When does the 24-hour notification clock start for a reportable incident?

The 24-hour clock starts from when the provider — including any worker — first becomes aware of the incident or alleged incident. It does not start from when an internal investigation is completed or when management is formally informed. Any knowledge by any staff member triggers the timer.

Is an unauthorised restrictive practice a reportable incident?

Yes. Under the NDIS Incident Rules, any use of a restrictive practice that was not authorised under applicable state or territory law, or was not implemented in accordance with a participant's behaviour support plan, is a reportable incident. The notification window is 5 business days from awareness.

What must be included in the Stage 2 full report?

The full report (due within 14 days of the initial notification) must include a factual account of the incident, immediate actions taken, steps to support the participant, preventive measures planned or implemented, involvement of police or emergency services, and any worker management actions taken as a result.

Does the provider also need to inform the participant about the incident?

Yes. Separate from the Commission notification, the NDIS Practice Standards require providers to inform the affected participant and, where appropriate, their nominee or family member about the incident and the provider's response. Failing to do this is a Practice Standards breach in its own right.

What happens if a provider misses the notification timeframe?

Late or missed notifications can result in regulatory action by the NDIS Commission, including compliance notices, conditions on registration, banning orders for responsible persons, or civil penalties. The Commission may also initiate a formal investigation into the provider's incident management system.

Do unregistered NDIS providers have the same reportable incident obligations?

No. The mandatory reportable incident notification requirements under the Incident Rules apply only to registered NDIS providers. However, unregistered providers delivering certain supports are subject to other safeguards, and participants should understand what protections apply to the services they receive.

Reportable incident: NDIS notification timeframes

Who must report and why timeframes matter

Every NDIS registered provider delivering supports — including Supported Independent Living (SIL), Specialist Disability Accommodation (SDA), and all other regulated services — is legally required to report certain incidents to the NDIS Quality and Safeguards Commission. This is not optional. The obligation flows directly from the National Disability Insurance Scheme Act 2013 and the NDIS (Incident Management and Reportable Incidents) Rules 2018 (the Incident Rules).

Getting the timeframes right is not merely a paperwork exercise. Late or missed notifications attract regulatory action, can trigger compliance audits, and in serious cases can result in civil penalties. For SIL providers operating in a context of elevated scrutiny under the 2026 strengthened framework, robust incident notification processes are a non-negotiable baseline.

What counts as a reportable incident

Not every adverse event is a reportable incident under the NDIS rules. Providers must correctly categorise incidents against the definitions in the Incident Rules. Reportable incidents include:

The death of a person with disability being supported by the provider
Serious injury of a person with disability
Abuse or neglect of a person with disability
Unlawful sexual or physical contact or assault of a person with disability
Sexual misconduct by a worker, including grooming behaviour
Use of a restrictive practice that was not authorised under the applicable state or territory law, or was not in accordance with a behaviour support plan

This list is closed — only incidents that fit these categories must be formally notified to the Commission. However, providers must also maintain their own internal incident management system for all incidents, including those that do not meet the threshold for external reporting. The NDIS Practice Standards require that system to be comprehensive, documented, and reviewed.

The two-stage notification process

The Incident Rules establish a two-stage notification process. Understanding both stages — and their separate timeframes — is essential for compliance.

Stage 1: Initial notification

The initial notification alerts the NDIS Commission that a reportable incident has occurred or is alleged to have occurred. The timeframes are:

Incident type	Initial notification deadline
Death of a person with disability	24 hours of becoming aware
Serious injury	24 hours of becoming aware
Abuse, neglect, unlawful contact, sexual misconduct	24 hours of becoming aware
Unauthorised restrictive practice	5 business days of becoming aware

The key phrase is of becoming aware. The clock starts from when the provider (including any worker or person associated with the organisation) first becomes aware of the incident or the alleged incident — not when a formal internal report is finalised. This means providers cannot defer starting the clock by delaying internal processes.

Initial notifications are lodged through the NDIS Commission Portal. They do not need to be exhaustive, but they must include sufficient information to identify the provider, the participant, and the nature of the incident.

