In Australia we have legislated it in multiple places, and it has become tied to things like privacy legislation, and for that which isn't privacy related we defer to industry best practice - which is often discussed and published by national agencies in the tech and security space, which of course turns into "must do" actions by every government CISO and CDO/CIO.
It has been a headache for our vendors.