NIS2: why your EU client will ask for your disaster recovery plan (even if you are in Mauritius)

· 4 min read · SOVALYX Technologies

SHARE

The EU's NIS2 directive does not directly apply to a Mauritian company. But it requires its European clients to secure their entire supply chain, and that obligation flows down through contracts to suppliers wherever they operate. If you serve clients in Europe, their resilience questionnaires will eventually land on your desk — better to be ready before they arrive.

NIS2 in short: from cybersecurity to mandatory resilience

NIS2 is the European directive on the security of network and information systems. It considerably widens the scope of the first NIS directive: more sectors covered (energy, transport, health, digital services, finance, public administration, plus many mid-sized "important" entities) and far more concrete obligations.

Entities in scope must demonstrate, among other things:

Non-compliance exposes them to significant financial penalties and makes executives personally liable. That last point is what changes behaviour: a personally liable executive no longer signs a supplier contract without guarantees.

The cascade effect: why a non-EU supplier is concerned

The lever that reaches you is supply chain security. An entity regulated under NIS2 must assess the risks its providers create for its own resilience, and address them contractually. The directive therefore does not stop at the EU border: it travels through contracts.

In practice, a software vendor, a shared services centre, a BPO provider or a managed services company based in Mauritius that works for a French, German or Belgian client within NIS2 scope will sooner or later receive:

And even where the legal obligation is debatable, the commercial reality is not: between two otherwise equivalent suppliers, the regulated client will pick the one that can prove its resilience. Failing to answer a NIS2 questionnaire — or answering it poorly — is becoming a reason to be excluded from tenders.

What your clients will actually ask you for

Questionnaires vary from one client to another, but the same requirements come up every time:

Turning the constraint into a commercial advantage

Most suppliers deal with these questionnaires in a rush, at contract renewal time. The smarter ones invert the logic: they build a permanent evidence file — policies, DR exercise reports, incident register, subcontractor map — and keep it up to date all year round.

The benefits are immediate: questionnaires answered in days rather than weeks, a stronger position when negotiating clauses, and a genuine sales argument against competitors who have nothing to show. This is the kind of evidence file a managed services partner like SOVALYX builds with its clients: a DR plan tested under SLA, continuous monitoring and exercise reports that answer NIS2's continuity requirements point by point.

One warning: never contractually promise an RTO or a notification deadline your infrastructure cannot meet. An untenable clause is worse than no clause at all, because it engages your liability.

Supplier checklist: ready for the NIS2 questionnaire?

If several boxes remain unticked, deal with them before the first questionnaire arrives: a resilience assessment takes a few days — a damaged client relationship takes far longer to repair.

How SOVALYX can help

SOVALYX helps Mauritian suppliers build this evidence file before the first questionnaire arrives. An infrastructure diagnostic identifies your gaps against NIS2-style requirements, then an automated, regularly tested disaster recovery plan produces the dated exercise reports your clients expect. With 24/7 monitoring under SLA, you can commit to incident notification deadlines and RTOs your infrastructure actually meets, instead of signing untenable clauses.

Talk compliance with an engineer

🧰 The companion tool: Are you ready for the AI Act? — free · 2 minutes.

Reviewed and optimised by AI.