If my organisation receives a derogation, does this mean that it is exempted from compliance with Part-IS?
Answer
A derogation is a temporary exemption from the full requirements of the Regulation. The organisation is advised to remain vigilant and, as a minimum, reassess its exposure to cybersecurity threats whenever the scope changes. In particular, the continued validity of that approval will be reviewed by the competent authority following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.
There are a few requirements that still apply or partially apply to a derogated organisation. More information on this and the derogation process.
Last updated
22/08/2025