Proving compliance without complexity: interview with Hennie Jansen, CCO of Msafe

Following our Compliance Summit, ITinsight conducted an interview with Hennie Jansen, Msafe's CCO. The theme is provable compliance without complexity. Hennie Jansen indicates that it is not a slogan. "It's a way to bring security, compliance and business closer together. And organizations that get that right in 2026 are building not only better audits, but also more trust, more control and more operational peace of mind."

Compliance is no longer a paper exercise in 2026. Organizations in Europe have to deal with the accountability requirement from the GDPR, the ramifications of NIS2 and – in the financial sector – DORA. At the same time, Eurostat shows that 21.54% of EU companies were affected by ICT security incidents in 2023, only 35.50% had formal documents around ICT security measures, and less than half keep logs for post-incident analysis. ENISA also analyzed 4,875 incidents over the period July 2024 to June 2025 in its most recent EU threat landscape. [1][2][3][4][5]

In that playing field, one question is rapidly gaining importance: how do you make compliance not only mandatory, but also manageable, demonstrable and workable for the business? We talked about this with Hennie Jansen, CCO of Msafe.

“Provable compliance without complexity” is a strong statement. What exactly do you mean by that?

Hennie Jansen:
“For me, it means very concretely that compliance should not be stuck in a folder, spreadsheet or audit file somewhere. It should be visible in day-to-day operations. So: who had access to what information, when was something shared, what policy was in place at the time, when was access withdrawn, and can you show that too if an auditor, customer or regulator asks for it?

The bottom line is that you not only organize compliance, you can demonstrate it. That aligns exactly with the line of the GDPR: organizations are not only responsible for compliance, but also for demonstrating it. And that’s where things often go wrong in practice. Companies have policies, but lack the operational proof layer.” [3]

Why exactly in 2026 should this issue be on the agenda of boards and security teams?

Hennie Jansen:
“Because 2026 is the year when no one can credibly say that compliance is mainly something for later. NIS2 had to be transposed into national law by October 17, 2024. DORA has been applicable since Jan. 17, 2025. And the European Commission even showed on Jan. 20, 2026 that compliance must also remain manageable, with targeted proposals to simplify NIS2 compliance for 28,700 companies, including 6,200 micro and small enterprises. This is an important signal: compliance should not only be strict, but also manageable.” [2][4]

“On top of that, the threat is not theoretical. Eurostat shows that over one in five EU companies have already been affected by ICT security incidents. And perhaps more importantly, many organizations are not yet operationally where they need to be. Only 35.50% had formal documents around ICT security measures and only 45.16% kept log files for analysis after incidents. So then you often have risk, but no consistent evidence.” [1]

“ENISA confirms that picture. In the European threat landscape, availability attacks, ransomware and data threats remain dominant, and the most recent threat landscape analysis looked at 4,875 incidents in one reporting period. This means that compliance, security and operational resilience are increasingly intertwined.” [5]

What do you think is the route to provable compliance without complexity?

Hennie Jansen:
“That route consists of four steps.

First, you need to know where your biggest operational risks are. In many organizations, this is not immediately the very largest platform or most visible application, but rather something mundane such as sharing sensitive files with customers, suppliers, auditors or external partners.

The second step is to standardize. So not ten different practices, but clear policies for access, retention periods, authentication and revocation of rights.

The third step is automating evidence. If someone has to reconstruct what happened after the fact, you’re too late. Evidence should arise automatically from the workflow itself: audit trails, exportable reports, logging and clear policy context.

And the fourth step is adoption. Once compliance becomes too complex, people start working around the system. Then you lose both control and proof. Therefore, a solution must be secure for security and compliance, but simple enough for end users.”

Specifically, what do companies gain from this?

Hennie Jansen:
“Three things. First: faster and quieter audit preparation. If you have your evidence already in your process, you need to collect much less manually.

Second, more grip on external cooperation. This is precisely where a blind spot often arises. Files go through e-mail, consumer tools or ad hoc links, while the organization remains responsible for policy, access and traceability.

Third, less friction between business and control. Good compliance should not mean slowing employees down. It should mean that they can work safely within a model that is explainable and defensible to IT, security and compliance.

To me, that is the essence of manageable compliance: not more rules for the sake of rules, but better control without unnecessary operational burden.”

Why should companies specifically look at Msafe’s solution now?

Hennie Jansen:
“Because many organizations still conduct their compliance discussion too abstractly. They talk about governance, risk and regulation, but forget to look at concrete information flows where things often go wrong in practice. Secure file transfer is a good example. Almost every company shares contracts, technical drawings, reports, financial documents or other sensitive files with external parties. And that’s exactly where you want control, logging and demonstrability.”

“Msafe Secure File Transfer is designed to make that process manageable. Think strong encryption, role-based permissions, revocable access, expiry and retention policies, SSO and SCIM for identity governance, exportable audit trails and EU-hosted deployment. As a result, you turn an often messy process into a controlled workflow with a clear evidence layer.” [6]

“What I find strong is that this doesn’t start with complexity, but with use. A solution only really works if people use it. Therefore, secure file transfer must not only be secure, it must also fit logically into everyday work. Only then do you get real adoption, and without adoption you don’t get manageable compliance.”

For which organizations is this most relevant?

Hennie Jansen:
“Especially for regulated sectors. Think finance, critical infrastructure, industry, healthcare and other organizations where confidential data, operational continuity and accountability come together. But actually it’s broader. Any company sharing sensitive information with external parties has to ask itself: can we show who had access, under what conditions, and what exactly happened?

In 2026, that demand will not diminish. Customers, auditors, supply chain partners and regulators increasingly expect not just nice policy documents, but demonstrable control.”

Finally, what is the core message you want to give organizations?

Hennie Jansen:
“Don’t wait until compliance becomes a brake on your organization. Instead, start with processes that you can improve today. Make risks visible, standardize your policies, automate your evidence and keep it workable for users.

Provable compliance without complexity is not a slogan. It’s a way of bringing security, compliance and business closer together. And organizations that get that right in 2026 are building not only better audits, but also more trust, more control and more operational peace of mind.”


Sources for the figures

[1] Eurostat reports that 21.54% of EU companies were affected by ICT security incidents in 2023, 35.50% had formal documents on ICT security measures, and 45.16% kept logs for post-incident analysis.

[2] European Commission / NIS2: Member States had until October 17, 2024 to transpose NIS2 into national law; NIS1 was repealed as of October 18, 2024. On January 20, 2026, the Commission proposed targeted amendments to simplify compliance with EU cyber rules for 28,700 companies, including 6,200 micro and small enterprises.

[3] GDPR accountability: the European Commission calls accountability a cornerstone of the GDPR, stating that organizations must not only comply with the data protection principles, but also be able to demonstrate compliance. In doing so, the EDPS says organizations must take appropriate technical and organizational measures and be able to show what they did and how effective it was.

[4] DORA has been in effect since Jan. 17, 2025.

[5] ENISA: in the Threat Landscape 2024, threats against availability, ransomware and threats against data were at the top; the Threat Landscape 2025 analyzed 4,875 incidents over the period July 1, 2024 to June 30, 2025.

[6] Msafe: Msafe Secure File Transfer has strong encryption, AES-256 security, role-based permissions, SSO/SCIM and EU hosting, as well as audit trails, exportable reports, Outlook/API and policies such as revocable access and expiry/retention.
