You're free to run GrapheneOS or Windows or whatever, so long as you also have a device that is attested to be untampered by Google Play or Apple's equivalent
Graphene replied in that thread (just ctrl+f for them), saying "Unfortunately, the EU is adopting the Play Integrity API enforcing having a Google Mobile Services device instead. We've repeatedly raised this issue with the EU Commission and many apps including ones tied to this specific project. We've never been given reasoning why they can't use the hardware attestation API instead."
I'm personally not so keen on that lesser DRM requirement either, since it's just another level of gatekeeping: ok now it's not only Google/Apple but also a few OSes that meet ?some? requirements, but e.g. GrapheneOS also doesn't unilaterally let me access data on my device, maintaining that full access is dangerous and cannot be allowed -- yeah, I'll agree data is safer when I can't even access it myself, seeing how much malware goes around for NT/Linux distributions where you can have root, but I'd still much rather live in a world where I'm the root on my systems. But anyway, that's maybe another discussion, the broader point is that even GrapheneOS can't talk sense into the EU with their lesser-but-still-DRM option
They just don't support it because it's an immense risk (in my opinion as well).
The other thing, reliable backup is slowly in the making. As I understand there's not enough devs to work on it right now.
This won't be signed with the right attestation key because I'm not them.
My understanding is that attestation is tied to the distribution's private key, so this government software wouldn't trust my version of the OS, assuming the govt could be made to understand Android's attestation framework is a vendor-neutral way to achieve the same goal (whatever goal that may be). With a rooted GOS, I'd still need another device, tied to my government identity, of which I can't verify what it's doing, much less control it
Surely that directly entrenches their moat, and raises the difficulty of any new market entrants competing (leaving us with the effective duopoly we have today)
I fear this is increasingly becoming the case for most digital businesses through blanket requirements that don't taper into effect with the maturity/scale of the business - it's a legislative pulling up of the ladder behind them by creating high barriers to entry.
Of course it won't pass the attestation.