Your NDIS legal requirements are the laws, rules and documents you have to comply with to deliver NDIS-funded supports in Australia. They come from the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Practice Standards and Code of Conduct, Australian Consumer Law, privacy and work health and safety law, plus the written documents that prove you meet them: a service agreement, complaints policy, privacy policy, incident management policy and cancellation policy.
Most people start an NDIS business to help people, not to read legislation. Then a complaint, an audit or a string of last-minute cancellations lands, and the paperwork they kept putting off becomes the thing standing between them and getting paid. Here is the better news. Your NDIS legal requirements are a shorter, more fixable list than the worry makes them feel.
- Five core documents cover most providers. A service agreement, cancellation policy, complaints policy, incident management policy and privacy policy carry the bulk of your day-to-day NDIS legal requirements.
- The NDIS Act changed on 3 October 2024. The “Getting the NDIS Back on Track” amendments added a legal definition of “NDIS supports” and new funding rules, so older agreements and policies are worth a re-read.
- Consumer law and the Code of Conduct apply to everyone. Registered or not, if you receive NDIS funding you are bound by the NDIS Code of Conduct and Australian Consumer Law.
- Worker screening and insurance are not optional. Workers in risk-assessed roles need a valid NDIS Worker Screening Check, and registered providers must hold appropriate insurance.
- Mandatory registration is expanding. From 1 July 2026, Supported Independent Living and platform providers must be registered with the NDIS Commission.
What are your NDIS legal requirements as a provider?
As an NDIS provider you sit under several layers of law at once. The main ones are the National Disability Insurance Scheme Act 2013 (Cth) and the NDIS Rules made under it, the NDIS Practice Standards and Code of Conduct, Australian Consumer Law and the Competition and Consumer Act 2010 (Cth), the Privacy Act 1988 (Cth), work health and safety law, and the usual employment and tax obligations every Australian business carries.
Here is the wrong assumption that trips up new providers most. “I’m unregistered, so the NDIS rules don’t really apply to me.” They do. The NDIS Code of Conduct and Australian Consumer Law bind every provider who receives NDIS funding, registered or not. You can read the full list of your legal requirements as a provider on the NDIS website, but the short version is simple. The funding comes with rules attached, and the rules follow the money, not your registration status.
So your NDIS legal requirements break into two buckets. One: the conduct and quality rules you must follow. Two: the documents that show you are following them. A provider with the right documents and no system behind them still fails an audit. A provider with good systems and no documents struggles to prove it. You want both.
Do you have to register as an NDIS provider?
Not always. Whether you register changes which participants you can support and which supports you can deliver, and it shapes the rest of your NDIS legal requirements. Only registered providers can work with agency-managed participants. Unregistered providers can still support plan-managed and self-managed participants, which is a large share of the market.
Some supports force the decision for you. Specialist Disability Accommodation, behaviour support and the use of regulated restrictive practices all require registration with the NDIS Quality and Safeguards Commission. And the registration net is widening. From 1 July 2026, Supported Independent Living providers and online platform providers move into mandatory registration, so a model that is unregistered today may not stay that way.
| Question | Registered provider | Unregistered provider |
|---|---|---|
| Who you can support | Agency-managed, plan-managed and self-managed participants | Plan-managed and self-managed participants only |
| SDA, behaviour support, restrictive practices | Allowed | Cannot deliver these |
| Independent audit | Required (verification or certification) | Not required |
| Code of Conduct and consumer law | Applies | Applies |
| Worker screening for risk-assessed roles | Mandatory | Often required by contract, otherwise voluntary |
Registration is a bigger commitment, with audits and ongoing reporting, but it opens the whole participant market and tends to build trust faster. If you are still weighing it up, our guide to starting an NDIS business walks through the setup decisions in order.
Which legal documents does an NDIS provider need?
