NDIS Integrity and Safeguarding Bill: 10 Changes Every Provider Should Understand

NDIS Integrity and Safeguarding Bill: 10 Changes Every Provider Should Understand

The NDIS Amendment (Integrity and Safeguarding) Bill received Royal Assent on 8 April 2026. It's done. It's law.

This isn't a consultation paper or a policy announcement — it's enforceable legislation that changes how the NDIS Commission operates, how claims work, and what happens when providers get it wrong. We've broken it down into the 10 provisions that matter most, starting with the ones that carry the biggest operational impact.

1. Penalties just got serious — $15 million serious

Civil penalties for serious code of conduct breaches jumped from a maximum of $412,500 to over $15 million (10,000 penalty units) for corporations. That's not a typo. It's a 40-fold increase.

The Bill also defines "serious contravention" for the first time. It includes major departures from expected conduct, systemic patterns of non-compliance, and situations affecting multiple participants. The key word is systemic — a string of individually minor breaches can now be treated as a single serious contravention if the Commission identifies a pattern.

How you respond to incidents matters as much as preventing them. A well-documented investigation shows a functioning system. A trail of unaddressed complaints is exactly what this provision targets.

2. Unregistered provision is now a criminal offence

Operating without registration in a regulated support category now carries up to 5 years imprisonment or 120 penalty units. There's also a strict liability offence at 60 penalty units — meaning intent doesn't need to be proven.

With mandatory registration expanding to personal care, daily living supports, and closed-setting services from 1 July 2026, this isn't a hypothetical risk. If you're currently unregistered and delivering these supports, you're running out of runway.

3. Banning orders reach further

Previously, the Commission could only issue banning orders against providers and their workers. The net is wider now. Banning orders can be issued against:

• Applicants for NDIS provider registration
• Approved quality auditors
• Key personnel of any of the above
• Service providers who enable or facilitate disability supports
• Consultants and business advisors working with providers

Breaching a banning order: up to 5 years imprisonment or 10,000 penalty units for serious contraventions.

The message is clear — the Commission isn't just watching providers anymore. It's watching the people around them. If your auditor or consultant is cutting corners, that's now a regulatory problem that can land on your doorstep.

4. Anti-promotion orders: a new enforcement tool

The Commissioner has a brand-new power: stopping misleading advertising related to NDIS supports. Think "guaranteed NDIS registration in 7 days," inflated SDA investment returns, or claims of insider NDIA contacts for fast-tracked approvals.

These orders can be permanent or time-limited, and breaching one attracts up to 250 penalty units. Most legitimate providers won't be affected — but it's worth scanning your own website and marketing materials. Anything that could be read as guaranteeing NDIS-related outcomes is now enforceable territory.

5. Whistleblower protections are stronger

The Bill strengthens safeguards for anyone reporting unsafe or unlawful practices — workers, participants, families, anyone. It's designed to make it safer to speak up and harder for organisations to discourage it.

If you don't already have a documented internal complaints and whistleblower pathway, build one. Staff need to know it exists, how to use it, and that they're protected when they do.

6. The Commission can demand documents faster

The Commission's information-gathering powers have expanded in two ways. First, it can now require providers to produce documents — not just information. Second, it can set compliance timeframes shorter than 14 days where there's a reasonable belief that non-compliance increases the risk of serious harm to a participant.

New civil penalties also apply for refusing to provide information (60 penalty units), giving false or misleading information (120 penalty units), and misusing protected Commission information (120 penalty units).

Your records need to be somewhere you can actually find them. Case notes, incident reports, worker screening documentation, service delivery records — if the Commission asks, "show us," you need to be able to respond in days, not weeks.

7. 90-day cooling-off for participant withdrawals

When a participant requests to leave the NDIS, a mandatory 90-day cooling-off period now applies. The CEO must notify them of the consequences, explain how to cancel the request, and confirm that withdrawal only happens automatically after the period expires.

This protects against impulsive or pressure-driven exits. If you support participants who've raised the idea of leaving the scheme, be aware that services may continue through the cooling-off window. Plan your delivery accordingly.

