FAQ n.139295

If my organisation receives a derogation, does this mean that it is exempted from compliance with Part IS?


A derogation is a temporary exemption from the full requirements of a regulation. The organisation is advised to remain vigilant and, as a minimum, reassess its exposure to cybersecurity threats whenever the scope changes. In particular, the continued validity of that derogation will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.
