In the EU any bank requires customers to use 2FA. Dutch customs requires critical logistics companies to use 2FA (amongst other stuff).
From what I recall critical companies must address likely methods to breach their security. It is highly likely that a company will get loads of attempts to check. Similarly, a critical company is expected to deal with employees leaving and ensuring their access is revoked.
From skimming they seem to say that there isn't a breach because an account of an ex-employee was used. But that's too easy, the processes sucked. The way they got in is just one of the things that some EU regulation requires critical companies to address. Same for perhaps not forcing customers to use 2FA. That's crazy.
The EU is usually really slow in regulating things. If they got in using a method that the EU said you had to address then it means you had ages of time and nothing was done.
Really unresponsible. Especially as I think they seem be pretty critical part of the economy.