Rules Mate
PlaybooksBottom-funnel persona playbook

Compliance playbook for transport and logistics operators

Heavy Vehicle National Law + chain of responsibility, fatigue management with work-diary obligations, High Risk Work Licences (forklift, crane, hoist), CoR insurance, state Security of Payment Acts if subcontracting, Biosecurity Act 2015 + Customs Act 1901 imports/exports, dangerous goods (UN ADG Code), AS/NZS safety standards, maritime obligations (Navigation Act 2012 + AMSA Marine Orders) for shipping, aviation obligations (CASR Parts 121/135/137 + DAMP under Part 99) for airfreight, workers' compensation by state, Privacy Act for telematics data — every obligation a road, sea, or air freight operator carries.

20 obligations4 deadlines22 cross-linked articles

Key deadlines — next 12 months

  • 28 September 2026SOCI CIRMP board attestation
  • 1 July 2026Payday Super starts (per-pay-event SG)
  • Within 12 / 72 hoursSOCI cyber-incident report (significant / other)
  • Within 72 hoursRansomware payment report (Cyber Security Act 2024)
  • Per HRWL cycleHigh Risk Work Licence renewal (5-year)
  • Per tripWork Diary + Load Restraint compliance

Does this apply to me?

Answer yes to any of the below and the obligations in this playbook are likely relevant.

  • 1Do you operate a heavy vehicle of gross vehicle mass (GVM) over 4.5 tonnes (Heavy Vehicle National Law applies in all jurisdictions except WA + NT)?
  • 2Are you part of a 'chain of responsibility' as a consignor, packer, loader, scheduler, prime contractor, operator, driver, or unloader under Chapter 1A of the HVNL?
  • 3Do your workers operate equipment requiring a High Risk Work Licence (forklift LF, scissor lift LS, mobile crane CN/CV/CO/CB, dogman DG, rigger RB/RI/RA, hoist HO, scaffolding SB/SI/SA, boiler, pressure equipment)?
  • 4Do you import or export goods through Australian Border Force (Customs Act 1901, ICS, Tariff Act, anti-dumping)?
  • 5Do you store, transport or handle dangerous goods (UN classified, ADG Code 7.8) by road, rail, sea or air?
  • 6Do you operate a shipping or maritime fleet (Navigation Act 2012, AMSA Marine Orders, Domestic Commercial Vessel National Law)?
  • 7Do you operate aircraft for hire or reward (CASA — CASR Parts 121, 135, 137; DAMP under CASR Part 99)?

Plain English summary

Transport and logistics carry a regulatory load proportional to safety risk — and Australian regulators have moved consistently to push accountability up the chain rather than just down to drivers. The Heavy Vehicle National Law (HVNL) created the chain of responsibility framework: consignors, packers, loaders, schedulers, prime contractors, operators, drivers, unloaders are each separately liable for safe loads, safe schedules, and safe vehicles. The HVNL applies in NSW, VIC, QLD, SA, TAS, ACT — WA and NT operate parallel state regimes.

Fatigue management is mandatory for any 12-tonne+ vehicle (Fatigue Regulated Heavy Vehicle). Standard hours, Basic Fatigue Management (BFM), and Advanced Fatigue Management (AFM) regimes each set rest/work limits with a Work Diary requirement (paper or Electronic Work Diary). Drivers must record + retain records; operators verify; consignors and schedulers must not require unsafe schedules.

Dangerous goods (UN-classified Classes 1-9) by road and rail are governed by the Australian Dangerous Goods Code Edition 7.8 (ADG Code), administered through state DG regulators + the National Transport Commission. Marine DG = IMDG Code (administered by AMSA). Air DG = IATA DGR (administered by CASA). Each layer is distinct and the operator typically holds all three simultaneously.

This playbook lists every obligation a road, sea, or air freight operator carries today, the section of the Act it sits under, who is accountable, the cadence, the maximum penalty, and a regulator-direct source. Cross-link to the compliance calendar and the penalty estimator.

Obligation checklist

Every obligation cites the Act and section. Source URLs link to the regulator's portal — Rules Mate does not republish statutory text.

  1. 1

    Heavy Vehicle National Law (HVNL), Chapter 1A — Chain of Responsibility

    Each party in the chain (consignor, packer, loader, scheduler, prime contractor, operator, driver, unloader) has a positive duty to do all things reasonably practicable to ensure compliance with mass, dimension, loading, speed, fatigue, vehicle standards. Document a CoR-aligned safety management system.

