mailbox.org does not support MFA (multi-factor authentication) at all. Therefore it is NOT GDPR compliant, because it does not offer reasonable security. It will also not be considered CRA compliant when the Cyber Resilience Act comes into force. I don’t think it is compliant with BSI requirements, yet it offers [packages to the public sector](https://mailbox.org/en/education-and-public-authorities), but what about all the news about government entities being hacked for ransomware and data theft? Mailbox.org has a section about [your social and ecological responsibility](https://mailbox.org/en/company#our-responsibility) on your website, but what about your responsibility for your customers’ security?
In the [recent SANS Newsbites](https://view.email.sans.org/?qs=533959a804114f542720fb441a50fc1b5ae0ca7f2b35400a108504c695c220871225af4d289c01cc8a57847d83e147e607330d3d38e6996526b297a451804fdd7da41d2aeef5c25175554b7128f6b1e5), the attack against the Spanish company Telefónica is discussed, along with a quote about MFA:
> In today’s threat environment, implementing Multi-Factor Authentication (MFA) is now table stakes for all systems, but in particular sensitive systems, whether they are internal or external-facing. MFA should now be viewed in the same regard as seat belts in a car, and those that don’t use MFA viewed in the same way as those who don’t wear seat belts.
Confused Reader