4. Policies & Regulations
1. How is encryption validated during internal or external audits?
2. Is cryptographic logging and auditing in place for sensitive key operations?
3. Are cryptographic decisions documented for legal/regulatory purposes?
4. Are there compensating controls in place for non-encrypted legacy systems (e.g., network segmentation, Zero Trust access controls)?
5. Are you compliant with data encryption requirements for GDPR, HIPAA, or GLBA?
6. Do you track national-level PQC-related regulations and guidance (e.g., BSI in Germany, ANSSI in France, NCSC-NL in the Netherlands, financial-sector regulators, healthcare mandates such as HIPAA in the USA)?
7. Do you have a formal process to review and update cryptographic policies in line with evolving PQC standards and regulatory changes?
8. Are your PQC-related policies aligned with sectoral mandates (e.g., financial services, healthcare, telecom, energy) that specify cryptographic standards?
9. Are cryptographic and PQC policies formally integrated into your enterprise governance framework, risk management, and compliance dashboards?
10. Do your policies include provisions for crypto-agility and rapid adoption of future PQC standards, anticipating EU or global regulatory updates?
11. Is the legal team kept up to date on PQC requirements and the consequences of non-compliance?
12. Do you have processes to audit compliance with cryptographic policies internally and across your ecosystem (vendors, subsidiaries)?