Compliance guide

2026 Master Code Chain of Responsibility controls and compliance software

The 2026 Master Code expands Chain of Responsibility risk controls from around 150 to more than 500, shifting from role-based to activity-based guidance. Here is what operators need to do and how CoRGuard supports the workflow.

2026 Master CodeChain of Responsibility controlsCoR compliance softwareHVNL primary dutyfatigue management HVNL
A compliance manager and colleague in hi-vis vests review an expanded risk control matrix in an Australian heavy vehicle depot briefing room, with prime movers visible through the window in the truck yard outside.
GPT-generated CoRGuard article image
Published 4 July 2026/Chain of Responsibility

The 2026 Master Code is the NHVR's updated industry code of practice for Chain of Responsibility (CoR) compliance, structured around transport activities rather than individual roles and expanding the number of referenced risk controls from approximately 150 to more than 500. For Australian heavy vehicle operators, this means documented verification, risk assessment, and continuous monitoring must replace assumption-based compliance — and the evidence trail must be retrievable on demand.

Key takeaways

  • The 2026 Master Code moves from a role-based structure to an activity-based structure, meaning controls are organised around what parties do (consigning, packing, loading, driving, operating) rather than just who they are.
  • The HVNL primary duty under section 26C requires each party in the CoR to ensure safety so far as is reasonably practicable — a positive obligation, not merely an obligation to avoid harm.
  • Chapter 6 of the HVNL imposes specific fatigue duties, including the duty of employers, prime contractors, operators, and schedulers under section 264 to ensure driver compliance with work and rest requirements.
  • Operators must be able to produce documented evidence of risk controls, verification activities, and corrective actions — not simply assert that controls exist.
  • CoRGuard provides the software workflow layer for capturing, centralising, and retrieving the compliance evidence the Master Code expects, while MAEZ provides expert advisory, training, and gap-closing support where deeper risk assessment is needed.

What is the 2026 Master Code and how does it change CoR obligations?

The 2026 Master Code is the NHVR's authoritative source of information concerning safety in heavy vehicle transport. It provides guidance on managing hazards and risks, conducting risk assessments, and implementing risk controls across the Chain of Responsibility. The previous version of the Master Code referenced approximately 150 controls; the 2026 version references more than 500, giving duty holders clearer and more granular guidance on what a compliant control set looks like.

The most significant structural change is the shift from a role-based organisation to an activity-based organisation. Under the previous structure, guidance was grouped by CoR party (consignor, consignee, packer, loader, driver, operator, scheduler). The 2026 Code instead groups controls around the activities those parties perform — consigning, packing, loading, driving, scheduling, managing, and receiving. This means a single operator may need to address controls across multiple activity categories, because operators typically perform several of these activities simultaneously.

Operationally, this change matters because it shifts the compliance question from "what is my role?" to "what activities am I performing, and what controls apply to each?" An operator who also loads vehicles and schedules drivers must address controls relevant to all three activity streams, not just the operator controls.

How does the HVNL primary duty work under the current law?

The Heavy Vehicle National Law (HVNL), as currently in force, establishes the legal foundation for CoR obligations. Part 1A.1 sets out the principle of shared responsibility (section 26A), meaning every party in the transport chain shares responsibility for safety — not just the driver or the operator.

Section 26C establishes the primary duty: each party in the CoR must ensure, so far as is reasonably practicable, the safety of heavy vehicle transport activities. This is a positive duty. It requires proactive risk management, not merely avoidance of negligent conduct. The duty extends to eliminating or minimising public risks, including risks related to vehicle speed, mass, load restraint, driver fatigue, and vehicle standards.

Section 26D imposes a separate duty on executives of legal entities. An executive of a legal entity that is a party in the CoR must exercise due diligence to ensure the entity complies with its primary duty. This means executives cannot delegate away their personal exposure — they must actively understand the entity's CoR risks, verify controls, and ensure resources are allocated to compliance.

Section 26E addresses prohibited requests and contracts. A party must not make a request, enter into a contract, or impose a condition that would encourage or require another party to breach the HVNL. This provision catches indirect pressure — for example, a consignor who sets an unrealistic delivery time that effectively forces a driver to exceed fatigue limits.

Breaches of the primary duty are categorised under sections 26F and 26G. Category 1 offences involve exposing an individual to a risk of death or serious illness or injury, and carry the most severe penalties. Category 2 offences involve a substantial risk of harm. The offence categories matter because they determine both the severity of penalties and the level of scrutiny a breach will attract from the NHVR.

For a deeper treatment of the upcoming legislative changes, see What the 2026 HVNL changes mean for transport compliance systems.

What are the specific CoR duty roles under the HVNL?

