by stockresearcher 202 days ago
These are good developments, but it remains to be seen how much of an impact they will have. Software developers will have to follow a bunch of “best practices”, but there isn’t a requirement that they are good at them. There are no fines for producing insecure software, only fines for not following the rules.

Software providers are also likely to be specifying narrow “fit for purpose” statements and short(ish) support windows. If costs go up too much, people will be using “inappropriate” and/or EOL stuff because the “right thing” is too expensive.

To be clear, this is a step in the right direction but is not a panacea.