Five documents do most of the heavy lifting. Each one maps to a specific obligation, which is the point: documents are how you turn your NDIS legal requirements into something an auditor, a participant or a plan manager can actually see.
| Document | What it does | Required? |
|---|---|---|
| Service agreement | Sets out supports, pricing, cancellations and rights between you and the participant | Best practice for all, mandatory for SDA, and needed to charge cancellation and travel fees |
| Cancellation policy | Defines notice periods and when you can charge for a missed booking | Needed to claim short-notice cancellations |
| Complaints policy | Explains how participants raise and you resolve complaints | Required under the NDIS complaints rules |
| Incident management policy | Covers how you record, manage and report incidents | Required under the NDIS incident rules |
| Privacy policy | Explains how you collect, store and share personal information | Required under the Privacy Act for most providers |
NDIS service agreement
Your NDIS service agreement is the contract between you and the participant (or their nominee). It sets out what you will deliver, how and when, and the money side: fees, invoicing, cancellations and termination. It is your single most useful document, because it is the one a participant signs and the one you reach for when something goes wrong.
A good agreement is clear on the parties and who can sign, the scope of supports and where they happen, pricing tied to the current NDIS price limits, cancellation terms, how the agreement ends, and how you handle privacy and incidents. Where providers come unstuck is the gap between the paper and the practice. Your agreement might require seven days’ notice to cancel while your booking system only sends a reminder the day before. If the terms and your operations do not match, the terms are the part that fails.
NDIS cancellation policy
An NDIS cancellation policy sets out what happens when a participant cancels a booking. This is where real money sits. Under the NDIS Pricing Arrangements and Price Limits, a short notice cancellation is generally 7 clear days for disability support worker supports and 2 clear business days for other supports. When a cancellation meets the rules, you can usually claim up to 100% of the agreed support price.
The catch trips up new providers constantly. You can only claim a cancellation fee if the participant agreed to it first, in writing, before the service was booked. No signed cancellation terms means no claim, and a no-show you simply absorb. Your cancellation policy can be more generous than the NDIA minimums if you choose, but it cannot be vaguer. Spell out the notice period, what counts as short notice, and how you will let people know.
NDIS complaints policy
Every provider needs an NDIS complaints policy that sets out how a participant raises a concern and how you deal with it. The NDIS complaints rules expect every provider to have a complaints process that is proportionate to the size and complexity of what you deliver, and they expect you to act on what you hear.
Auditors look at this one closely, and not just for the document. They want to see complaints logged, responses dated, and changes made when a pattern shows up. A complaints policy that lives in a drawer is worse than useless, because it sets a standard you are then visibly not meeting. Treat it as a live process, not a formality.
NDIS incident management policy
An NDIS incident management policy explains how your business records, manages and reports incidents. If a participant has a fall, a medication error happens, or a worker behaves in a way that causes harm, this document is the plan everyone follows.
Registered providers also have reportable incident obligations to the NDIS Commission, with tight timeframes for the most serious events. The mistake to avoid is treating “incident management” as a synonym for “writing it down”. Recording an incident is step one. Acting on it, reporting the reportable ones on time, and changing how you work so it does not recur is the part that protects participants and your registration.
NDIS privacy policy
Your NDIS privacy policy sets out what personal information you collect, why, how you store it, and who you share it with. NDIS providers handle some of the most sensitive information there is: health records, disability details, support plans. The Privacy Act 1988 (Cth) applies to most providers, and participants have a right to see and correct what you hold.
Sharing is where it gets practical. You will pass information to plan managers, support coordinators, allied health workers and sometimes the NDIA. Your privacy policy needs to name who, and why, so a participant knows before they sign rather than after a breach. If you onboard people through a website or email form, this becomes more important, not less.
What are a plan manager’s legal requirements?
Plan managers sit in a different seat, and their NDIS legal requirements reflect it. A plan manager handles a participant’s funding: paying providers, tracking the budget, keeping the records. That makes you a financial intermediary, so on top of the Code of Conduct you carry record-keeping and conflict-of-interest obligations that a support provider does not.
Two practical points. First, the plan management establishment fee was removed in the 2025-26 pricing year, so your fee structure may need a look if you have not updated it since 1 July 2025. Second, you still need a clear written agreement with each participant covering what you do, how you are paid, and how you manage the conflict that exists whenever a plan manager also delivers other supports. Declare it, document it, and keep the two roles at arm’s length.
Worker screening and insurance: the requirements providers miss
Documents get the attention. Worker screening and insurance get the audits. Both are core NDIS legal requirements, and both are easy to let slip.
Every worker in a risk-assessed role needs a valid NDIS Worker Screening Check. It runs under the National Disability Insurance Scheme Act 2013 (Cth) and the worker checks framework, lasts five years, and costs roughly $107 to $195 depending on your state. You must verify each clearance before the worker starts and keep a register of who holds what. The first checks issued back in 2021 started expiring in 2026, so a renewal wave is rolling through the sector right now. A lapsed clearance is one of the fastest ways to land a condition on your registration.
