Central government can force any covered entity to publish which standards they (do not) support, to produce an audit, and in the last instance, instruct them to comply. This is a specific provision on top of generic rules and regulations, where central government can step in the place of a lower government if they are non-compliant.
Also, citizens (or NGOs) can sue entities (including central government) for non-compliance. For example, in 2022, the NGO Urgenda won a case against the Dutch government for not doing enough about climate change (less than needed to comply with international treaties), and now the political landscape is in turmoil because there's no consensus which polluters should stop polluting quite as much.
In practice, the list of standards is just tacked onto procurement procedures. Since governments and contractors love to bicker, a missing security.txt can be something to hit the vendor over the head with (and withhold payment for a month, to make this year's budget).
Also, citizens (or NGOs) can sue entities (including central government) for non-compliance. For example, in 2022, the NGO Urgenda won a case against the Dutch government for not doing enough about climate change (less than needed to comply with international treaties), and now the political landscape is in turmoil because there's no consensus which polluters should stop polluting quite as much.
In practice, the list of standards is just tacked onto procurement procedures. Since governments and contractors love to bicker, a missing security.txt can be something to hit the vendor over the head with (and withhold payment for a month, to make this year's budget).