The proposed certificate authorities can generate certificates for any entity, not just EU sites and not just new ones. They would have to be treated as valid, per the regulation.
Trust is the critical component in the PKI infrastructure. When it’s subverted and you can’t just remove the offending authorities, then it’s not really working properly anymore.
Seems like moving to something like DANE would be a good way forward. Seems like having the site owners tell the public what cert should be expected via DNS, with appropriate signatures, would obviate the need for CAs. (Yes, I realize that this just moves the trust anchor to the DNS root authority, but it does reduce the number of authorities you need to trust.)
Lots of things would help protect against this, but this regulation purports to prevent the browser vendor from implementing any stronger security mechanisms than those specified by the regulation. If DANE prevented a certificate from one of these governmental CAs from being accepted, this regulation would try to prevent using DANE.
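As an added illustration of the DANE check the two comments above describe (not code from any commenter), here is the matching logic a client would apply to a TLSA record once it has been retrieved and DNSSEC-validated (that step is assumed and omitted): the site owner publishes a digest of its own key, and a certificate for the same name issued by any other authority fails the match regardless of which CAs the client trusts. The `LeafCert` fields are constructed stand-ins for DER bytes, not real certificates.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # RFC 6698 certificate usage; 3 = DANE-EE (pin the leaf itself)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes         # certificate association data as published in DNS


@dataclass(frozen=True)
class LeafCert:
    der: bytes       # DER-encoded certificate (constructed stand-in in this example)
    spki_der: bytes  # DER-encoded SubjectPublicKeyInfo (constructed stand-in)


def _usable(rr: TLSARecord) -> bool:
    # Records with unknown field values are ignored rather than treated as failures.
    return rr.usage == 3 and rr.selector in (0, 1) and rr.matching_type in (0, 1, 2)


def _selected_bytes(cert: LeafCert, selector: int) -> bytes:
    return cert.der if selector == 0 else cert.spki_der


def _matches(cert: LeafCert, rr: TLSARecord) -> bool:
    data = _selected_bytes(cert, rr.selector)
    if rr.matching_type == 0:
        return data == rr.data
    digest = hashlib.sha256 if rr.matching_type == 1 else hashlib.sha512
    return digest(data).digest() == rr.data


def make_record(cert: LeafCert, selector: int = 1, matching_type: int = 1) -> TLSARecord:
    """Build the DANE-EE TLSA record a site owner would publish for its own certificate."""
    data = _selected_bytes(cert, selector)
    if matching_type == 1:
        data = hashlib.sha256(data).digest()
    elif matching_type == 2:
        data = hashlib.sha512(data).digest()
    return TLSARecord(usage=3, selector=selector, matching_type=matching_type, data=data)


def dane_ee_accepts(cert: LeafCert, records: list[TLSARecord]):
    """True/False if a usable DANE-EE record decides; None if DANE has nothing to say.

    A None result means the client must fall back to ordinary CA (PKIX) validation,
    which is exactly the case in which a mis-issued certificate would be accepted.
    """
    usable = [rr for rr in records if _usable(rr)]
    if not usable:
        return None
    return any(_matches(cert, rr) for rr in usable)
```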