So, they're just going to kill commercial open source devs?
"outside the course of a commercial activity"
That's a pretty problematic caveat right there.
Does that put Lenovo on the hook for security vulnerabilities in Fedora? After all, they will sell you a laptop with it pre-loaded.
What about Rocky or Alma, who don't sell the OS, but sell support for it? Are they on the hook for security vulnerabilities in the Kernel, even though they don't actually sell OS?
Or the likes of HPE - whose HPE Cray OS is based on Linux? Are they on the hook, given that the supercomputers they build are shipped with their custom in-house Linux spin integrated into it?
What are the implications for AMD and their move to open firmware?
It still feels like the legislation is blind to the complexities of the Open Source model, and doesn't realize that something can be both FOSS, and deeply tied into commercial activity.
Once again, the EU has permitted - as most governments do, though the EU seems especially gifted at it - a cabal of people illiterate in the space in which they are legislating to draft a nice legal document which fails in critical ways to actually conform to the reality of the world they are trying to legislate. And, because it is a fundamentally unaccountable and a-democratic institution, the fallout for the 400-odd million people who have to live with it will be largely unaddressed. Yet another layer of byzantine regulation which will encumber anyone who tries to follow it, will likely curtail or kill small businesses and innovators, and will be ignored and skirted by anyone who can afford the lawyers and lobbyists to do so.