3. Governance
Business priority: 3 (scale 1 = Low to 4 = Urgent)
1. Has your governance framework integrated the applicable EU regulations (e.g., NIS2, GDPR, sectoral mandates) and aligned with international PQC standards (NIST, ETSI, ISO)?
2. When was the cryptographic policy last reviewed or updated?
3. Do you have a centralized inventory of cryptographic assets (algorithms, keys, certificates, protocols and the systems that use them)?
4. Is there a cryptography steering committee or working group, e.g. a cryptography centre of excellence (CoE)?
5. Is there a crypto governance policy that defines acceptable algorithms, key lengths and deprecation dates?
6. Are all Tier 1 and lower-tier (Tier n) applications covered by documented encryption policies, and are they listed in the CMDB?
7. Are there controls (e.g., pre-commit and CI secret scanning) to prevent hard-coded secrets, keys and tokens in source code?
8. Do you have governance metrics and KPIs (e.g., % of systems inventoried, % of vendors hybrid classical-plus-PQC ready, % of protocols upgraded) reported to executive leadership?
9. Do you have a formal, documented cryptographic policy?
10. Does your governance framework include regular audits, reviews and updates of cryptographic policies and PQC migration strategies as standards evolve?
11. Are clear roles and accountabilities assigned for cryptographic management, PQC migration and regulatory compliance across business and IT teams?
12. Is PQC migration fully embedded into your enterprise risk management (ERM) processes, with quantum threats assessed alongside other cyber risks?
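Questions 3, 5 and 8 are easier to answer "yes" to when the inventory and the policy are machine-readable and the KPIs are computed from them rather than estimated. The script below is an added illustration written for this page, not part of the assessment or any vendor tool: the policy thresholds, the algorithm names, the five inventory entries and the KPI names are all constructed for the example, and a real inventory would be loaded from a CBOM or CMDB export rather than declared inline.

```python
"""Check a cryptographic asset inventory against a crypto governance policy
and derive the governance KPIs from the result (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy: minimum key sizes for approved classical algorithms,
# algorithms that are forbidden outright, and PQC algorithms accepted for
# hybrid deployment. Thresholds are illustrative, not a recommendation.
POLICY = {
    "min_key_bits": {"RSA": 3072, "ECDSA": 256, "AES": 128},
    "forbidden": {"3DES", "RC4", "SHA-1"},
    "pqc_ready": {"ML-KEM-768", "ML-DSA-65"},
}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    algorithm: str
    key_bits: Optional[int]   # None for PQC parameter sets named by their level
    tier: int                 # 1 = most business-critical
    in_cmdb: bool             # registered in the configuration management DB
    hybrid_ready: bool        # already negotiates a classical-plus-PQC hybrid


def assess(asset: CryptoAsset, policy: dict = POLICY) -> list[str]:
    """Return the policy findings for one asset; an empty list means compliant."""
    findings = []
    if asset.algorithm in policy["forbidden"]:
        findings.append(f"{asset.algorithm} is forbidden by policy")
    elif asset.algorithm in policy["min_key_bits"]:
        min_bits = policy["min_key_bits"][asset.algorithm]
        if asset.key_bits is None or asset.key_bits < min_bits:
            findings.append(
                f"{asset.algorithm} key of {asset.key_bits} bits is below "
                f"the {min_bits}-bit minimum")
    elif asset.algorithm not in policy["pqc_ready"]:
        findings.append(f"{asset.algorithm} is not an approved algorithm")
    if not asset.in_cmdb:
        findings.append("system is not registered in the CMDB")
    return findings


def governance_kpis(assets: list[CryptoAsset], policy: dict = POLICY) -> dict:
    """Compute the percentages a governance dashboard would report."""
    def pct(numerator: int, denominator: int) -> float:
        return round(100.0 * numerator / denominator, 1) if denominator else 0.0

    tier1 = [a for a in assets if a.tier == 1]
    return {
        "pct_systems_inventoried": pct(sum(a.in_cmdb for a in assets), len(assets)),
        "pct_hybrid_ready": pct(sum(a.hybrid_ready for a in assets), len(assets)),
        "pct_policy_compliant": pct(
            sum(not assess(a, policy) for a in assets), len(assets)),
        "pct_tier1_compliant": pct(
            sum(not assess(a, policy) for a in tier1), len(tier1)),
    }


# Constructed inventory: five systems with a mix of compliant and
# non-compliant configurations.
SAMPLE_INVENTORY = [
    CryptoAsset("payments-api", "RSA", 2048, 1, True, False),
    CryptoAsset("vpn-gateway", "ML-KEM-768", None, 2, True, True),
    CryptoAsset("legacy-hr", "3DES", 168, 2, False, False),
    CryptoAsset("data-lake", "AES", 256, 1, True, False),
    CryptoAsset("ecdsa-signer", "ECDSA", 256, 2, True, True),
]

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        for finding in assess(asset):
            print(f"{asset.system}: {finding}")
    for name, value in governance_kpis(SAMPLE_INVENTORY).items():
        print(f"{name}: {value}%")
```

Each finding names the system and the rule it breaks, which is what question 6 asks for at application level; the KPI dictionary is the executive-facing output from question 8, and its "% of systems inventoried" is simply the share of assets with a CMDB record.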
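Question 7 asks for a control, and the usual one is a pre-commit or CI check that refuses source containing credential-shaped strings. The scanner below is an added example written for this page, not part of the assessment or of any real tool: the three patterns, the placeholder rules, the `# nosecret` suppression marker and the seven sample source lines are all constructed, and a production scanner would carry many more patterns plus entropy checks.

```python
"""Minimal hard-coded secret scanner of the kind run as a pre-commit hook
(constructed example). Returns (line number, rule name) for each hit."""
import re

# Constructed detection rules. The AWS access-key shape and the PEM header
# are well known; the generic rule catches `password = "..."` style literals.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Values that look like configuration placeholders rather than real secrets:
# documentation defaults, template variables and environment lookups.
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|<[^>]+>|\$\{[^}]+\})$")

# A reviewed, explicit suppression marker (assumed convention for this example).
SUPPRESS_MARKER = "# nosecret"


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Scan source lines and return one finding per (line, rule) match."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if SUPPRESS_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "generic_assignment" and PLACEHOLDER.match(match.group(2)):
                continue  # literal is a placeholder, not a credential
            findings.append((lineno, rule))
    return findings


def commit_allowed(source: str) -> bool:
    """Hook entry point: True when the source contains no findings."""
    return not scan_lines(source.splitlines())


# Constructed sample file: two safe lines, two placeholders, three real hits.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "sk_live_51H8x2GZk9pQ3rT7vW1yB4nM6"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
token = "${VAULT_TOKEN}"
"""

if __name__ == "__main__":
    for lineno, rule in scan_lines(SAMPLE_SOURCE.splitlines()):
        print(f"line {lineno}: {rule}")
    print("commit allowed:", commit_allowed(SAMPLE_SOURCE))
```

The placeholder filter is what keeps such a hook usable: without it every `password = "changeme"` in a sample config blocks the commit, and developers start suppressing the check wholesale. The marker-based suppression should itself be something a reviewer looks for in the diff.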