The building code (pretty much everywhere) tells us that if you build a building without a fire escape you’re in trouble, but it took government to impose those rules.
If your site has more than 500 users, or any sensitive PII, the digital code should require you to require 2FA, and encrypt that data at rest. (e.g. the recent Tea app breach)
Now to convince the government to create said digital code.