Why do you think that? It can take a few years for national laws bring in place, but that also depends on how much certain countries push it. Regarding Internet traffic I assume a few specific countries that route most of the traffic would be enough to stop operation for the most part.

Have you ever seen an actual EU-wide decision on such matters and an actual application?

The closest I can think of is GDPR which has its great aspects and also the cookies law (which is incorrectly interpreted). And some things like private IPs being PIIs which promotes nonsnsical "authorities notifications" that are not used afterwards.

We have consulting companies doing yearly audits on companies to close the books. And yet hacks happen all the time. Without consequences.

There is an ocean between what is announced and lives on paper vs. the reality of the application. If you work in compliance and cubersecurity you see this everyday.