Stage 2: Follow-up report (full report)

Following the initial notification, the provider must submit a full written report to the Commission. This follow-up report must be provided within 14 days of the date the initial notification was made. The full report must include:

A factual account of what occurred (who, what, when, where)
The immediate actions taken by the provider in response
Any action taken to support the person with disability affected
Steps taken or planned to prevent recurrence
Any involvement of police, emergency services, or other government agencies
Whether a worker has been stood down, retrained, or otherwise managed as a result

The Commission may request additional information, extend timeframes in limited circumstances, or initiate its own inquiry. Providers must cooperate fully with any Commission-led investigation.

Internal incident management obligations

The external notification obligation sits on top of — not instead of — internal incident management requirements. Under the NDIS Practice Standards (particularly the Core Module and the SIL and High Intensity Daily Personal Activities supplementary modules), providers must:

Maintain a documented incident management system
Ensure all workers know how to identify, record, and escalate incidents
Record all incidents in writing, including those that do not reach the reportable threshold
Conduct root cause analysis for serious incidents
Use incident data to inform continuous improvement
Inform the participant and, where appropriate, their representative about an incident and the provider's response

The 2026 strengthened Practice Standards place greater emphasis on a person-centred response — the provider's first obligation after ensuring immediate safety is to the participant, not to documentation. However, documentation must follow promptly to support both the internal system and the Commission notification.

Common compliance failures and how to avoid them

Quality auditors consistently identify the same failure patterns in incident management. Understanding them is half the battle.

Clock confusion: Providers calculate the 24-hour or 5-business-day period from when they completed internal investigations rather than from when they first became aware. Always start the clock from awareness, not completion of investigation.
Awareness attribution: An organisation becomes aware when any worker becomes aware. Providers sometimes argue that head-office did not know until days later. This does not restart the clock.
Restrictive practice misclassification: Providers incorrectly classify an unauthorised restrictive practice as a general incident, missing the 5-business-day notification window. Any use of a restrictive practice that was not authorised, or not implemented in accordance with a behaviour support plan, is reportable.
Incomplete full reports: Stage 2 reports submitted without a clear account of preventive action are routinely returned by the Commission. Ensure the full report answers what you will do differently.
No participant notification: Failing to inform the participant (and where appropriate, their nominee or family) about an incident is a breach of the Practice Standards separate from the Commission notification obligation.

Interaction with the 2026 strengthened framework

The NDIS Commission has signalled an increased regulatory focus on incident notification compliance as part of the 2026 registration renewal cycle. Providers applying for renewal or undergoing mid-term audits should expect auditors to scrutinise:

Whether the provider's incident register aligns with Commission records (i.e., were all required incidents actually notified?)
Whether timeframes were met across a sample of incidents
The quality and completeness of Stage 2 full reports
Evidence that the internal incident management system drives genuine quality improvement, not just box-ticking
Worker training records showing staff can identify and escalate reportable incidents

SIL providers, in particular, face elevated scrutiny because of the nature of the support environment — 24-hour staffed accommodation where incidents are statistically more frequent and the consequences of poor management more serious.

Practical steps for SIL providers

Map your incident triage process against the legal categories in the Incident Rules — every worker who might first become aware of an incident needs to know which category an event falls into.
Set internal notification deadlines that are tighter than regulatory deadlines (e.g., escalate to management within 4 hours for priority incidents, giving you time to lodge before 24 hours).
Template your Stage 1 and Stage 2 reports in advance so workers are not writing from scratch under pressure.
Build a notification tracker that records date/time of awareness, date/time of Stage 1 submission, and due date for Stage 2.
Conduct a quarterly reconciliation — compare your internal incident register to Commission portal records to catch any gaps before an auditor does.
Include restrictive practice incidents in your compliance calendar, as these have a separate (5-business-day) window and are frequently missed.

For SIL providers working through the full scope of 2026 compliance obligations — from incident management to behaviour support, worker screening, and quality audits — the 74-document audit-ready SIL compliance kit at ndiscompliant.com.au provides ready-to-use policy templates, registers, and procedural guides aligned to the current Practice Standards.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.