Yes but so what? EU regulation is always like this, it contradicts itself and is impossible to interpret. Governments must be able to access encryption (unstated but obvious: without the target knowing they're being spied on), but the solution must also protect personal data and be "transparent".

"Which means that the right to put something that clones the authentication session on a targeted device would do the job, no need to ban maths."

You don't actually know that, you're just hoping that it means something like that. In reality, they will keep the rules vague and then attach massive fines to non-compliance so they get to do the following trick: make everyone involved in implementation super scared so they use a maximalist interpretation, then when people complain to the Commission they say "no we didn't intend that, our rules are actually super reasonable, go complain to the companies". Or one day the ECJ will 'discover' an interpretation that nobody knew about and everyone suddenly has to change the way they do things overnight, then the usual EU water carriers will post here on HN claiming everyone should always have known it from the start.

Same thing that was seen with GDPR, EU competition law and other cases. It's become a standard trick. Good law doesn't have this problem; the meanings and consequences are always clear.