I would, with lifecycle and sunsetting requirements. Laws are requirements docs with more ceremony and stakeholder participation, but also with much more authority.

That all seems well-intentioned and plausible in terms of how things should have been originally. However,

1) I can't help but think of all the problems that apply in general to specifying requirements (too vague, too constraining, too expensive to hammer out to sufficient precision).

2) That's different from changing it retroactively. Would you change it again when JSON goes out of fashion? Or mandate HTTPS? I've not read the OP in detail, but the impression I have is that the existing service is very much functional. Even ignoring the cost of changing the law, do we really want our public institutions to be in breach of law whenever fashions change? I'd rather let them set their own priorities to a large extent - for example, specify a very general, minimal set of requirements and do better when they have capacity to do so. I'm fine with people building on top of that where convenient. It seems like a good thing, in fact.

I think your points are important, but it's likely we won't reach an agreement on this issue. Appreciate you raising the points though!