the application. If the court is not satisfied a serious contravention occurred, it may still apply the standard penalty.

Part 3: Regulatory powers

  • Monitoring powers under Part 2 of the Regulatory Powers Act now extend to Division 2 of Part 2 of Chapter 4 (privacy of information held by the Commission), in addition to existing coverage of Part 3A
  • Investigation powers similarly extended
  • All civil penalty provisions under the Act are now enforceable under Part 4 of the Regulatory Powers Act (previously only Part 3A penalties were enforceable)
  • Enforceable undertakings and injunctions extended to cover new civil penalty provisions
  • NDIS Provider Register relocated from Division 9 to new Division 7A (editorial change, no substantive change)

Part 4: Anti-promotion orders

New power for the Commissioner to issue an "anti-promotion order" prohibiting or restricting a person from engaging in regulated promotional conduct connected to the NDIS.

  • Applies to any person (individual or body corporate)
  • Regulated promotional conduct will be specified in NDIS rules made by the Minister
  • Order takes effect at least 7 days after being made, unless the Commissioner is satisfied it should take effect earlier to protect the health, safety or wellbeing of a person with disability
  • Person must be given opportunity to make submissions before an order is made
  • Civil penalty for breaching an anti-promotion order: 250 penalty units
  • Orders can be permanent or for a specified period, and can be varied or revoked
  • Making of an order is a reviewable decision under section 99

Examples from the Explanatory Memorandum of conduct that could be subject to an order:

  • Businesses misleading participants about using NDIS funds for holidays
  • Providers making exaggerated SDA investment return claims (10-20% yields)
  • People advertising the sale of NDIS registered businesses in ways that commodify participants
  • Consultants claiming 100% audit success rates or offering "audit coaching"
  • Entities offering "NDIS auditing services" without being approved quality auditors

Part 5: Banning orders

  • Subsection 73ZN(10) repealed and replaced with new section 73ZNA (compliance with banning orders)
  • New criminal and civil penalties for non-compliance with banning orders
  • Broader categories of people against whom a banning order can be imposed

Part 6: Information gathering

  • Commissioner can now require information or documents to be produced within timeframes shorter than the previous 14-day minimum
  • Applies where the Commissioner reasonably believes that a shorter timeframe is necessary to reduce the risk of serious harm to a participant
  • Commissioner retains discretion to extend the timeframe where appropriate
  • Existing conditions of registration expanded to require compliance with requests for documents (previously only information)

Part 7: Evidentiary certificates

  • New section 199C allows the Commissioner to issue a certificate that is prima facie evidence of specified registration matters
  • Matters that can be certified: application dates, registration dates, transition dates, cessation/revocation dates, registered support classes, variation dates, variation/revocation decision dates
  • NDIS rules can prescribe additional matters
  • Reduces the need for Commissioner and staff to prepare affidavits and attend court for routine registration facts

Schedule 2: Amendments relating to the NDIA

Part 1: Withdrawing from the Scheme

  • New section 29A establishes a formal process for participant withdrawal
  • Minimum 90-day cooling-off period (increased from initially proposed 28 days following stakeholder feedback)
  • CEO must notify participant in writing of: consequences of leaving, how to cancel the request, and that they will cease to be a participant if the request is not cancelled
  • CEO can extend the cooling-off period (e.g., if the participant is hospitalised)
  • Participant's correspondence nominee can cancel the request on their behalf
  • Notice must be given to both the nominee and the participant
  • Request can be made in any manner approved by the CEO (not limited to writing)

Part 2: Electronic claims forms

  • CEO can now prescribe the manner in which claims must be submitted (not just the form)
  • Enables mandatory electronic claiming through the myNDIS Provider Portal
  • Claims not made in the approved manner are not payable
  • CEO can require further information or documents in relation to a claim, with a minimum 14-day response period
  • CEO can extend the response period and can treat late responses as compliant where appropriate
  • Different manners and forms can be approved for different classes of claim (e.g., provider claims vs participant claims)
  • Applies only to claims made after commencement

Part 3: Plan variation

  • Confirms that plan variations under section 47A can increase or decrease total funding amounts
  • Applies to both old and new framework plans
  • Does not change the circumstances in which the CEO can vary a plan
  • Addresses situations such as when a participant receives compensation that overlaps with NDIS supports, allowing plan adjustment without a full reassessment