Business Compliance Obligations in Australia: A Complete Guide

Every Australian business operates within a framework of legal obligations. Some are universal — applying to any entity that employs people, collects personal data, or sells goods and services. Others are specific to industry, location, or business size. Taken together, they form the compliance landscape that business owners are legally required to navigate, whether or not they have the resources to do so systematically.

This guide provides a comprehensive overview of business compliance obligations in Australia: what they are, which ones apply to which types of businesses, how to manage them effectively, and what happens when they aren’t met. It’s designed as a practical reference for business owners and managers who need to understand their compliance position — and keep it current as the regulatory environment evolves.

What Are Business Compliance Obligations?

A compliance obligation is a specific legal requirement imposed on a business by legislation, regulation, licence condition, or other authoritative source. It specifies what the business must do (or must not do), by when, and often how the requirement must be evidenced or reported.

Compliance obligations are distinct from general legal risk. Legal risk is broad exposure to liability — the possibility that something a business does might give rise to legal proceedings. Compliance obligations are specific, enumerated requirements that a business can identify, own, monitor, and evidence. A well-managed compliance program converts the abstract concept of “legal risk” into a specific, trackable list of obligations with named owners and documented evidence.

For most Australian businesses, the total compliance obligation picture spans several distinct regulatory frameworks. Understanding each framework — and which specific obligations within it apply to a given business — is the foundation of any compliance program.

The Core Compliance Frameworks for Australian Businesses

Employment Law: Fair Work Act and Awards

The Fair Work Act 2009 is the primary federal legislation governing employment in Australia. It establishes the National Employment Standards — ten minimum conditions that apply to all national system employees regardless of any award, enterprise agreement, or employment contract. These include maximum weekly hours, annual leave entitlements, parental leave, flexible working arrangements, and notice of termination requirements.

Most businesses also have obligations under one or more Modern Awards — industry or occupation-specific instruments that set minimum pay rates, penalty rates, overtime, allowances, and other conditions. There are over 100 Modern Awards covering different industries and occupations; businesses must identify which awards apply to their employees and comply with them in full.

Key employment compliance obligations beyond the base NES and award requirements include: superannuation guarantee contributions (11.5% from 1 July 2024, rising to 12% from 1 July 2025, with payday super from 1 July 2026); payroll tax obligations varying by state threshold; long service leave under applicable state legislation; and record-keeping requirements including time and wages records, pay slips, and employee records. The Fair Work Ombudsman enforces these obligations actively — employment law is the highest-volume compliance risk area for Australian SMEs.

Workplace Health and Safety

WHS obligations in Australia derive from state and territory legislation, primarily harmonised under the model Work Health and Safety Act adopted by most jurisdictions (though Victoria and Western Australia maintain separate legislation). The primary duty of care requires persons conducting a business or undertaking (PCBUs) to ensure, so far as is reasonably practicable, the health and safety of workers and others affected by their operations.

“Reasonably practicable” is not a vague standard — it requires systematic risk identification, risk control, and documentation of the measures taken. Officers of PCBUs have additional personal due diligence duties, requiring them to actively acquire knowledge of WHS matters, ensure resources are available, and verify compliance. These officer obligations mean that WHS compliance isn’t just a company-level concern; it creates personal legal exposure for directors and senior managers.

Specific WHS obligations include: incident notification to the relevant state regulator for notifiable incidents (deaths, serious injuries, dangerous incidents); consultation obligations with workers and health and safety representatives; specific management requirements for high-risk construction work; return-to-work and workers’ compensation obligations; and ongoing risk management documentation.

Privacy and Data Protection

The Privacy Act 1988 regulates how businesses collect, use, store, and disclose personal information. The Australian Privacy Principles (APPs) — 13 principles covering the full lifecycle of personal information — apply to all Australian Government agencies and to businesses with annual turnover exceeding $3 million. Regardless of turnover, health service providers and businesses that trade in personal information are also subject to the APPs.

