NDIS Provider Compliance: The Complete Guide
A practical guide to NDIS provider compliance in 2026: Practice Standards, Code of Conduct, audits, incidents, screening and the reforms changing the rules.
What NDIS provider compliance actually covers
The NDIS Code of Conduct: the baseline everyone meets
The NDIS Practice Standards and audit
Worker screening and who needs a clearance
Reportable incidents: tight windows, real consequences
Complaints management as a compliance system
Record-keeping and the shift to "prove and pay"
Conflict of interest, especially where you both coordinate and deliver
The 2026-27 reforms rewriting the compliance floor
What compliance costs — and why price is not profit
A starting checklist and how to get discovered
Frequently asked questions
Do unregistered NDIS providers have to comply with anything?
Yes. The NDIS Code of Conduct applies to every provider and worker regardless of registration, and worker screening applies to risk-assessed roles. Unregistered providers are still subject to Commission investigation and banning orders. From July 2027 many unregistered providers of high-risk supports will have to register or stop delivering those supports.
What is the difference between the NDIS Code of Conduct and the Practice Standards?
The Code of Conduct is a set of seven behavioural duties that binds all providers and workers. The Practice Standards are the operational quality requirements that only registered providers must meet and prove through independent audit. You can breach the Code without being registered; the Practice Standards only apply once you register.
How often are NDIS providers audited?
Registered providers are audited on a registration cycle, typically three years, with the type depending on risk. Lower-risk registrations use verification audits; higher-risk ones use certification audits with an initial two-stage assessment plus surveillance audits mid-cycle. High-intensity providers face tightening audit cycles under the 2026-27 reforms, so confirm your schedule with your approved quality auditor.
What are the reportable incident timeframes for NDIS providers?
The most serious incidents — including death, serious injury and abuse — must be notified to the Commission within 24 hours, with a fuller report to follow, and other reportable incidents within five business days. These windows are being shortened for some providers under expanding enforcement powers, so confirm the current timeframes on ndiscommission.gov.au.
When does mandatory NDIS registration take effect?
Mandatory registration for SIL and digital-platform providers commenced 1 July 2026. Expansion to high-risk supports such as personal care and daily living begins from 1 July 2027 and is intended to be full by the end of 2030. These changes flow from the Securing the NDIS for Future Generations Bill 2026, so verify the current status on health.gov.au before relying on specific dates.