    Who's responsible
    Director / CEO + Safety Manager + each party in the chain
    Frequency
    Continuous
    Penalty
    Category 1 (most serious): up to ~$3M (corporate) + 5 years imprisonment individual; Category 2: ~$1.5M corporate; Category 3: ~$300K corporate.
    Full obligation page →
  2. 2

    HVNL, Chapter 6 — Fatigue management + Work Diary

    For Fatigue Regulated Heavy Vehicles (12-tonne+ GVM): driver must complete Work Diary (paper or Electronic Work Diary) recording rest, work, and standard/BFM/AFM regime. Operator must verify diary completion, schedule within hours limits, store records for 3 years.

    Who's responsible
    Driver + Operator + Scheduler
    Frequency
    Per trip; ongoing record retention
    Penalty
    Up to ~$10,650 fine per breach (penalty units); CoR escalation; demerit-point system.
  3. 3

    Work Health and Safety (model) Act 2011, Pt 3 — High Risk Work Licences

    Workers operating high-risk work (forklift LF, scissor lift LS, mobile crane CN/CV/CO/CB, slewing crane C2/C6/CT/CN, dogman DG, rigger RB/RI/RA, scaffolding SB/SI/SA, hoist HO, boiler, pressure equipment) must hold the relevant National HRWL issued by the state WHS regulator. Operator must verify.

    Who's responsible
    Operator + Site Supervisor
    Frequency
    Per worker; HRWL valid 5 years
    Penalty
    Category 1: up to ~$3.85M corporate + 5 years; civil penalty per unauthorised operation.
  4. 4

    Australian Dangerous Goods Code (ADG Code) Edition 7.8 + state DG Acts

    Classify, package, mark, placard, document (transport document + emergency response info), drive (DG licence holder), store DG (Classes 1-9) by road and rail. Apply ADG-Code-aligned consignment procedures + driver licensing + DG vehicle registration.

    Who's responsible
    DG Manager + Driver + Consignor
    Frequency
    Per consignment
    Penalty
    State DG Act civil penalty per breach; cross-border CoR exposure.
  5. 5

    Biosecurity Act 2015 (Cth) — imports + agricultural quarantine

    For imports: declare biosecurity risk goods; cooperate with Biosecurity Officer inspections; arrange treatment / destruction of non-compliant cargo; comply with conditions of import permits. Apply Approved Arrangement protocols where authorised.

    Who's responsible
    Imports Manager + Compliance
    Frequency
    Per shipment
    Penalty
    Civil penalty up to ~$10.6M (corporate) for serious contraventions; criminal offences.
  6. 6

    Customs Act 1901 (Cth) + Customs Tariff Act 1995 — import + export declarations

    Lodge Import Declarations (IDs) via the Integrated Cargo System (ICS) for goods >$1,000. Lodge Export Declarations (EDs) for goods >$2,000. Comply with tariff classification, valuation, anti-dumping, country-of-origin rules. ABF authority for cargo terminal facilitation.

    Who's responsible
    Customs Broker + Imports/Exports Manager
    Frequency
    Per shipment
    Penalty
    Customs Act penalty regime; underpaid duty + administrative penalty; ABF seizure power.
    Full obligation page →
  7. 7

    Navigation Act 2012 (Cth) + AMSA Marine Orders + Domestic Commercial Vessel National Law

    For shipping or maritime fleet: comply with applicable Marine Orders (Parts 1-105) — survey, certificates, crewing, safety equipment, pollution. Domestic Commercial Vessel National Law (DCV NL) applies to most coastal vessels — AMSA-issued Certificate of Survey + Certificate of Operation.

    Who's responsible
    Vessel Operator / Master + Designated Person Ashore
    Frequency
    Continuous; survey + certificate cycles
    Penalty
    Civil penalty per Marine Order; AMSA enforcement; potential vessel detention.
    Full obligation page →
  8. 8

    Civil Aviation Safety Regulations 1998 — Parts 121, 135, 137 — air operator certificates

    For commercial aircraft operations: hold the relevant Air Operator's Certificate (AOC) under CASR Part 121 (large RPT >19 pax), Part 135 (small charter / aeromedical / aerial work), Part 137 (aerial agricultural). Maintain Operations Manual, Training and Checking, Safety Management System.

