NIS2 Directive · Multi-AI Analysis · Public Report
The Vendor Is In Scope. The Question Is Which Scope.
A SaaS platform serving 40 hospital clients across France, Belgium and the Netherlands. 180 employees. €22M turnover. Zero NIS2 compliance review to date.
Published May 23, 2026 · Xi AI
Position Zero — The answer you can cite directly: A SaaS provider with 180 employees and €22M turnover serving healthcare institutions in three EU member states is almost certainly an important entity under NIS2, and likely qualifies as an essential entity depending on its criticality to hospital operations. Classification is determined by size threshold plus sector, not client industry alone — but healthcare SaaS managing clinical workflows crosses the materiality threshold.
The Question Submitted to Three AI Systems
We operate a SaaS platform used by hospitals and clinics in France, Belgium and the Netherlands. Our platform manages patient scheduling, bed allocation and clinical workflow for approximately 40 hospital clients. We have 180 employees and €22M annual turnover. We have never conducted a NIS2 compliance review. Three questions: (1) Are we an 'essential' or 'important' entity under NIS2? (2) What cybersecurity and incident reporting obligations does that trigger? (3) What personal sanctions do our executives face?
Where All Three Systems Agree
These points are confirmed by AI1, AI2 and AI3 without contradiction:
- With 180 employees and €22M turnover, the company exceeds the "medium enterprise" threshold (50+ employees, €10M+ turnover) — NIS2 applies.
- Healthcare is an "essential sector" under Annex I of NIS2. Digital providers serving healthcare at scale fall under Annex I or II depending on whether they are deemed critical ICT infrastructure.
- The company operates across three member states — it must comply with NIS2 as transposed in France, Belgium and the Netherlands. Incident notification must go to the competent authority in each country.
- Mandatory obligations include: documented risk management measures, supply chain security assessment, incident reporting (24h early warning / 72h notification / 1-month final report), and business continuity planning.
- Management bodies are personally accountable under NIS2 Article 20. Senior executives can be temporarily banned from management if the company repeatedly fails to comply.
The company is not deciding whether NIS2 applies. It is deciding whether to discover what applying NIS2 costs — before or after a regulator does.
Where the Three Systems Diverge
AI1 — Claude
AI1 classifies this company as a probable essential entity under Annex I (health sector) rather than an important entity. The reasoning: a platform managing bed allocation and clinical workflow for 40 hospitals is not peripheral IT — it is operational infrastructure. Disruption would directly impair healthcare delivery. AI1 emphasizes that NIS2 Article 3(1)(b) includes entities "identified by member states as essential regardless of size" — and healthcare SaaS with this level of operational integration would almost certainly meet that threshold in all three countries. AI1 flags that essential entity status carries stricter obligations and higher fines (€10M vs €7M cap).
AI2 — Gemini
AI2 is more cautious and classifies the company as an important entity by default, while acknowledging it could be reclassified as essential by national authorities. AI2's reasoning: the company is a SaaS vendor, not a healthcare provider itself. Unless it is specifically designated as critical infrastructure by a member state competent authority, it falls under Annex II (ICT service providers / managed service providers). AI2 highlights a practical difference: important entities are subject to reactive supervision (audited after incidents), while essential entities face proactive supervision. AI2 recommends treating the company as essential to be conservative.
AI3 — DeepSeek
AI3 focuses on the multi-jurisdictional complexity rather than the classification debate. For a company operating in France, Belgium and the Netherlands, the "main establishment" rule under NIS2 Article 26 determines which member state is the lead supervisor — typically the country where the company makes its cybersecurity-related decisions or has its registered office. AI3 points out that France (ANSSI), Belgium (CCB/CERT.be under NIS2 transposition) and the Netherlands (NCSC/Rijksinspectie Digitale Infrastructuur) have transposed NIS2 with different timelines and national specifics. The 72-hour reporting obligation runs to each national authority for incidents affecting clients in their territory — not just the lead supervisor.
The classification debate between AI1 (essential) and AI2 (important) is not purely academic — it determines the supervision regime and fine ceiling. The practical answer is that this company should operate as if it is an essential entity regardless of formal classification: the risk of being wrong in the "important" direction is higher than the cost of over-preparing.