The HVNL defines a broad set of parties in the Chain of Responsibility. Each party carries the primary duty in relation to the activities they influence or control. The key parties include:

  • Consignor — the party who engages a carrier to transport goods. Controls include providing accurate mass and load information and not setting delivery schedules that encourage breaches.
  • Consignee — the party receiving the goods. Controls include ensuring the receiving site can safely accommodate the vehicle and not causing unreasonable delays that push drivers into fatigue breaches.
  • Packer — the party who packs or assembles the load. Controls include ensuring the load is packed to prevent shifting and that mass is accurately declared.
  • Loader — the party who loads the vehicle. Controls include verifying mass distribution, load restraint, and dimensional compliance.
  • Driver — the party operating the vehicle. Controls include complying with work and rest requirements, conducting pre-departure checks, and not driving while fatigued.
  • Operator — the party responsible for the vehicle's operation. Controls include maintenance, vehicle standards compliance, and ensuring the vehicle is fit for purpose.
  • Scheduler — the party who plans routes and schedules. Controls include ensuring schedules are achievable within legal work and rest hours.

The 2026 Master Code's activity-based structure does not remove these role definitions from the HVNL. Rather, it organises the practical guidance for controls around the activities these roles perform, making it easier to identify which controls apply to each activity stream.

How does the Master Code's activity-based structure change risk controls?

Under the activity-based structure, operators need to map their operations against the activities they perform, not just their nominal role. For example:

  • A freight operator who loads its own trucks must address both loading controls and operator controls.
  • A prime contractor who schedules drivers must address scheduling controls in addition to operator controls.
  • A consignor who also packs goods must address both consigning and packing controls.

The expanded control set — from approximately 150 to more than 500 — means operators who previously relied on a thin checklist now need a more systematic approach. The 2026 Master Code expects documented risk assessments, implemented controls, verification that controls are working, and records of continuous monitoring.

This is where assumption-based compliance becomes insufficient. Under the previous Code, many operators could point to a policy or procedure and assert compliance. The 2026 Code's verification mandate means operators must be able to demonstrate that controls are actually in use, that they are effective, and that the evidence is available for review.

For guidance on how to operationalise these controls in daily workflow, see 2026 Master Code: turning Chain of Responsibility controls into daily workflow.

What fatigue management obligations does the HVNL impose?

Chapter 6 of the HVNL addresses driver fatigue. Part 6.2 sets out duties relating to fatigue, beginning with the definition of fatigue in section 223. The law recognises fatigue as a safety risk that must be managed, not simply an individual driver's personal responsibility.

Section 264 of the HVNL imposes a specific duty on employers, prime contractors, operators, and schedulers to ensure driver compliance with work and rest requirements. This means an operator cannot treat fatigue compliance as solely the driver's problem — the operator must actively verify that drivers are complying with their applicable work and rest hours.

The HVNL prescribes standard hours for solo drivers (section 250) and two-up drivers (section 251), as well as Basic Fatigue Management (BFM) and Advanced Fatigue Management (AFM) options for operators with accredited fatigue management systems. Breaches of fatigue requirements are categorised as minor, substantial, or severe risk breaches under section 222, with escalating penalties.

Section 293 requires drivers of fatigue-regulated heavy vehicles to carry a work diary. Sections 297 and 298 impose requirements to record information immediately after starting work and to record odometer readings. These records are the primary evidence source for fatigue compliance verification.

For operators, the practical implication is that work diary records must be checked, verified, and retained — not simply collected. NHVR enforcement activity has signalled that fatigue and driver diary checks are a focus area. See Fatigue and driver diary checks: what recent NHVR enforcement signals mean for operators for a detailed treatment.

CoRGuard currently supports fatigue and driver diary checks as part of its compliance workflow. An Electronic Work Diary module is not yet live, so operators using CoRGuard for fatigue management should use the driver diary check workflow to capture and verify paper-based work diary records.

What maintenance and vehicle standards evidence must operators keep?

The HVNL imposes vehicle standards and maintenance obligations across several parts. Part 4.2 addresses mass requirements (section 96), and Part 4.4 addresses loading requirements (section 111). Part 3.3 requires approval for modifications to heavy vehicles (section 85), meaning unapproved modifications are a breach.

For operators accredited under the National Heavy Vehicle Accreditation Scheme (NHVAS), maintenance management evidence is a core requirement. As the regulatory framework transitions from NHVAS to the Heavy Vehicle Accreditation (HVA) framework, the evidence expectations are increasing. Operators must be able to demonstrate that scheduled maintenance has been performed, that defects have been identified and rectified, and that vehicle inspection records are current.

The 2026 Master Code's activity-based structure includes maintenance and vehicle standards controls within the broader operator activity stream. This means the evidence must be linked to the risk assessment — operators need to show not just that maintenance occurred, but that the maintenance regime addresses identified risks.

For a detailed discussion of the transition and its evidence implications, see NHVAS to HVA transition: why maintenance evidence needs to be easier to prove.

