An internal interview – Special Feature for the European Governance Review
Why the World Needs a New Compliance Architecture

For years, organizations have been drowning in compliance — juggling frameworks like ISO, GDPR, NIS2, DORA, and now AI-related laws.
While the intentions behind these regulations are noble, the day-to-day reality for most compliance teams is anything but efficient. Documentation is scattered, frameworks overlap, and staff often feel compliance is more punishment than protection.
That reality is changing — and it’s happening in Belgium as usual.
Qfirst, a compliance innovation company led by Danny Zeegers and Harry V.M. van der Plas, owner of Management-Projects bv, has created CATS, the Compliance Audit Tracking System, and its operational backbone, HSMS – the Hybrid System Management Setup.
Together, they represent a radical departure from traditional governance models.
Their philosophy? Compliance should be experienced, not endured.
Who Are the Minds Behind It?
The system’s DNA comes from two industry titans with nearly four decades of hands-on experience each.
- Danny Zeegers, founder of the Ford Motor Company’s Quality System in 1990, is now one of Europe’s leading voices on NIS2, DORA, and the EU Data Act.
- Harry V.M. van der Plas, with 4 decades of IT experience in technology and software development (retail ERP and apps), now serves as a vCISO, certified ISO 17021 auditor (including for TÜV Nord Netherlands, Certificeringsadvies NL, and Qfirst), and ISO Lead Auditor; he is the creator of HSMS (based on standards and legislation that companies must comply with) and a publicist.
Together, they’ve engineered something far more profound than another compliance tool:
a meta-framework that connects every law, regulation, and standard into one live system that communicates, measures, and improves itself.
“Compliance can’t just be a library of checkboxes,” says Danny Zeegers.
“It must be a living system — one that speaks to people, adapts to new risks, and grows with regulation.” Harry VM van der Plas
What Is HSMS and Why Does It Matter?

The HSMS (Hybrid System Management Setup) is the invisible architecture that makes CATS work.
It replaces the static, intranet-bound document repositories companies used for decades with a dynamic, interlinked environment that ties policies, risks, clauses, controls, and evidence into one structure.
HSMS doesn’t store compliance — it activates it.
Each clause or control in CATS follows a clear logic:
WHO – WHY – WHAT – WHEN — bringing human context back into regulatory interpretation.
- WHO is responsible for the control
- WHY it exists (regulatory source and rationale)
- WHAT needs to be done
- WHEN it should be reviewed, tested, or evidenced
This simple but powerful structure replaces chaos with clarity — and ensures no one ever asks again, “Who owns this?”
Is This Setup Better for Compliance-Bored Organizations?

Absolutely.
CATS was engineered precisely for organizations tired of compliance fatigue — where teams waste time maintaining redundant frameworks.
The Meta-Framework within CATS unites overlapping obligations from NIS2, ISO, GDPR, DORA, and CSR into a single “control universe.”
As Zeegers notes:
“Once you map once, you comply many times. That’s the CATS philosophy.”
Every policy, control, or evidence file in CATS can serve multiple frameworks — eliminating duplication and dramatically reducing workload.
How Flexible Is HSMS?

HSMS is not rigid — it’s designed for evolution.
When a new regulation appears, administrators can easily extend the meta-framework by adding source texts, implementation texts, and mappings to the SCL (Standard Control Library).
CATS versioning keeps traceability and history intact, ensuring that every regulatory change is documented and every implementation decision is auditable.
When asked about emerging frameworks like the Cyber Resilience Act (CRA) or AI compliance guidelines, Van der Plas smiles:
“They’re not threats; they’re just new layers. HSMS was built to absorb change.
Every new rule is another node in the network — it links, not breaks.”
Future-Proof by Design

With the Cyber Resilience Act, AI Act, and Quantum Security initiatives on the horizon, many governance systems risk becoming obsolete.
HSMS and CATS, by contrast, are built around meta-linkage and modularity — meaning future regulations plug in without rebuilding the system.
“It’s future-proof not because it predicts everything,” says Van der Plas,
“but because it’s structured to adapt to anything.”
Why Choose JIRA Instead of a Built-in CAPA Kanban?
CATS integrates directly with JIRA, rather than embedding its own CAPA (Corrective and Preventive Action) tracker.
Why? Because JIRA is the global standard for workflow, already used by most IT and development teams.
RATS — the Risk Audit Tracking System built into CATS — communicates seamlessly with JIRA to assign risk owners, track CAPA progress, and close mitigation actions.
This avoids creating another isolated system and connects compliance directly to operational execution.
“We don’t need to reinvent collaboration,” says Danny Zeegers.
“We just need to connect compliance to where the work already happens.”
A Blessing for Risk Assessment and NIS2 Compliance

RATS transforms how organizations assess and respond to risk.
Linked directly to clauses and technical controls, RATS automatically identifies mitigation opportunities, measures residual risk, and visualizes the company’s risk appetite in line with NIS2’s pillars of governance, resilience, and reporting.
CATS’ Gap Analysis Tool further enables organizations to measure their NIS2 readiness and maturity, using built-in surveys aligned with ENISA recommendations.
Every framework template — from Cyfun Basic to Essential — already includes the evidence an external auditor would expect.
The result: faster verification, higher confidence, and fewer surprises at audit time.
Training, Guidance, and Human Value

CATS isn’t just software — it’s supported by Qfirst’s Centre of Excellence, a multidisciplinary team combining compliance, cybersecurity, and education.
Head of Training, Karin Printemps, brings her credentials as a Certiprof and SANS-certified partner to the platform.
Her team provides tailored compliance and cybersecurity training integrated with CATS, turning it into a one-stop learning and governance hub.
“We don’t just give clients a tool,” Karin Printemps, experienced Risk Manager and Head of Training, explains.
“We build competence — so they understand the why behind the what.”
Training, mentorship, and the combined experience of Danny and Harry’s teams ensure organizations can both implement and internalize compliance as a continuous discipline.
What Comes Next: AI, Quantum, and the Ethics of Automation
The team at Qfirst is already looking beyond 2025.
As quantum computing threatens to upend encryption models and AI systems begin making autonomous compliance decisions, the next frontier is clear: Quantum-Resilient Compliance.
Danny Zeegers foresees a near future where AI co-pilots assist CISOs and auditors in real time:
analyzing evidence patterns, predicting emerging risks, and even drafting mitigations.
But he’s careful to stress that human governance will remain central.
“Artificial intelligence will amplify compliance,” he says,
“but it will never replace the human judgment that ethics and governance demand.”
Conclusion: The Way Forward

CATS and HSMS together form not just a compliance toolset but a new governance philosophy — one that values clarity, accountability, and evolution over bureaucracy.
It’s built by people who’ve lived through compliance’s growing pains and decided to rewrite its DNA.
For organizations tired of compliance fatigue, drowning in documentation, or facing the tidal wave of new EU regulations, CATS is more than software — it’s the long-awaited bridge between regulation and reality.
Because in the age of AI, data, and digital risk,
CATS is the WAY.
🧭 For press inquiries and interviews:
📩 ask@jeeves-d-ai.com
🌐 www.qfirst.be







