Correct. And I agree with that effect:
* a company paying the salary of a developer who contributes to an open source project outside of the commercial activity of the company does *not* expose the company to extra requirements
* a company taking *any* software, including open source software, and selling a product based on that or related to that, to EU customers, *will* be required to think more about safety (regardless of who it employs and for what)
The *one* negative impact I can see of this legislation is the impact on small integrators that were used to being able to go to a client company, install a bunch of Ubuntu Desktop workstations, set up an Ubuntu Server for SMB and also to serve the website of the company, take a one-time fee for their work and be gone. Now it would have to be made clear who will be maintaining those machines over time, ensuring they are patched with security updates in time, upgraded to new OS releases when old ones are no longer supported and so on. This, over time, will reduce the number of forgotten and bit-rotting systems on the networks that provide tons of known security holes for attackers. Who will take the responsibility is still open: would that be the end customer itself, would that be the system integrator that installed the systems for them, can they maybe have a contract with Canonical for such support or with some other company providing such services specifically for the EU? How much would that cost? How would that cost compare to similar agreements on the Windows side?
Lots of interesting questions. But at no point does any responsibility get automatically assigned to, for example, Debian or individual open source developers.