Those requirements are explicitly on the outcomes because companies like Apple used to abuse loopholes in previous, non-outcome defined laws. They, as always, have no one to blame but themselves.
It sounds like what you’re saying is that because the legislature can’t anticipate how companies will abuse loopholes, they sidestep that by outlining the outcomes instead.
The issue I have with that approach is that I don’t agree with that approach to governance. I believe it’s incumbent on the regulator to define what is acceptable vs. disallowed in unambiguous terms.
This is a spirit of the law vs letter of the law debate. Europe in general (i know its not that easy) tends to go more towards Spirit of the Law. While the US usualy tends more to letter of the law.
The issue I have with that approach is that I don’t agree with that approach to governance. I believe it’s incumbent on the regulator to define what is acceptable vs. disallowed in unambiguous terms.