Key privacy compliance obligations include: maintaining a current, accurate privacy policy that describes how the business handles personal information; notifying individuals of the purpose of data collection at or before the point of collection; taking reasonable steps to secure personal information from unauthorised access or disclosure; complying with the Notifiable Data Breaches scheme, which requires notification to the OAIC and affected individuals within 30 days of identifying an eligible data breach; and responding to access and correction requests from individuals within 30 days.

Proposed privacy law reforms currently before Parliament are expected to substantially strengthen consent requirements, introduce a direct right of action for individuals, and further expand the OAIC’s enforcement powers. Businesses should monitor this reform process closely.

Tax, Superannuation, and Corporate Obligations

Tax and corporate compliance obligations affect every Australian business. For most businesses, these include: BAS lodgement and payment on the applicable cycle (monthly, quarterly, or annually); PAYG withholding and instalment obligations; income tax lodgement; superannuation guarantee contributions paid to the correct fund by the applicable deadline (from 1 July 2026, payday super requires contributions to be paid within 7 days of each pay day); payroll tax in each state where the business’s Australian wages exceed the relevant threshold; and record-keeping obligations — businesses must retain financial records for five years from when they are prepared.

Corporate compliance obligations under the Corporations Act 2001 include: maintaining accurate registers of members, directors, and secretaries; lodging annual company statements with ASIC; notifying ASIC of changes to company details within prescribed timeframes; and director obligations including the duty of care and diligence, the duty to act in good faith in the best interests of the company, and the duty to prevent insolvent trading.

Consumer Law Obligations

The Australian Consumer Law (ACL), contained in Schedule 2 of the Competition and Consumer Act 2010, applies to all businesses engaging in trade or commerce in Australia. Key ACL obligations include: prohibitions on misleading and deceptive conduct; prohibitions on unconscionable conduct; mandatory consumer guarantees for goods and services (which cannot be excluded by contract); product safety obligations including mandatory safety standards for specified product categories; mandatory cooling-off rights for certain contract types; and prohibitions on unfair contract terms in standard form consumer and small business contracts.

The ACCC enforces ACL obligations at the federal level; state and territory consumer protection agencies enforce them concurrently. The ACCC’s enforcement priority areas evolve regularly — businesses should monitor current focus areas, which have recently included online trading, subscription services, and environmental claims.

Figure: The five core compliance frameworks for Australian businesses (employment, WHS, privacy, tax, and consumer law).

Industry-Specific Compliance Obligations

Beyond the universal frameworks above, many Australian businesses face additional compliance obligations specific to their industry or activity. These layer on top of the base obligations and are often the most complex and highest-consequence part of a business’s compliance picture.

Financial services businesses regulated by ASIC are subject to the Corporations Act financial services licensing regime, conduct obligations under the responsible lending rules, ongoing disclosure obligations, and breach reporting requirements. From 1 July 2026, Tranche 2 of Australia’s AML/CTF reform also brings accountants, lawyers, real estate agents, and other designated service providers into AUSTRAC’s regulatory perimeter for the first time.

Healthcare providers and NDIS businesses face registration conditions, quality and safety standards obligations, mandatory incident reporting requirements, and participant rights obligations. The consequences of non-compliance include registration suspension or cancellation — which is typically an existential outcome for the business.

Food businesses operate under Australia New Zealand Food Standards Code requirements, state food safety legislation, licensing conditions, and mandatory food safety supervisor requirements in most jurisdictions. Environmental compliance obligations also apply to businesses with significant environmental footprints, including waste disposal, emissions, and contamination obligations under state environmental legislation.