How does the Master Code treat verification and documented controls?

The 2026 Master Code replaces assumption-based compliance with documented verification, audit, and continuous monitoring requirements. This shift has three practical implications:

  1. Risk assessments must be documented. Operators must record the hazards identified, the risks assessed, and the controls selected. A risk assessment that exists only in someone's head is not compliant.

  2. Controls must be verified as operating. It is not sufficient to have a policy stating that loads will be checked. The operator must be able to show evidence that load checks were performed, when, by whom, and what was found.

  3. Corrective actions must be tracked to closure. When a control fails or a defect is identified, the corrective action must be recorded, assigned, and verified as complete. Open corrective actions that linger without resolution are themselves a compliance gap.

This is where a risk register and corrective action log become the quiet backbone of audit-ready compliance. The NHVR and auditors will look for evidence that the operator is actively managing risks, not just passively recording incidents. See Corrective actions and risk registers: the quiet backbone of audit-ready compliance for a practical framework.

How CoRGuard workflows support Master Code compliance activity

CoRGuard is the SaaS implementation path for operators who need software-supported evidence of their CoR compliance activities. Where MAEZ provides expert advisory, training, chartered risk assessment, and gap-closing services, CoRGuard provides the digital workflow to capture, store, and retrieve the evidence the Master Code expects.

Specifically, CoRGuard supports the following compliance activities:

  • Fatigue and driver diary checks — operators can record work diary verification activities, flag discrepancies, and track follow-up actions. (Electronic Work Diary is not yet live; current capability covers paper-based diary checks.)
  • Maintenance evidence — scheduled maintenance, defect reports, and inspection records can be centralised and linked to vehicles and drivers.
  • Risk register — identified risks, assessed controls, and residual risk ratings can be recorded and reviewed.
  • Corrective actions — when a control fails or a gap is identified, corrective actions can be assigned, tracked, and verified as closed.
  • Document control — policies, procedures, and training records can be stored with version history and access controls.
  • Audit readiness — evidence can be retrieved by activity type, vehicle, driver, or date range, supporting both internal review and external audit.

CoRGuard does not guarantee compliance, and using the software does not remove a duty holder's legal liability. What it does is provide the workflow and evidence infrastructure that makes it practical to demonstrate the activities the Master Code requires. Operators remain responsible for the quality and accuracy of the data entered.

For an overview of how the platform works, see the Features page. For operators looking to understand how CoRGuard fits alongside their existing NHVAS obligations, see NHVAS Compliance Software.

Practical next steps: building a Master Code-aligned compliance workflow

For operators preparing for the 2026 Master Code expectations, the following steps provide a starting point:

  1. Map your activities. Identify every CoR activity your business performs — consigning, packing, loading, driving, scheduling, operating, receiving. This determines which control sets apply to you.

  2. Conduct a documented risk assessment. For each activity, identify the hazards, assess the risks, and select controls. Record this in a format that can be produced on demand.

  3. Implement controls in workflow. Ensure each control has an operational owner — someone who performs or verifies the control — and that the evidence of the control is captured.

  4. Centralise evidence. Move work diary checks, maintenance records, defect reports, and corrective actions into a single retrievable system. Fragmented evidence across spreadsheets, paper files, and individual emails is a compliance risk.

  5. Track corrective actions to closure. Every identified gap must have a recorded corrective action with an owner, a due date, and verification of completion.

  6. Review and update the risk register regularly. The Master Code expects continuous monitoring, not a one-time assessment. Schedule periodic reviews and record the outcomes.

  7. Prepare for audit. Test your evidence retrieval by simulating an audit request. If you cannot produce the evidence quickly, the system needs improvement.

For operators who need expert guidance on gap assessment, risk assessment methodology, or training for CoR duty holders, MAEZ provides the advisory layer. For operators ready to implement the software evidence workflow, CoRGuard at chainresponsibility.au provides the SaaS platform. For a broader discussion of what to centralise before an audit, see Audit-ready evidence: what transport operators should centralise before review.

Frequently asked questions

What is the 2026 Master Code?

The 2026 Master Code is the NHVR's updated industry code of practice for Chain of Responsibility compliance. It provides guidance on managing hazards and risks, conducting risk assessments, and implementing risk controls. The 2026 version moves from a role-based to an activity-based structure and expands the referenced controls from approximately 150 to more than 500.

Does the 2026 Master Code create new legal obligations?

The Master Code itself is not legislation — it is an industry code of practice that provides guidance on how to meet the existing legal duties under the HVNL. However, the HVNL primary duty (section 26C) already requires each CoR party to ensure safety so far as is reasonably practicable. The Master Code provides the practical framework for demonstrating that this duty has been met. Courts and regulators may treat adherence to (or departure from) the Code as evidence of whether a party took reasonably practicable steps.

What is the difference between the HVNL and the Master Code?