    Who's responsible
    Chief Pilot + Head of Operations + Accountable Manager
    Frequency
    Continuous; AOC variation per fleet change
    Penalty
    AOC suspension/cancellation; criminal offences for unauthorised operations; civil penalty under CASR.
  9. 9

    CASR Part 99 — Drug and Alcohol Management Plan (DAMP)

    Aviation operators must maintain a Drug and Alcohol Management Plan covering safety-sensitive aviation activities (pilots, cabin crew, engineers, ATCs, aerodrome safety). Random testing, post-incident testing, return-to-work protocols.

    Who's responsible
    DAMP Coordinator + Chief Pilot
    Frequency
    Continuous; testing cycle
    Penalty
    Civil penalty + criminal offence for positive tests of safety-sensitive personnel; AOC consequences.
  10. 10

    Work Health and Safety Act 2011 (model) — primary duty of care

    PCBU duty: ensure (so far as reasonably practicable) the health and safety of workers and others — workshop safety, manual handling, traffic management, hazardous chemicals, working at heights, plant. Notify the WHS regulator of notifiable incidents.

    Who's responsible
    Operator + WHS Manager
    Frequency
    Continuous
    Penalty
    Category 1: up to ~$3.85M (corporate) + 5 years imprisonment individuals; industrial-manslaughter exposure in most states.
  11. 11

    State workers' compensation Acts — Workers Compensation Act 1987 (NSW) / WIRC Act 2013 (Vic) / WCRA 2003 (Qld) / Workers' Compensation and Injury Management Act 1981 (WA)

    Hold workers' compensation insurance with the relevant state insurer (icare NSW; WorkCover Vic; WorkCover Qld; Insurance Commission WA; ReturnToWorkSA). Cooperate with claims management + return to work obligations.

    Who's responsible
    HR + Finance
    Frequency
    Annual policy renewal; per-claim management
    Penalty
    State criminal offences for uninsured operation; civil penalty per state Workers Comp Act.
  12. 12

    Security of Payment Acts — Building and Construction Industry Security of Payment Act 1999 (NSW) / Building Industry Fairness (Security of Payment) Act 2017 (Qld) / BCISP Acts (Vic, WA, SA, TAS, ACT, NT)

    If subcontracted on construction (including freight logistics for construction projects), serve and respond to Payment Claims + Payment Schedules within statutory timeframes; refer disputes to Adjudication. Some state Acts apply to logistics-adjacent construction services.

    Who's responsible
    CFO + Operations Manager
    Frequency
    Per payment cycle (typically monthly)
    Penalty
    Failure to respond: respondent liable for full claim; claimant can suspend works; lien rights.
  13. 13

    Fair Work Act 2009 (Cth) + Road Transport and Distribution Award (MA000038) / Transport (Cash in Transit) Award (MA000042) / Road Transport (Long Distance Operations) Award (MA000039)

    Comply with applicable Modern Award rates + allowances (overnight, meal, broken shift). From 26 August 2024: 'employee-like' regulated worker regime applies to gig + on-demand transport workers under Fair Work Act Pt 3A-1.

    Who's responsible
    HR + Payroll
    Frequency
    Continuous
    Penalty
    Civil penalties; Fair Work Ombudsman enforcement; underpayment criminalised under Closing Loopholes from 1 January 2025.
  14. 14

    Fair Work Act 2009 (Cth), Pt 3A-1 — Regulated workers in road transport

    Owner-driver and gig-economy transport workers may be 'employee-like' workers and 'regulated road transport contractors' under the Closing Loopholes No. 2 reforms. Fair Work Commission can set minimum standards through Road Transport Industry Award + Road Transport Contractual Chain Order.

    Who's responsible
    Operations + Contractor Engagement
    Frequency
    Continuous
    Penalty
    Civil penalty for underpayment; FWO enforcement; sham contracting penalties.
  15. 15

    Privacy Act 1988 (Cth) — telematics, GPS, in-cab cameras, driver biometrics

    Telematics data (GPS, speed, harsh-braking events), in-cab cameras, fatigue-detection biometrics are personal information. Maintain Privacy Policy (APP 1), collection notice (APP 5), secure storage (APP 11). Workplace surveillance state Acts (NSW + ACT) also apply.

