When the ban happens it'll be really easy to implement without requiring only government approved hosts or any such distributed measures requiring enforcement. Certificate Authorities.
There are just a handful of corporations that get to decide which websites are visitable every 90 days. Put a bit of legal pressure on the corporate certificate authorities and there's instant centralized control of effectively the entire web thanks to corporate browser HTTPS-only defaults and HTTP/3 not being able to use self-signed certs for public websites.
The full list of CAs with root certs in corporate browsers is fairly short. That's all that matters. If your CA isn't in $browser/$os cert root store then it's not going to be useful.
$ ls -lathr /etc/ssl/certs/ | wc -l
265
And of those far fewer are going to actually be giving out certs to human people. CAs are the chokepoint but I acknowledge that saying 'a handful' was hyperbolic. A few dozen.
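Added example, not part of the thread: a count of distinct root certificates in a trust directory, deduplicated by SHA-256 of the DER bytes, since a raw `ls -la | wc -l` also counts the `total` line, `.` and `..`, hash symlinks and any concatenated bundle file. The function name `audit_trust_dir` and the default path are assumptions for illustration.

```python
import base64
import hashlib
import os
import re
import sys

# A PEM certificate block; the body is base64-encoded DER.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def audit_trust_dir(path):
    """Return (directory_entries, distinct_certificates) for a trust directory."""
    entries = 0
    fingerprints = set()
    for name in os.listdir(path):
        entries += 1
        full = os.path.join(path, name)
        # isfile() follows symlinks; subdirectories and dangling links are skipped.
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        for match in PEM_BLOCK.finditer(data):
            try:
                body = b"".join(match.group(1).split())
                der = base64.b64decode(body, validate=True)
            except ValueError:
                continue  # not valid base64, ignore the block
            # Same DER bytes reached via a symlink or a bundle count once.
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return entries, len(fingerprints)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"
    entries, distinct = audit_trust_dir(target)
    print(f"{target}: {entries} directory entries, {distinct} distinct certificates")
```

The distinct count is an upper bound on the number of CA operators, because one organization often holds several roots.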