Insurance is the other quiet requirement. Registered providers must hold appropriate cover as a condition of registration, which usually means public liability and professional indemnity, plus workers’ compensation once you employ staff. Even unregistered providers carry real risk working with vulnerable people, so going without cover is a gamble rather than a saving.
Common mistakes NDIS providers make
Most compliance problems are not bad intent. They are a busy provider growing faster than their paperwork. These are the patterns that turn into trouble.
- Using a generic template that does not match the business. A service agreement built for a different support type leaves you unable to enforce the clauses that matter when a dispute lands.
- Cancellation terms that were never signed. If the participant did not agree to your cancellation policy in writing first, you cannot claim the fee. This quietly costs providers thousands a year.
- Assuming unregistered means rule-free. Consumer law and the Code of Conduct still apply. Being unregistered narrows what you can do, it does not remove your obligations.
- Letting worker screening lapse. One expired clearance on the roster is a reportable gap, not a clerical slip. Track expiry dates and chase renewals early.
- Treating documents as set-and-forget. The NDIS Act changed in October 2024 and pricing changed on 1 July 2025. Agreements written before then may now reference rules that no longer exist.
Frequently asked questions
Do I legally need a service agreement as an NDIS provider?
A written service agreement is mandatory for Specialist Disability Accommodation and strongly recommended for everyone else. You also need one in practice, because you can only charge a participant for fees they agreed to, including cancellation and travel. No signed agreement means no claim.
Do unregistered NDIS providers have to follow the NDIS rules?
Yes. The NDIS Code of Conduct and Australian Consumer Law apply to every provider who receives NDIS funding, registered or not. Registration adds extra obligations like audits and the NDIS Practice Standards, but it is not the line between rules and no rules.
What are the NDIS short notice cancellation rules?
Under the NDIS Pricing Arrangements and Price Limits, short notice is generally 7 clear days for disability support worker supports and 2 clear business days for other supports. When a cancellation meets the rules and your agreement allows it, you can usually claim up to 100% of the agreed price.
Do I have to register as an NDIS provider?
Only if you want to support agency-managed participants or deliver supports like SDA, behaviour support or restrictive practices. Otherwise you can operate unregistered with plan-managed and self-managed participants. From 1 July 2026, Supported Independent Living and platform providers must register.
What legal documents does a new NDIS provider need?
Start with five: a service agreement, cancellation policy, complaints policy, incident management policy and privacy policy. Together they cover the bulk of your day-to-day NDIS legal requirements. Add employment contracts and workplace policies once you take on staff.
Do NDIS workers need a worker screening check?
Anyone in a risk-assessed role with a registered provider needs a valid NDIS Worker Screening Check before they start. It lasts five years and costs about $107 to $195 depending on the state. Verify each clearance and keep a register of expiry dates.
Is insurance mandatory for NDIS providers?
Registered providers must hold appropriate insurance as a condition of registration, usually public liability and professional indemnity, plus workers’ compensation if you employ staff. Unregistered providers are not always required to, but working with vulnerable people without cover is a serious risk.
What changed in the NDIS Act in 2024?
The “Getting the NDIS Back on Track” amendments commenced on 3 October 2024. They added a legal definition of “NDIS supports” that sets out what funding can and cannot be used for, along with new funding period rules. If your documents predate the change, give them a review.
What are a plan manager’s legal requirements?
Plan managers follow the Code of Conduct and the pricing rules, plus extra record-keeping and conflict-of-interest obligations as a financial intermediary. You need a written agreement with each participant, and the establishment fee was removed in the 2025-26 pricing year, so review your fees if you have not since.
How much do NDIS legal documents cost?
It depends on the route. Customisable templates cover the five core documents for a low fixed cost, while bespoke drafting by a lawyer runs higher. Most new providers start with templates and bring in a lawyer for the bits unique to their business.
You are not behind. Sorting your legal side as you grow is normal for an NDIS business, and the list is shorter than it first looks. Get your five core documents in place, keep your worker screening current, and you have covered the requirements that actually get checked. If a part of it feels beyond a template, you can hire a lawyer to handle the tricky bits.