8. Plan variations can go up or down

The Bill removes any ambiguity: plan variations can involve an increase or a decrease in total funding. This was technically possible before, but it's now explicit in legislation.

With average plan funding already trending downward under the broader NDIS reset, this is a practical reminder. Budget monitoring and funding period tracking aren't optional extras — they're how you avoid delivering services against funding that's no longer there.

9. Electronic claims — the provision that changes daily operations

This is the one to pay closest attention to.

The Bill gives the NDIA CEO power to control and limit the channels through which claims can be made — paving the way for mandatory electronic claiming and the end of paper-based or manual claim processes.

It also introduces something entirely new: the NDIA can now request evidence before paying a claim. If you're asked to substantiate a claim, you have 14 days to provide the evidence. No evidence, no payment.

This is the legal mechanism behind the digital payments direction flagged in the NDIS Reset. The Reset was the policy signal. This Bill is the legislation that backs it up.

For legitimate providers, standardised electronic claims should mean faster processing, fewer rejections, and clearer audit trails. But the 14-day evidence requirement is the part to genuinely prepare for — you need to be able to prove who delivered a service, when, where, for how long, against which line item, and with what documentation.

We've written a detailed guide on exactly what evidence the NDIA will ask for, where providers typically get caught out, and how to build a claiming process that holds up: NDIS Electronic Claims: How to Substantiate Every Claim Under the New Rules.

10. Evidentiary certificates

The Commissioner can now issue certificates that serve as prima facie evidence of a provider's registration status, conditions, and related matters — usable in both criminal and civil proceedings.

In plain terms: the Commission can produce a document that proves, in court, whether you were registered and under what conditions at any given time. Keep your registration details current and accurate.

Where to from here

This Bill is done. It's law. But some provisions will take effect as supporting rules and regulations are finalised over the coming months.

Rather than a checklist (you've seen enough of those), here are the three questions worth sitting with:

1. If the NDIA asked you to substantiate your last 10 claims within 14 days, could you? Not just the invoice — the appointment, the progress note, the worker, the line item. The full chain.

2. If the Commission asked for your incident and complaint records tomorrow, would they tell a story of a functioning system — or reveal gaps? Patterns matter now. It's not about having zero incidents. It's about showing you identified, responded, and improved.

3. Do you know who you're working with? Your auditors, consultants, and business advisors are now within the Commission's regulatory reach. Their conduct can affect your standing.

If any of those questions gave you pause, talk to us. We'd rather help you get ahead of this than watch you scramble when the requirements land.

FAQ

What is the NDIS Integrity and Safeguarding Bill?

It's the National Disability Insurance Scheme Amendment (Integrity and Safeguarding) Act 2026, which passed Parliament on 1 April and received Royal Assent on 8 April. It strengthens the NDIS Commission's enforcement powers, introduces electronic claiming, increases penalties up to $15 million for serious misconduct, and expands banning orders to cover auditors, consultants, and facilitators.

What are the new NDIS electronic claims requirements?

The Bill gives the NDIA power to mandate electronic claiming and control which channels providers can use to submit claims. It also introduces a new evidence-before-payment mechanism — the NDIA can request substantiation of any claim, and providers must respond within 14 days or the claim won't be paid.

How much have NDIS penalties increased under the new Bill?

Civil penalties for serious code of conduct breaches went from $412,500 to over $15 million for corporations. Providing unregistered supports is now a criminal offence carrying up to 5 years imprisonment. Breaching a banning order can also result in 5 years imprisonment or penalties up to 10,000 penalty units.

How is this different from the NDIS Reset announcement?

The NDIS Reset (announced 22 April 2026) is a broad policy overhaul covering eligibility, plan funding, mandatory registration, and digital payments. The Integrity and Safeguarding Bill is specific legislation that passed Parliament before the Reset announcement — it provides the legal framework for electronic claiming, higher penalties, and expanded Commission powers. The Reset sets the direction. This Bill gives the government the legal tools to enforce it.

Sources: Parliament of Australia — Bills Digest, Amplify Alliance, NDIS Commission, Mirage News, Team DSC