Comment on EU Article 45 requires that browsers trust certificate authorities appointed by governments
wdx@feddit.de 11 months ago
There can be an infinite number of certificates for a single domain.
When you set up a connection to a website, you basically get a response back that has been signed with a certificate.
Your browser / OS has a list of certification authorities that it deems trustworthy.
So when you get the response, the browser checks if the certificate was issued by a trusted CA.
Now, if the EU forces browsers to trust their CA, they can facilitate a man-in-the-middle attack.
In this instance they will intercept the TLS handshake and give you back a response that was signed by their certificate. Your browser deems the certificate valid and sets up a secure tunnel to the EU's server.
From then on they can forward packets between you and the real website while being able to read everything in cleartext.
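
The trust-store check described in the comment above, as an added example that is not part of the original comment: two throwaway CAs each issue a certificate for the same name, and chain validation is compared before and after the second CA is added to the store, alongside the public-key pin that still tells the two certificates apart. The names `example.test`, `usual-ca` and `mandated-ca` are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Constructed demo; example.test, usual-ca and mandated-ca are hypothetical names.
set -eu
WORK=$(mktemp -d)
# Minimal request config so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

# make_ca NAME: self-signed root CA, written to $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA LEAF: certificate for example.test with a fresh key, signed by CA
issue_leaf() {
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok STORE LEAF: chain validation only, i.e. "was this issued by a trusted CA?"
chain_ok() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# spki_pin LEAF: base64 SHA-256 of the leaf public key, the value a key pin records
spki_pin() {
  openssl x509 -in "$WORK/$1.pem" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

make_ca usual-ca
make_ca mandated-ca
issue_leaf usual-ca site            # what the real server presents
issue_leaf mandated-ca intercepted  # same name, different key and issuer
cat "$WORK/usual-ca.pem" > "$WORK/store-before.pem"
cat "$WORK/usual-ca.pem" "$WORK/mandated-ca.pem" > "$WORK/store-after.pem"

for leaf in site intercepted; do
  for store in store-before store-after; do
    chain_ok "$store" "$leaf" && r=accepted || r=rejected
    echo "$leaf against $store: $r"
  done
  echo "$leaf pin: $(spki_pin "$leaf")"
done
```

Chain validation alone cannot separate the two certificates once both CAs are in the store; the pin (or a Certificate Transparency lookup for the name) is what still shows that the key and issuer changed.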