The HVNL is the law — it creates the legal duties, offences, and penalties. The Master Code is guidance — it explains how to comply with those duties in practice. The HVNL is enacted through state application legislation (for example, the Heavy Vehicle National Law Act 2012 in Queensland) and is current as at 19 February 2024. HVNL updates are due on 1 August 2026 and are future-effective until that date.

Can compliance software guarantee CoR compliance?

No. Compliance software does not guarantee compliance and does not remove a duty holder's legal liability. Software like CoRGuard provides the workflow infrastructure to capture, centralise, and retrieve the evidence that compliance activities have been performed. The duty holder remains responsible for the accuracy of the data, the appropriateness of the controls, and the ongoing management of risks.

Is CoRGuard's Electronic Work Diary available?

No. CoRGuard's Electronic Work Diary (EWD) module is not yet live. Current fatigue management capability covers driver diary checks — operators can use CoRGuard to record, verify, and track paper-based work diary records in line with HVNL Chapter 6 requirements, including section 293 (driver must carry work diary) and section 264 (duty of employer, prime contractor, operator, and scheduler to ensure driver compliance).

Who needs to use the 2026 Master Code?

Any party in the Chain of Responsibility — consignors, consignees, packers, loaders, drivers, operators, schedulers, and executives of legal entities — should refer to the 2026 Master Code. The activity-based structure means the relevant controls depend on what activities each party performs, not just their nominal title. Operators who perform multiple activities (loading, scheduling, driving, operating) must address the controls for each activity stream.

How does MAEZ relate to CoRGuard?

MAEZ is the expert advisory, training, chartered risk, and gap-closing offering. CoRGuard at chainresponsibility.au is the SaaS implementation path where software evidence is needed. MAEZ helps operators understand their obligations, assess gaps, and build risk management frameworks. CoRGuard provides the digital workflow to operationalise and evidence those frameworks. They are complementary — MAEZ for expertise, CoRGuard for implementation.

Frequently asked questions

Practical answers

What is the 2026 Master Code?
The 2026 Master Code is the NHVR's updated industry code of practice for Chain of Responsibility compliance. It provides guidance on managing hazards and risks, conducting risk assessments, and implementing risk controls. The 2026 version moves from a role-based to an activity-based structure and expands the referenced controls from approximately 150 to more than 500.
Does the 2026 Master Code create new legal obligations?
The Master Code itself is not legislation — it is an industry code of practice providing guidance on how to meet existing HVNL duties. The HVNL primary duty under section 26C already requires each CoR party to ensure safety so far as is reasonably practicable. The Master Code provides the practical framework for demonstrating that duty has been met, and regulators may treat adherence to or departure from the Code as evidence of reasonably practicable steps.
What is the difference between the HVNL and the Master Code?
The HVNL is the law that creates legal duties, offences, and penalties. The Master Code is guidance explaining how to comply with those duties in practice. The HVNL is applied as law in participating jurisdictions (for example, via the Heavy Vehicle National Law Act 2012 in Queensland) and is current as at 19 February 2024. HVNL updates due 1 August 2026 are future-effective until that date.
Can compliance software guarantee CoR compliance?
No. Compliance software does not guarantee compliance and does not remove a duty holder's legal liability. Software like CoRGuard provides workflow infrastructure to capture, centralise, and retrieve evidence that compliance activities have been performed. The duty holder remains responsible for data accuracy, control appropriateness, and ongoing risk management.
Is CoRGuard's Electronic Work Diary available?
No. CoRGuard's Electronic Work Diary module is not yet live. Current fatigue management capability covers driver diary checks — operators can use CoRGuard to record, verify, and track paper-based work diary records in line with HVNL Chapter 6 requirements, including section 293 (driver must carry work diary) and section 264 (duty of employer, prime contractor, operator, and scheduler to ensure driver compliance).
Who needs to use the 2026 Master Code?
Any party in the Chain of Responsibility — consignors, consignees, packers, loaders, drivers, operators, schedulers, and executives of legal entities — should refer to the 2026 Master Code. The activity-based structure means relevant controls depend on what activities each party performs. Operators who perform multiple activities such as loading, scheduling, driving, and operating must address controls for each activity stream.
How does MAEZ relate to CoRGuard?
MAEZ is the expert advisory, training, chartered risk, and gap-closing offering. CoRGuard at chainresponsibility.au is the SaaS implementation path where software evidence is needed. MAEZ helps operators understand obligations, assess gaps, and build risk management frameworks. CoRGuard provides the digital workflow to operationalise and evidence those frameworks. They are complementary — MAEZ for expertise, CoRGuard for implementation.

See how CoRGuard handles your compliance workflow

Book a short demo and we will map CoRGuard to your fleet, depots, drivers, contractors, NHVAS obligations, and Chain of Responsibility risk points.