Have you ever seen an actual EU-wide decision on such matters and an actual application?

The closest I can think of is GDPR which has its great aspects and also the cookies law (which is incorrectly interpreted). And some things like private IPs being PIIs which promotes nonsnsical "authorities notifications" that are not used afterwards.

We have consulting companies doing yearly audits on companies to close the books. And yet hacks happen all the time. Without consequences.

There is an ocean between what is announced and lives on paper vs. the reality of the application. If you work in compliance and cubersecurity you see this everyday.