The European Cyber Resilience Act

I don't see why; Nothing forces the software author to make the softare available to everyone in the world. If the author blocks EU IP addresses from their download side, that's not a GPL restriction.

Now if someone _else_ distributes the software within the EU -- say, Debian, will Debian face liability?

(FWIW, I have a really hard time seeing how any major Linux distribution could continue to exist under the CRA. Or should only RHEL or SLES face liability because those are commercial products, but CentOS/Fedora or OpenSUSE/Tumbleweed not be, as they're provided Gratis, As-Is?)