by jeroenhd 607 days ago
I'm actually surprised software has been exempted for so long. Based on the lawsuits started against companies like Crowdstrike, it probably isn't, but nobody has bothered to write it down yet.

What we have here is an intention, research into why it's necessary, and a process. None of this is law yet, this isn't even a legal proposal. The conclusions taken by this news publication are damn certain about something that's currently just a vague idea existing in a politician's drafts folder.

It's obvious software vendors have to comply with some standard of warranty because lawsuits against buggy software are regularly won. Most documented cases I've found are actually from the US, so perhaps Europe is behind the US in winning such cases, often in the form of class action suits.

The EU isn't alone in wanting software vendors to be liable for their flaws; the White House also called for a law (see "Strategic objective 3.3"). This version has been wrapped in a soothing layer of "cybersecurity" but the implication is the same.

1 comment

It’s even worse to proscribe liability when the “flaw” is not even an actual operating failure, but the ability for a bad actor to break the software maliciously.

Software is only as insecure as the user’s willingness to expose it to untrusted inputs, combined with the user’s willingness to give the software unfettered access to sensitive data.

“Don’t let hackers control the input stream” is literally the end of any and all security issues.