Apex Forums

Compliance & risk

Parliament has raised the compliance stakes for every registered provider

The NDIS Amendment (Integrity and Safeguarding) Bill 2025 passed both chambers by April 2026. Fines have jumped 40-fold and prison sentences are now on the table — for executives, not just frontline workers.

The compliance environment for NDIS providers changed materially on 1 April 2026, when Parliament passed the National Disability Insurance Scheme Amendment (Integrity and Safeguarding) Bill 2025.

The numbers alone signal a different regulatory era. A serious code of conduct breach that causes death or serious injury previously attracted a maximum fine of $412,500. Under the new law, that ceiling is more than $15 million — a 40-fold increase. Criminal penalties now attach to operating without registration when it is required, carrying up to 5 years' imprisonment. Breaching a banning order carries the same maximum. These are not administrative tweaks. They are penalties calibrated to deter, and the Minister's language has been explicit: people belong in prison, not in the sector.

The Commission's reach has also widened. Banning orders can now extend to auditors, business advisors and consultants — the third parties many providers rely on for compliance infrastructure. Anti-promotion orders give the Commission a new tool against misleading marketing. And the NDIA can now request evidence before claims are paid, which changes the cash-flow assumptions underpinning a significant number of service agreements.

Set that against the Australian National Audit Office's September 2025 findings and the picture becomes more uncomfortable for boards. The ANAO concluded the Commission is only partly effective in exercising its regulatory functions. It found the Commission has not established a regulatory risk framework to guide decision-making, and that its monitoring, compliance and enforcement activities are not yet risk-responsive or proportionate. Ten recommendations followed; the Commission agreed to nine outright and one in principle.

That combination matters for senior operators. A regulator with significantly expanded powers, criminal referral capacity, and a public mandate to act — but one the ANAO assessed as still developing the internal frameworks to deploy those powers consistently — creates real unpredictability. Providers cannot assume enforcement will track neatly to risk profile. The Commission is building its risk framework in real time, with sharper tools now in hand.

For boards, the exposure question is no longer abstract. Criminal penalties for operating without required registration, and fines exceeding $15 million for serious misconduct, are the kind of numbers that belong in board risk registers and directors' liability conversations, not just compliance team briefings. The NDIS Commission's own Commissioner, Louise Glanville, stated publicly that the new laws will support more timely enforcement action. Boards should take that at face value.

The question that sits unresolved — and that experienced operators are genuinely wrestling with — is how boards should calibrate their own oversight now that the penalty regime has changed but the Commission's risk-prioritisation framework remains under development. If enforcement is still inconsistent in practice, does a well-governed provider gain any real protection from doing the right things, or does exposure remain as much a function of which complaints land on the Commission's desk as of actual compliance posture? That is worth comparing notes on.
