NIS2: why your EU client will ask for your disaster recovery plan (even if you are in Mauritius)

The EU's NIS2 directive does not directly apply to a Mauritian company. But it requires its European clients to secure their entire supply chain, and that obligation flows down through contracts to suppliers wherever they operate. If you serve clients in Europe, their resilience questionnaires will eventually land on your desk — better to be ready before they arrive.
NIS2 in short: from cybersecurity to mandatory resilience
NIS2 is the European directive on the security of network and information systems. It considerably widens the scope of the first NIS directive: more sectors covered (energy, transport, health, digital services, finance, public administration, plus many mid-sized "important" entities) and far more concrete obligations.
Entities in scope must demonstrate, among other things:
- documented risk management, approved by top management;
- incident handling with short notification deadlines to the authorities;
- business continuity: backups, disaster recovery, crisis management;
- supply chain security — meaning the security of their suppliers.
Non-compliance exposes them to significant financial penalties and makes executives personally liable. That last point is what changes behaviour: a personally liable executive no longer signs a supplier contract without guarantees.
The cascade effect: why a non-EU supplier is concerned
The lever that reaches you is supply chain security. An entity regulated under NIS2 must assess the risks its providers create for its own resilience, and address them contractually. The directive therefore does not stop at the EU border: it travels through contracts.
In practice, a software vendor, a shared services centre, a BPO provider or a managed services company based in Mauritius that works for a French, German or Belgian client within NIS2 scope will sooner or later receive:
- a security due diligence questionnaire, often long and detailed;
- contract clauses: incident notification, continuity commitments, audit rights;
- requests for evidence: test reports, certificates, written policies.
And even where the legal obligation is debatable, the commercial reality is not: between two otherwise equivalent suppliers, the regulated client will pick the one that can prove its resilience. Failing to answer a NIS2 questionnaire — or answering it poorly — is becoming a reason to be excluded from tenders.
What your clients will actually ask you for
Questionnaires vary from one client to another, but the same requirements come up every time:
- Incident notification: a commitment to alert your client within a short window (often 24 to 72 hours) when an incident affects their service or their data, so they can meet their own regulatory deadlines.
- A documented and tested DR plan: not just a document, but dated exercises with measured RTO and RPO. A disaster recovery plan that has genuinely been tested, restoration included, is worth more than any statement of intent.
- Protected backups: isolated or immutable copies, because backups have become ransomware's favourite target.
- Access control: MFA everywhere, privileged account management, logging of administrative actions.
- Your own subcontractors: the cascade continues — you will need to show how you govern your hosting provider, your contractors and your SaaS tools.
- A named security contact: someone reachable, with a defined escalation process.
Turning the constraint into a commercial advantage
Most suppliers deal with these questionnaires in a rush, at contract renewal time. The smarter ones invert the logic: they build a permanent evidence file — policies, DR exercise reports, incident register, subcontractor map — and keep it up to date all year round.
The benefits are immediate: questionnaires answered in days rather than weeks, a stronger position when negotiating clauses, and a genuine sales argument against competitors who have nothing to show. This is the kind of evidence file a managed services partner like SOVALYX builds with its clients: a DR plan tested under SLA, continuous monitoring and exercise reports that answer NIS2's continuity requirements point by point.
One warning: never contractually promise an RTO or a notification deadline your infrastructure cannot meet. An untenable clause is worse than no clause at all, because it engages your liability.
Supplier checklist: ready for the NIS2 questionnaire?
- We know which of our clients (direct or indirect) fall within NIS2 scope.
- We have a written security policy, reviewed and approved by management.
- Our disaster recovery plan is documented, with RTO and RPO defined per application.
- Our last restoration test is less than six months old and its report is available.
- Our backups include at least one isolated or immutable copy.
- A client incident notification process is defined, with a precise deadline and channel.
- MFA is enabled everywhere, including for administrator and remote access.
- Our own critical subcontractors are inventoried and assessed.
- A security contact is designated, with a named backup person.
- Our contractual commitments (RTO, notification) match our measured capabilities.
If several boxes remain unticked, deal with them before the first questionnaire arrives: a resilience assessment takes a few days — a damaged client relationship takes far longer to repair.
How SOVALYX can help
SOVALYX helps Mauritian suppliers build this evidence file before the first questionnaire arrives. An infrastructure diagnostic identifies your gaps against NIS2-style requirements, then an automated, regularly tested disaster recovery plan produces the dated exercise reports your clients expect. With 24/7 monitoring under SLA, you can commit to incident notification deadlines and RTOs your infrastructure actually meets, instead of signing untenable clauses.
Talk compliance with an engineer🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.
Reviewed and optimised by AI.