by supriyo-biswas 962 days ago
If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.

Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.


That has nothing to do with this; I don't think you understand this vulnerability. You can see which certificate authority issued the cert, so you can see if the site suddenly started using a vulnerable cert provider and thus know that it is compromised. Note that the same attack is possible right now; the only difference is how your browser displays it. You can just install a plugin to get back the original behavior if you want. So this in no way prevents you from secure browsing.

TLDR: If you are worried about security you can always install a plugin to get back the old behavior. This just says that browsers should be able to trust them, not that you have to configure your browser to trust them.

CA changes can happen due to many legitimate reasons. Pinning certificates in this way doesn't scale, as we saw with the deprecation of HPKP.
All you need is a list of trusted CAs, like we do right now, and then issue a warning if it isn't on that list. It is a very simple plugin to make.
These certificate authorities will also issue legitimate certificates, btw; the regulation explicitly encourages local states to use them for their services.
First, few people would know that they should install a plugin; second, since the law says that browsers "shall ensure", there's a good chance that they would be forced to try to block these plugins.
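The "warn if the issuing root isn't on my own list" check that the replies above describe, written out as an added example (not code from the thread or from any real extension). It is the pure core of a Firefox WebExtension: the chain shape follows what `browser.webRequest.getSecurityInfo()` returns in `SecurityInfo.certificates` (per-certificate `subject`/`issuer` strings, `fingerprint.sha256`, `isBuiltInRoot`, root last). The fingerprints, distinguished names and the allow-list contents are constructed sample data, and `auditChain`, `normFp`, `MY_TRUSTED_ROOTS` and the `SAMPLE_*` chains are names chosen here, not any project's API.

```javascript
// Added example: personal root-CA allow-list check, modelled on the data
// Firefox's webRequest.getSecurityInfo() exposes. All sample values are fake.

// Normalise a SHA-256 fingerprint ("AB:CD:..." or "abcd...") for comparison.
function normFp(fp) {
  return String(fp).replace(/[^0-9a-f]/gi, "").toLowerCase();
}

// The user's own allow-list: SHA-256 fingerprints of roots *they* accept.
// Constructed values; a real list would be exported from the user's own store.
const MY_TRUSTED_ROOTS = new Set(
  [
    "11".repeat(32), // stands in for a public root such as "ISRG Root X1"
    "22".repeat(32), // stands in for a second public root
  ].map(normFp)
);

// Audit one chain. Returns {ok, reason, root}; never throws, so it is safe
// to call from a request listener.
function auditChain(certificates, trustedRoots = MY_TRUSTED_ROOTS) {
  if (!Array.isArray(certificates) || certificates.length === 0) {
    return { ok: false, reason: "no certificate chain", root: null };
  }
  // getSecurityInfo() orders the chain leaf first, root (anchor) last.
  const root = certificates[certificates.length - 1];
  const fp = normFp(root.fingerprint && root.fingerprint.sha256);
  if (fp.length !== 64) {
    return { ok: false, reason: "root has no usable SHA-256 fingerprint", root: root.subject || null };
  }
  if (!trustedRoots.has(fp)) {
    // The case the thread argues about: the browser's root store trusts the
    // chain, so the connection is "secure", but the anchor is not one the
    // user chose. The extension can only warn; the TLS handshake already
    // succeeded.
    return { ok: false, reason: `root not on personal allow-list: ${root.subject}`, root: root.subject };
  }
  return { ok: true, reason: "root on allow-list", root: root.subject };
}

// Constructed sample chains (not real certificates). Fingerprints use the
// colon-separated uppercase form Firefox reports.
const hex = (b) => Array(32).fill(b).join(":");
const SAMPLE_OK = [
  { subject: "CN=example.org", issuer: "CN=R3,O=Let's Encrypt,C=US", fingerprint: { sha256: hex("AA") }, isBuiltInRoot: false },
  { subject: "CN=R3,O=Let's Encrypt,C=US", issuer: "CN=ISRG Root X1,O=Internet Security Research Group,C=US", fingerprint: { sha256: hex("BB") }, isBuiltInRoot: false },
  { subject: "CN=ISRG Root X1,O=Internet Security Research Group,C=US", issuer: "CN=ISRG Root X1,O=Internet Security Research Group,C=US", fingerprint: { sha256: hex("11") }, isBuiltInRoot: true },
];
// Same site, but the anchor is a root the browser trusts and the user does not.
const SAMPLE_SUSPECT = [
  { subject: "CN=example.org", issuer: "CN=Example QWAC Issuing CA,C=XX", fingerprint: { sha256: hex("CC") }, isBuiltInRoot: false },
  { subject: "CN=Example QWAC Issuing CA,C=XX", issuer: "CN=Example National Root,C=XX", fingerprint: { sha256: hex("DD") }, isBuiltInRoot: false },
  { subject: "CN=Example National Root,C=XX", issuer: "CN=Example National Root,C=XX", fingerprint: { sha256: hex("33") }, isBuiltInRoot: true },
];

// Wiring inside a Firefox extension: needs "webRequest", "webRequestBlocking"
// and host permissions in manifest.json, and getSecurityInfo() only works
// from a blocking onHeadersReceived listener. Guarded so this file also runs
// in Node for the checks below.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await browser.webRequest.getSecurityInfo(details.requestId, { certificateChain: true });
      if (info.state !== "secure") return {};
      const verdict = auditChain(info.certificates);
      if (!verdict.ok) console.warn(`[ca-audit] ${details.url}: ${verdict.reason}`);
      return {};
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

Design note: this compares the chain's anchor against a user-chosen set of roots rather than pinning one key to one site, so a site that legitimately moves between two allow-listed CAs produces no warning, and a site whose chain suddenly anchors at a root outside the set does. It only ever reports after the fact; the browser's own root store, not the extension, decided whether the handshake succeeded.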