by tsimionescu 941 days ago
The game is not over just because you trust a CA. If they sign a certificate for a domain, they have to also publish that they did (in the CT logs) before browsers will accept it. If they do so for an entity that didn't ask for it, that will be investigated by browser and OS vendors and it may easily end up with the CA becoming untrusted.
2 comments
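The mechanism the comment above relies on, a CA publishing a certificate to CT logs and the browser checking for proof of that publication, shows up in the certificate itself as embedded Signed Certificate Timestamps (SCTs). The following is an added example, not code from the thread: a small parser for the RFC 6962 `SignedCertificateTimestampList` (the TLS-encoded payload inside the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, after the DER OCTET STRING wrapper has been removed) plus a simplified policy check, assumed here as "at least two SCTs from distinct logs". The log IDs, timestamps and signature bytes are constructed sample data, and the example does not verify the logs' signatures, which a real client must do against each log's public key.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a simple
CT policy. Added example with constructed data; it does not verify the
log signatures that a real client would check against known log keys.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SCT:
    version: int          # 0 == v1 (the only version defined by RFC 6962)
    log_id: bytes         # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int     # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int         # TLS HashAlgorithm (4 == sha256)
    sig_alg: int          # TLS SignatureAlgorithm (3 == ecdsa)
    signature: bytes      # DER-encoded ECDSA signature from the log


def _take(buf: bytes, off: int, n: int):
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n


def parse_sct(raw: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2)."""
    off = 0
    version, off = _take(raw, off, 1)
    if version[0] != 0:
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, off = _take(raw, off, 32)
    ts_b, off = _take(raw, off, 8)
    ext_len_b, off = _take(raw, off, 2)
    extensions, off = _take(raw, off, struct.unpack(">H", ext_len_b)[0])
    algs, off = _take(raw, off, 2)
    sig_len_b, off = _take(raw, off, 2)
    signature, off = _take(raw, off, struct.unpack(">H", sig_len_b)[0])
    if off != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(version[0], log_id, struct.unpack(">Q", ts_b)[0],
               extensions, algs[0], algs[1], signature)


def parse_sct_list(raw: bytes) -> list:
    """Parse the 2-byte-length-prefixed list of 2-byte-length-prefixed SCTs."""
    total_b, off = _take(raw, 0, 2)
    body, _ = _take(raw, off, struct.unpack(">H", total_b)[0])
    scts, off = [], 0
    while off < len(body):
        n_b, off = _take(body, off, 2)
        item, off = _take(body, off, struct.unpack(">H", n_b)[0])
        scts.append(parse_sct(item))
    return scts


def sct_time(sct: SCT) -> datetime:
    """Log timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc)


def meets_ct_policy(scts: list, min_distinct_logs: int = 2) -> bool:
    """Assumed policy: SCTs from at least `min_distinct_logs` different logs."""
    return len({s.log_id for s in scts}) >= min_distinct_logs


# --- encoders used only to build the constructed sample data below ---
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)            # no extensions
            + bytes([4, 3])                   # sha256 / ecdsa
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(items: list) -> bytes:
    body = b"".join(struct.pack(">H", len(i)) + i for i in items)
    return struct.pack(">H", len(body)) + body


# Constructed sample data: fake log ids and a placeholder signature.
LOG_A = bytes([0xA1]) * 32
LOG_B = bytes([0xB2]) * 32
DUMMY_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"   # placeholder, not a real signature
TS = 1_700_000_000_000                             # 2023-11-14T22:13:20Z
SAMPLE_TWO_LOGS = encode_sct_list([encode_sct(LOG_A, TS, DUMMY_SIG),
                                   encode_sct(LOG_B, TS + 5, DUMMY_SIG)])
SAMPLE_ONE_LOG = encode_sct_list([encode_sct(LOG_A, TS, DUMMY_SIG),
                                  encode_sct(LOG_A, TS, DUMMY_SIG)])

if __name__ == "__main__":
    for name, blob in (("two logs", SAMPLE_TWO_LOGS), ("one log", SAMPLE_ONE_LOG)):
        scts = parse_sct_list(blob)
        print(name, [(s.log_id[:2].hex(), sct_time(s).isoformat()) for s in scts],
              "policy ok:", meets_ct_policy(scts))
```

In a real chain the extension bytes come from the leaf certificate (with `cryptography`, the `PrecertificateSignedCertificateTimestamps` extension already exposes them parsed), and the two-distinct-logs threshold is a simplification of actual browser policies, which also weigh log operators and certificate lifetime.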

Well this is it, they will no longer become untrusted. They can, however, ask to have the offending certificate revoked if they have proof it's bad and once they have permission from the authorities (they kind of have to grant the permission if there's evidence, but it will be on the authorities' timeline).
AFAIK there is no requirement for CT in this regulation, and it prevents browsers from requiring it to accept the certificates.