    Who's responsible
    Privacy Officer + Fleet Manager
    Frequency
    Continuous
    Penalty
    Up to $50M / 3× benefit / 30% turnover.
  16. 16

    Cyber Security Act 2024 (Cth) — ransomware payment reporting

    From 30 May 2025: entities with annual turnover above $3M (and all critical-infrastructure entities) must report ransomware payments to the Department of Home Affairs within 72 hours of payment.

    Who's responsible
    CISO + GC
    Frequency
    Event-driven
    Penalty
    Civil penalty (60 penalty units, ~$19,800).
  17. 17

    Security of Critical Infrastructure Act 2018 (Cth) — transport sector

    Transport sector (freight infrastructure, freight services, public transport) is captured by SOCI Pt 2A reforms. Responsible entities must register critical assets, adopt CIRMP, give board attestation by 28 September each year, and report cyber incidents (12 / 72 hours) to ASD ACSC.

    Who's responsible
    Board + CISO
    Frequency
    Annual attestation + ongoing CIRMP
    Penalty
    Civil penalty up to ~$1.565M (corporate) per contravention.
    Full obligation page →
  18. 18

    Modern Slavery Act 2018 (Cth), s 5 — reporting entity

    Where consolidated revenue is AUD $100M or more: lodge an annual Modern Slavery Statement on the Modern Slavery Statements Register within 6 months of the end of the reporting period. Apply diligence to global freight supply chain.

    Who's responsible
    CFO + Company Secretary
    Frequency
    Annual
    Penalty
    Public listing on register; civil penalties proposed under Modern Slavery Amendment Bill 2024.
    Full obligation page →
  19. 19

    AS/NZS 4602.1:2011 — High Visibility Safety Garments

    Provide and require high-visibility garments meeting AS/NZS 4602.1:2011 for workers in road, rail, depot, and worksite environments. Industry-standard PPE under WHS Reg 44.

    Who's responsible
    WHS Officer + Site Supervisor
    Frequency
    Per worker; on engagement; periodic replacement
    Penalty
    WHS Act penalty for inadequate PPE; CoR escalation if linked to a serious incident.
  20. 20

    Heavy Vehicle (Mass, Dimension and Loading) National Regulation

    Configure heavy vehicles within mass, dimension, axle-loading, and loading limits. Permits required for over-dimension/over-mass operations. Loading restraint per Load Restraint Guide 2018.

    Who's responsible
    Loader + Operator + Driver
    Frequency
    Per trip
    Penalty
    Substantial: minor breach ~$330, substantial breach ~$3,300, severe breach ~$22,000+; CoR exposure on all parties.

Deadlines

Pulled from the Rules Mate compliance calendar. Click through for the full deadline page.

Forms and regulator portals

Direct links to the lodgement forms and regulator portals. Rules Mate does not host copies — we link to the official source.

  • NHVR — operator + driver portal

    Heavy Vehicle Accreditation Scheme registration, permits, mass-dimension applications.

    Open portal →

  • Australian Border Force — Integrated Cargo System (ICS)

    Lodge Import / Export Declarations; track tariff and excise.

    Open portal →

  • Department of Agriculture, Fisheries and Forestry — Biosecurity Import Conditions database (BICON)

    Check biosecurity conditions for goods + apply for import permits.

    Open portal →

  • AMSA — Marine Survey + Certificate of Operation portal

    DCV registration, survey arrangements, Certificate of Operation issue.

    Open portal →

  • CASA — Aviation Reference Number portal

    Aviation Reference Number, AOC variations, DAMP submissions.

    Open portal →

  • ASD ACSC — cyber incident reporting

    Lodge SOCI mandatory cyber-incident notifications (12 / 72 hours).

    Open portal →

Free tools that help

Interactive Rules Mate tools matched to this persona.

Compliance calendar builder

Use tool →

Penalty estimator

Use tool →

Modern Slavery statement scaffold

Use tool →

Modern Slavery threshold

Use tool →

Cyber incident notifications

Use tool →

Essential Eight maturity check

Use tool →

Privacy Act 2026 readiness

Use tool →

What changes 2025–2026

26 August 2024 → 26 August 2025 — Closing Loopholes 'employee-like' workers

The Closing Loopholes No. 2 reforms introduced the regulated-worker regime for road transport contractors + gig delivery workers. FWC can set minimum standards through Road Transport Industry Award + Contractual Chain Orders.

