FAQ n.139295

A derogation is a temporary exemption from the full requirements of a regulation. The organisation is advised to remain vigilant and, as a minimum, reassess its exposure to cybersecurity threats whenever the scope changes. In particular, the continued validity of that derogation will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.