You're free to run GrapheneOS or Windows or whatever, so long as you also have a device that is attested to be untampered by Google Play or Apple's equivalent
Graphene replied in that thread (just ctrl+f for them), saying "Unfortunately, the EU is adopting the Play Integrity API enforcing having a Google Mobile Services device instead. We've repeatedly raised this issue with the EU Commission and many apps including ones tied to this specific project. We've never been given reasoning why they can't use the hardware attestation API instead."
I'm personally not so keen on that lesser DRM requirement either, since it's just another level of gatekeeping: ok now it's not only Google/Apple but also a few OSes that meet ?some? requirements, but e.g. GrapheneOS also doesn't unilaterally let me access data on my device, maintaining that full access is dangerous and cannot be allowed -- yeah, I'll agree data is safer when I can't even access it myself, seeing how much malware goes around for NT/Linux distributions where you can have root, but I'd still much rather live in a world where I'm the root on my systems. But anyway, that's maybe another discussion, the broader point is that even GrapheneOS can't talk sense into the EU with their lesser-but-still-DRM option
Surely that directly entrenches their moat, and raises the difficulty of any new market entrants competing (leaving us with the effective duopoly we have today)
I fear this is increasingly becoming the case for most digital businesses through blanket requirements that don't taper into effect with the maturity/scale of the business - it's a legislative pulling up of the ladder behind them by creating high barriers to entry.