S11: Software Liability Gets Real

Series

EU DORA is now enforced: boards are personally liable, and financial entities face 3-hour incident reporting. The EU CRA will require a CE mark on every product with digital elements by December 2027. CISA is pushing secure-by-design and vendor-as-least-cost-avoider liability. All three regimes converge on one demand: a platform-emitted evidence chain that proves what was shipped, when, and signed by whom.

Regulation is a platform problem now. The evidence chain is SBOM + in-toto attestation + signed build provenance + runtime event stream. If the platform cannot emit it on demand, the CISO carries the liability. This series wires the pipeline.