Dutch employee insurance service provider UWV did not apply multi-factor authentication when granting access to the online employer portal, so security was deemed insufficient.

https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-dwingt-uwv-met-sanctie-gegevens-beter-te-beveiligen