6. Hybrid approach
1. Are you deploying Micro-segmentation in the environment (Tech-Debt)?
2. Are APIs secured with strong encryption protocols (e.g., TLS 1.2+, mTLS)?
3. Are you deploying Micro-segmentation in the environment (Tech-Debt)?
4. Do you have a documented strategy that defines when and how hybrid cryptography (PQC combined with classical algorithms) should be used in your systems?
5. Based on your PQC discovery & risk assessment, have you identified which assets or systems should first adopt hybrid cryptography?
6. Have you tested hybrid cryptography implementations to ensure interoperability across internal systems and with external partners or suppliers?
7. Have you deployed pilot projects or proofs-of-concept using hybrid protocols (e.g., hybrid TLS, hybrid VPNs) in production or pre-production environments?
8. Have you assessed the performance overhead and operational implications of hybrid cryptography, and integrated mitigation strategies into your IT and security architecture?
9. Do you know when and how to use hybrid cryptography (PQC + classical algorithms) as recommended by advisory bodies?
10. Do you have monitoring and governance processes in place to evaluate hybrid cryptography performance, vulnerabilities, and regulatory changes on an ongoing basis?
11. Is hybrid cryptography explicitly included in your cryptographic agility strategy, ensuring you can phase out legacy algorithms while maintaining dual support where required?
12. Are your hybrid cryptographic approaches aligned with EU-level recommendations (e.g., NIS2, ENISA guidance) and sectoral regulations that encourage or require hybrid deployments?