The only mitm that can be done is at the server itself or in a website pretending to be the requested server. But for this to work, you need to have the private and public keys of the server you want to act like.

Maybe I misunderstand what you’re saying, but since the wide majority of EU citizens use their ISP’s DNS, it’s trivial for them to mandate a domain redirection to another server which would act as a proxy of the original (and thus only need the original server’s public key).

So far, the only protection we have against that are:

1. Changing DNS (WAY too complicated for the average user, also brings the DNS’ own contry’s censorship)
2. The fact that they wouldn’t have a valid certificate for it because any sensible CA would see it for what it is: a MITM.

That’s why, to my understanding, this is such a big deal. At any point, ANY EU gov (and I want to emphasis that part because ot’s important in the context of tjhs law) can request a change of DNS from their ISP’s DNS (many already do right now) and emit a fully trusted certificate for the domain they want to MITM.

… until the EU and maybe even the US rolls around and slaps Microsoft with an antitrust lawsuit. Sounds like a best case scenario :D