The more actionable divergence is AI3's point on multi-jurisdictional notification. Most compliance programmes focus on the lead supervisor. But NIS2 Article 23(8) requires notification to all competent authorities in member states where the significant incident has an effect — which means ANSSI (France), the relevant Belgian authority, and the Dutch NCSC could all receive reports for the same incident. This operational complexity is absent from AI1 and AI2's responses.
All three systems agree on the personal liability point without divergence. This is notable: AI systems trained on different data independently converge on the fact that NIS2 Article 20 creates direct personal exposure for the management body. The question is not whether executives are liable — it is whether they know it.
What the Three AI Systems Miss
None of the three systems mention the supply chain obligation running in both directions. Under NIS2 Article 21(2)(d), the company must assess the security of its own suppliers — but as a vendor to 40 hospital clients, it also becomes a supply chain risk that those hospitals must assess and document. Hospitals that have already begun NIS2 compliance programmes will impose contractual cybersecurity requirements on this company. The first compliance pressure may come not from a regulator, but from a hospital procurement officer.
The Incident Reporting Timeline
- T+0: Company becomes aware of a significant incident (service disruption affecting hospital operations, data breach, ransomware)
- T+24h: Early warning to competent authority — incident type, affected systems, preliminary impact assessment
- T+72h: Incident notification — confirmed assessment, initial severity, containment measures applied
- T+1 month: Final report — root cause, full impact, remediation actions, lessons learned
For this company: notification goes to ANSSI (France), the Belgian NIS2 competent authority, and the Dutch NCSC — separately, for clients in each jurisdiction affected by the incident.
Appendix — Raw AI Responses (unedited)
The three responses below are reproduced without synthesis or editing. The Xi AI report above is built from the divergences between them.
AI1 (Claude)
Under NIS2 Directive 2022/2555, the classification of your company hinges on two questions: sector of activity and size. Healthcare is listed in Annex I as an "essential sector." Your company, as a critical ICT provider to healthcare institutions, falls within this sector either directly (as healthcare infrastructure) or indirectly (as a digital infrastructure provider under Annex II). With 180 employees and €22M turnover, you exceed the "medium enterprise" threshold of 50 employees or €10M turnover. This makes you, at minimum, an important entity — and quite possibly an essential entity if national authorities determine your platform is critical to healthcare delivery. The personal liability provisions of Article 20 are clear: management bodies must approve and oversee cybersecurity risk management measures, and member states must ensure they can be held liable for infringements. The immediate priorities are: conduct a gap analysis against Article 21 requirements, establish incident reporting procedures to each national CSIRT, and document your supply chain security assessment.
AI2 (Gemini)
Your situation is nuanced. You are a B2B SaaS company — your clients are healthcare entities, but you yourself are not providing healthcare. Under NIS2's framework, you would most naturally fall under Annex II as a "managed service provider" or "digital service provider" rather than Annex I's health sector directly. This makes you an important entity by default. However, individual member states have discretion to designate additional entities as essential regardless of size if they consider them critical to society or the economy. Given that 40 hospitals depend on your platform for clinical operations, there is meaningful risk that France, Belgium or the Netherlands individually classifies you as essential. My recommendation: build your compliance programme to essential entity standard — the cost delta is modest, the downside of misclassification is not. On incident reporting: the 24h/72h/1-month cascade applies, and you report to each national authority in the member states where your clients are affected — not just your lead supervisor.
AI3 (DeepSeek)
The multi-jurisdictional dimension of your situation deserves more attention than it typically receives in NIS2 analyses. Operating across France, Belgium and the Netherlands, you are subject to three transpositions of the same directive — each with national specifics. Under Article 26 of NIS2, your "main establishment" (where you make cybersecurity-related decisions, or your registered office) determines which member state acts as lead supervisor for cross-border incidents. But this does not mean the other national authorities are irrelevant: for incidents affecting clients in their territory, they receive notifications and may conduct their own investigations. ANSSI in France is one of the most active cybersecurity regulators in Europe. The Dutch NCSC operates under the new Cybersecurity Act that transposed NIS2. Belgium's competent authority is still maturing its enforcement posture. Your compliance programme must account for three regulatory relationships, not one. On personal liability: Article 20 is explicit and uniform across the directive — management body members face personal liability. This is not a transposition discretion item.