These are slowly but surely pushing manufacturers/sellers/distributors to try to do the right things.
It requires transparency about the support-period commitment, a bug tracker program, issuing updates (I guess in case there's a CVE), doing risk assessment during development, etc., and the requirements kick in based on turnover (or headcount).
And it seems like the correct approach; these are already things good products come with.