How to Identify Which Obligations Apply to Your Business

The starting point for any compliance program is a compliance scope assessment — a systematic process of identifying every regulatory framework that applies to the business and the specific obligations those frameworks create. The assessment should be structured around four factors:

Business structure and size: The Corporations Act obligations apply to companies; partnership and trust obligations differ. Privacy Act APPs apply to businesses over $3M turnover or in specific sectors. Payroll tax thresholds vary by state. Superannuation payday obligations apply from 1 July 2026 regardless of size. Several key obligations scale with business size — understanding which thresholds your business has crossed is essential.

Industry and sector: Industry determines which additional regulatory frameworks apply — financial services licensing, NDIS registration conditions, food safety legislation, building licensing, real estate licensing, AML/CTF obligations, and so on. A compliance scope assessment should start with a complete mapping of all industries and activities the business engages in.

Location: While federal law is uniform across Australia, several important compliance frameworks vary by state and territory. WHS legislation differs between Victoria and harmonised jurisdictions. Payroll tax thresholds and rates vary significantly by state. Long service leave entitlements vary. Environmental obligations are primarily state-based. Businesses operating in multiple states need to manage jurisdiction-specific obligations for each.

Specific activities: Certain business activities attract specific compliance obligations regardless of industry. Handling personal information at any scale requires privacy compliance. Employing workers triggers all employment law obligations. Selling products to consumers triggers ACL consumer guarantee obligations. Each activity layer adds to the compliance obligation picture.

Managing Your Compliance Obligations

Identifying compliance obligations is only the first step. Ongoing management requires a system — not just a one-time exercise. The standard approach for Australian businesses is a compliance register: a structured record of every compliance obligation, its source, the owner responsible for ensuring it’s met, the current compliance status, and the evidence of compliance.

The Compliance Register

A compliance register is the operational backbone of any compliance program. At minimum, it should record: the specific obligation (not just the legislation, but the exact requirement — “lodge BAS by 28th day after quarter end” rather than “ATO compliance”); the source legislation or regulation; the named owner (the individual responsible for ensuring the obligation is met — not a team or department, but a named person); the current status; the review date; and the evidence of compliance. Our compliance management guide covers the register approach in detail, including templates and best practices for structuring obligations effectively.

Assigning Ownership

Every compliance obligation needs a named owner — the individual in the business who is responsible for ensuring it is met, keeping evidence current, and flagging changes. Without named ownership, obligations fall through the cracks. Ownership matters most when staff change: if compliance knowledge is recorded in the register rather than held only in one person's head, staff turnover doesn’t create compliance gaps.

Evidence and Documentation

Compliance is not just about doing the right thing — it’s about being able to demonstrate that you’ve done it. Evidence should be attached directly to specific obligations, not stored in a separate folder and referenced informally. When a regulator asks for evidence of a specific compliance requirement, the evidence should be immediately accessible and clearly linked to the obligation it satisfies. This is where dedicated compliance management software provides substantial advantages over spreadsheet-based approaches.

Monitoring Regulatory Change

Australian regulatory change is constant and consequential. A compliance obligation that was correct 12 months ago may have been superseded by legislative amendment, regulatory guidance, or judicial interpretation. The superannuation guarantee rate has changed annually. WHS guidance evolves. Privacy law is being substantially reformed. AML/CTF Tranche 2 brings major new obligations from July 2026. A compliance program that doesn’t include systematic monitoring for regulatory change will inevitably fall out of date. Lahebo’s compliance obligations framework provides a detailed approach to monitoring regulatory change and keeping obligations current as the law evolves.

Figure: How to manage business compliance obligations (the four-step approach for Australian businesses).

The Consequences of Non-Compliance

The consequences of failing to meet compliance obligations in Australia range from administrative penalties to criminal prosecution, depending on the framework and the severity of the breach.

Under the Fair Work Act, civil penalties for record-keeping contraventions can reach $93,900 per contravention for a company, with additional liability for back-payment of underpaid wages and entitlements. Under the Privacy Act, serious or repeated breaches attract penalties of up to $50 million for companies, or three times the benefit obtained, or 30% of Australian turnover — whichever is greater. WHS Category 1 offences (reckless conduct risking serious harm) carry maximum penalties of $3.6 million for a body corporate, and Category 2 offences (failure of duty of care) reach $1.8 million.

