[usrusr]

So basically the equivalent of requiring ID for getting a phone SIM, thanks for the clarification.

Did not make much sense otherwise for just email or even for active user accounts (as in unix logins), because if you have tens of thousands of them your security model surely cannot rely on the assumption that none of them are bad actors.

"Just like a phone SIM" is also where it definitely enters the realm of legal requirements. Certainly debatable, but there can't be much precedent and then it's the usual struggle between a perhaps careless group appealing to common sense and a maximum correctness camp that wants to go by the book, in its most pessimistic interpretation. When under a malware attack like that, even the slightest trace of neglect on the technical side can punish you hard. It's no surprise that the required mindset of extreme prudence carries over to the legal side. I still don't believe that the ID check would be the only correct way to handle this (e.g. snail mail still goes a long way in terms of checking legal boxes), but they surely are not in the mood for taking risks right now.