30 May 2025 — Cyber Security Act ransomware reporting

Entities above $3M turnover (and all critical-infrastructure entities) must report ransomware payments to Home Affairs within 72 hours.

28 September annually — SOCI board attestation

Transport-sector responsible entities lodge the CIRMP annual board attestation. Material risk-management uplift each cycle.

1 July 2026 — Payday Super starts

Super Guarantee shifts from quarterly to per-pay-event. Significant payroll change for owner-driver + contract-driver fleets.

Ongoing — HVNL Review

The Heavy Vehicle National Law is under a major review. Expect substantial amendments through 2025-2026 covering fatigue management, mass-dimension rules, and accreditation.

1 July 2026 — ASRS Group 2 reporting

Year-1 ASRS reporting begins for larger transport operators (>$200M revenue / $500M assets / 250 employees, two of three).

10 December 2026 — Privacy Act ADM transparency

Telematics-driven decision-making (dispatch, route, performance management) using AI / algorithm must be disclosed in the APP 1 Privacy Policy.

Ongoing — National Transport Commission Australian Dangerous Goods Code refresh

The ADG Code Edition 7.8 is current; Edition 8.0 in development with expected publication mid-decade.

In-depth reading

22 Rules Mate articles tagged to this playbook.

Frequently asked

We operate in WA only — does HVNL chain of responsibility apply?

Not directly — WA + NT remained outside the HVNL. WA operates under the Road Traffic Act 1974 + Road Traffic (Vehicles) Act 2012 + parallel regulations administered by Main Roads WA, but the substantive CoR concepts are mirrored. NT operates similarly. If you operate cross-border, HVNL applies in the HVNL jurisdictions and parallel state law in WA/NT.

What counts as 'reasonably practicable' under CoR?

The same s 18 WHS Act formulation — what was reasonably practicable in the circumstances at the time, considering the likelihood of harm, the degree of harm, what you knew or ought reasonably to have known, and the availability and suitability of ways to eliminate or minimise the risk. CoR-aligned safety management systems (consignor scheduling SOPs, loader-checks, fatigue-management plans) are the typical evidence package.

Owner-driver — are they an employee or contractor?

Often genuinely a contractor — but the Closing Loopholes 'employee-like' worker regime added a hybrid category. Owner-drivers in road transport providing on-demand services through digital platforms can be regulated road transport contractors. FWC can set minimum-standards orders. The contract characterisation question (Personnel Contracting + Jamsek HCA tests) still applies for employee/contractor at general law.

Dangerous goods — how do road, marine, and air differ?

Three different codes: road + rail = ADG Code (NTC + state regulators); marine = IMDG Code (AMSA / IMO); air = IATA DGR (CASA + IATA). All derive from the UN Recommendations on the Transport of Dangerous Goods Model Regulations. Same classification framework, different operational rules. Many freight forwarders carry all three accreditations.

Biosecurity Approved Arrangement — what's the benefit?

An Approved Arrangement under s 406 of the Biosecurity Act lets you carry out specified biosecurity activities (inspect, treat, manage cargo) at your own premises under DAFF oversight — instead of waiting for a Biosecurity Officer. Reduces time-on-water and lowers cost. Application process is rigorous.

If we're carrier of choice on a construction project, do SOPA rules apply?

Possibly. The state Security of Payment Acts cover 'construction work' and 'related goods and services' — and the definitions reach into supply of plant + materials to construction sites. State-by-state coverage varies; transport services for construction projects can be inside the regime in NSW + Vic. Adjudication runs short timeframes — strict compliance is essential.

Does SOCI really capture mid-size freight operators?

The transport sector is a 'critical infrastructure sector' under SOCI Pt 2A but specific assets are designated by Rules. Freight infrastructure (ports, rail, freight terminals) and freight services above scale are captured. Many mid-size road freight operators are not 'responsible entities' for declared assets. The Cyber and Infrastructure Security Centre (CISC) operates a portal to confirm classification.

Free assessment

Get a personalised obligation list

2-minute structured check tailored to your business.

AI advisor (waitlist)

Ask any compliance question

Coming Phase 2 — grounded answers with citations.

Last verified: 9 June 2026

Rules Mate provides citation-first reference material, not legal advice. Always consult a qualified professional for specific obligations.