1. This adds barriers to sell OSS software, which helps solidify existing markets and prevents new competitors from stepping up
2. This won't change anything except forcing projects to waste money in legal BS, when the responsibility should be uniquely on the commercial entities USING and providing a service (and therefore making money) with the OSS software
3. This is only the first step, I'm sure they'll keep adding rules
4. I'm thinking they may have been heavy handed in the first draft just so that people would think at the end "oh, phew! the regulators didn't kill ALL OSS software in Europe, great!" without thinking why do we need this regulation or how it improves ANYTHING
Will it actually improve security? I don't think so.
If someone is paying for commercial support they likely already have security updates and, once vulnerabilities are known by the maintainers, the news spread.
The security problem with OSS is not that things are not communicated promptly, but that it's hard to make money with OSS so there is no staff working on security.
This would have not saved us from eg. OpenSSL vulnerabilities and it will be even harder to $NextOSSOrg to start charging for their product and improve their security.
All commercial software is included, I don't see how (commercial) OSS is somehow special. Did you read the article?