CE certification requirements concern the sale of products in the EU. You are not allowed to import, make available or sell products that do not have a CE certification, if one is required for that kind of product. CE certification is usually just a self-declaration by the producer. If you make "Chemical Ali's colourful children's chew-toy" you have to provide a CE self-certification that e.g. certifies that you didn't use any lead-based paint, and all the other requirements for this category of product.

Enforcement of compliance would thus be via the seller, distributor, importer or producer, whichever is a EU entity and available/responsible.

Generally it would be permissible to use non-CE-certified products e.g. at home, provided you do not make them available to others, give them away or sell them. Using non-certified products can be prohibited for companies and other legal entities, usually through the safety regulations they have to obey.

What the legal consequences for a user of non-CE-certified software would be, I don't know. There will certainly be an assumption of negligence if anything goes wrong.

> There will certainly be an assumption of negligence if anything goes wrong.

This was a long time coming for our entire industry- ever since internet stopped being just about kittens and porn and started handling serious money.

This is a good thing because it will force decision makers at major compabies to sober the fuck up and pay real attention to security. We still have consumer products, like phones and routers, that are being shipped with known security holes and without any updates.

The issue is pervasive throughout the industry and will take decades to resolve.

There are lots of alternatives for SSL libraries, and there are also indeed increasing alternatives to Linux. But in reality, Linux tends to get patches for compliance purposes, or forks for meeting various obligations.

These smaller projects are probably even less likely to be compliant.

If anything, it will create a situation where e.g. OpenSSL is audited and compliant, but other newer solutions aren't so you can't use them. If "has been audited and approved" would be a good assurance the project is of good quality then that might be okay, but overall I find it's a rather weak signal.

Smaller projects? There are tons of very mature TLS libraries.

"Smaller" does not imply "not mature", or "not used". It just means ... "smaller".

For example Go has a boringssl build because boringssl is FIPS certified whereas the default Go crypto stuff isn't, and this matters for some people.

I'm not sure I understand what smaller is supposed to mean here. Do you mean less used? Or less code?

Usually a combination of less usage and general interest, fewer developers and development time, less or no funding, etc.

Details depend on the project, of course. The lesser used WolfSSL is also FIPS verified; it's clearly not impossible to do these things, it just puts additional pressure on what are often already constrained resources. I mean, the amount of general resources Linux has available compared to, say, OpenBSD is just huge.

I'm not sure that this is really proven out to be a generally true concept. Boringssl is a good example of a very well funded project. There are FIPS modes in the Linux kernel for various things like RNG.

Same as for GDPR probably. Selective enforcement and chilling effect. Companies will have to take risk of legal action into account, but not really adhere to it, except in some really basic cases.