Beyond direct regulatory penalties, non-compliance creates secondary consequences: reputational damage, loss of licences, loss of contracts requiring compliance evidence, personal liability for directors and officers, and the significant cost of responding to investigations and enforcement proceedings. The total cost of a serious compliance failure — penalties plus professional fees plus remediation plus reputational damage — routinely exceeds the annual cost of systematic compliance management by orders of magnitude.

Building a Compliance Program That Works

A compliance program that actually works has five characteristics: it’s complete (covers all applicable obligations, not just the ones the business is most aware of); it’s current (updated when regulatory change occurs, not just when something goes wrong); it has clear ownership (every obligation has a named owner who is accountable); it has evidence (documented proof that each obligation is being met); and it’s producible (evidence can be compiled and presented quickly when a regulator or counterparty asks).

For small businesses with limited internal resources, the practical starting point is a well-structured spreadsheet: a compliance register with named owners, evidence links, and a quarterly review discipline. For businesses with 30 or more obligations, multiple owners, or regulatory footprints that include high-risk frameworks (AML/CTF, APRA, privacy incident response), purpose-built compliance management software is the more defensible approach — because spreadsheets don’t maintain audit trails, can’t monitor regulatory change automatically, and don’t link evidence formally to obligations.

Frequently Asked Questions

Are all Australian businesses subject to the same compliance obligations?

No. The compliance obligation picture varies by business size, structure, industry, location, and activities. Some obligations are universal — employment law applies to any business that employs people; ACL consumer guarantees apply to any business that sells goods or services. Others are threshold-based (Privacy Act APPs apply above $3M turnover or in specific sectors), industry-specific (financial services licensing, NDIS registration conditions), or state-specific (payroll tax thresholds, long service leave entitlements). The compliance scope assessment process is how businesses systematically identify which obligations apply to them specifically.

How often do compliance obligations change?

Frequently. Australian regulatory change is constant — the superannuation guarantee rate changes annually, Modern Award rates are updated each July, WHS guidance evolves, privacy law is being substantially reformed, and AML/CTF Tranche 2 brings major new obligations from July 2026. This is one of the strongest arguments for systematic compliance management: a register that was accurate 18 months ago may already be materially out of date. Without a process for monitoring and incorporating regulatory change, compliance programs silently fall behind.

What is the difference between a compliance obligation and a compliance risk?

A compliance obligation is a specific, enumerated legal requirement — something the business must do, must not do, or must be able to demonstrate. A compliance risk is the broader exposure to adverse outcomes from failing to meet obligations or from operating in ways that might attract regulatory attention. Good compliance management focuses on obligations (specific, trackable, assignable) rather than abstract risks — because obligations can be owned, monitored, evidenced, and discharged, while abstract risks cannot.

Do small businesses (under 20 staff) need a formal compliance program?

The regulatory obligations apply regardless of business size — and the consequences of non-compliance don’t scale down proportionally for small businesses. A small business without a formal compliance program still faces the same potential Fair Work penalties, privacy obligations, and WHS primary duty of care as a larger business. What scales is the appropriate tool for managing those obligations: a well-structured spreadsheet is a legitimate starting point for a very small business with simple, stable obligations, but becomes inadequate as obligations multiply, staff change, and regulatory requirements evolve.

Explore Further

This guide provides an overview of the compliance obligation landscape for Australian businesses. For more detail on specific frameworks and management approaches, explore the resources across this site — including our guides to compliance management registers and audits, our sector-specific compliance guides, and our analysis of the software tools available to Australian businesses managing compliance at scale. For businesses approaching their compliance obligations for the first time, the best starting point is a compliance scope assessment — the systematic process of identifying every obligation that applies to your business, before deciding how to manage them.
