And if FOSS is not a business, it's excluded from this regulation as well.
If you do business with said FOSS, you need to provide security, just like how a food truck making food from open recipes has to make sure to not poison people either.
What if you give self-baked cookies to a restaurant owner, and he sells them? Then the commercial entity assumes the risks and is supposed to safety-check them.
Shockingly it's actually the fact you gave them food poisoning that decides that one. But I wouldn't be surprised if the Europeans thought that in need of fixing too.
There is a difference between being held accountable if your negligence ends up hurting someone vs. proactive audits and reporting requirements - the second has overhead even for those that already have high standards, overhead that is unreasonable outside a business setting.
A proactive audit system seems to be the better one to me. It is more predictable - you know in advance which rules you are supposed to follow. It also allows for a widely accepted risk standard known in advance to both customers and providers.
The "do what you want and we will punish you hard if luck strikes badly" approach is less predictable. It has unfair results. It leads to both excessive risk avoidance (because if you are unlucky, punishment is disproportionate) and risk-taking that the customer is unable to proactively avoid.
Because it's not a business. Health regulations for restaurants also don't apply to your kitchen at home, even if you are inviting friends for dinner.