The comply-or-explain principle is a central element of most codes of corporate governance. Originally put forward by the Cadbury Committee in the UK as a practical means of establishing a code of corporate governance whilst avoiding an inflexible “one size fits all” approach, it has since been incorporated into code regimes around the world. Companies can either comply with code provisions or explain why they do not comply, i.e., why they deviate from a code provision. Despite its wide application, very little is known about the ways in which comply-or-explain is used. In addressing this, we employ legitimacy theory, by which explanations for deviating can be understood as means of legitimizing the company’s actions. We analyzed the compliance statements and reports of 257 listed companies in the UK and Germany, producing some 715 records of deviation. From this, we generated an empirically derived taxonomy of the explanations. In a second-order analysis, we examine the underlying logic and identify various legitimacy tactics. We discuss the consequences of these legitimacy tactics for code regimes and the implications for policy makers.