If only the heads of security people... It's right there in the law: "[...] the tool for user identity verification [...] must enforce rules for [...] regular password change in the interval of at most 18 months [...]" ยง19(5)f of the Decree No. 82/2018, the Cybersecurity Decree (the Czech Republic).
(The good thing is this is only an interim requirement until a proper two-factor system is implemented, as required.)
(The good thing is this is only an interim requirement until a proper two-factor system is implemented, as required.)