by zxcmx 2380 days ago
Regulation gets interesting too. What devices does this apply to? Does it apply to smart TVs, thermostats, printers, anything with software (which will soon be everything)? Components?

Can I import a device? What vetting / certification process will be applied? Who does that? What happens when devices are manufactured by subsidiaries which get folded after 3 years? What if "updates" are provided that don't actually fix any vulnerabilities? What counts as a vulnerability for the purpose of the law?

2 comments

Security updates need to be supplied for anything that can connect to a network. Vulnerabilities are anything that allows remote read or write access to the device without the user's explicit consent. Companies need to open-source everything needed for supplying security updates before going bankrupt (perhaps setting up suitable insurance to make sure there is money for the work needed to do so). You can't import products that don't meet these requirements, just like you can't import products that don't meet other safety requirements. If the provided updates don't actually fix the problem, the manufacturer is liable for all damages. You can't sell things that depend on external servers for normal operation without also maintaining those servers (and enabling community replacement in case of bankruptcy).
A thermostat that can't be counted on to function properly for at least several times longer than ten years shouldn't be legal to sell in the first place.