In accordance with RFC 2119, two types of requirements are specified in this standard:

If a requirement has a recommendation-like nature, it does not need to be implemented if justifiable reasons exist. Recommendations that are specified with “CAN” are aimed at applications with increased protection requirements or an increased risk profile.

Exceptions to complying with mandatory requirements must be approved by the relevant IT security function.