They are not legislating specific APIs. They are legislating that an API has to be provided, just like other laws legislate that you have to provide accessibility APIs, but the details of the APIs are left up to the companies.

I work in aviation, a highly regulated field. And that's a good thing. It does take some work to regulate well; there has been a migration in aviation to more prescriptive regulation about how things need to be, to less prescriptive like what the ultimate performance needs to be. But yeah, the aviation regulations aren't that you have to implement something a specific way, but that you have to be able to show that your aircraft has no more than a certain probability of catastrophic failure (where the probability varies base on certain things like the size and type of aircraft).

For this age verification law, all that is required is that there is an API provided for this purpose, and there is a way for the owner of the machine to set up user accounts with age information indicated, and that the APIs need to provide several rough age ranges, not specific birthdays.

Years later: "The current measures are a step in the right direction, but we have found them insufficient. We are now requiring the use of this specific proprietary binary blob for any action related to the verification process. It will conveniently run as a daemon so its exposed API will be accessible to any application that needs to query it, and it will automatically update itself so you don't have to worry about it, just set it up once and forget about it."

It might also include some additional text like "we have decided to collaborate with systemd to integrate this proprietary binary blob, to maximize the reach and eliminating any pains in the setup process caused by the vibrant ecosystem of package managers, while at the same time avoiding disrupting the development process of the Linux kernel".