
That law would override any such disclaimer by the seller (or other kind of "commercial producer") of OSS software. What is "critical" is determined by the catalogue of critical software categories.



Which would move up the chain to all dependencies of a critical project.

Libc, clang/gcc, whatever. Needs to be audited.

Perhaps they require the “integrator” to perform the audit or maybe the fact someone provides software which can be useful in critical environments is enough to signal an implied warranty and they are on the hook for compliance. Nobody knows until it all goes through costly legal procedures where everyone is trying to cover their asses and pass the buck.

I’m waiting for the day where FLOSS devs are greeted at EU airports by process servers because they released some software while in college and it got used in some critical software.


No, the draft requires the purpose of a piece of software to be declared. So if you declare Linux to be a terminal emulator, not an operating system, and only sell/import/distribute it as such, you only need to comply with the somewhat easier self-certification requirements for non-critical software.

However, that declaration of purpose of course binds all other users/distributors of Linux: if they should dare to use or bundle it as a desktop, server or mobile operating system, they are doing so outside the original certification and need to have the required audit for critical software performed.

That, as far as I read it, also means that something like GCC, which is unambiguously a compiler, isn't critical and need not be audited, only self-certified, even if used to compile a critical software component.
