I appreciate Mozilla's advocacy work, but this write-up needs a little more meat on the bone - it's not clear at all from reading what the EU's new law actually does. Will the EU no longer be arresting security researchers following responsible disclosure practices? (And how would those be defined?)

The devil is always in the details with these things, so it would be nice to see a bit more detail here.