pas 3 hours ago

The EU has the NIS2 directive, the CRA (cybersecurity resiliency act), and a few sector-specific ones (DORA for financial, MDR/IVDR for medical/diagnostic, and there are probably a bunch more).

These are slowly but surely pushing manufacturers/sellers/distributors to try to do the right things.

It requires transparency about support period commitment, a bug tracker program, issuing updates (I guess in case there's a CVE), doing risk assessment during development, etc., and requirements kick in based on turnover (or headcount).

And it seems like the correct approach; these are already things good products come with.