
GDPR Was Supposed to Force Migration. 7 Years Later, Legacy Won.

The EU's data protection law created the world's strictest compliance regime. European websites are still 75%+ legacy. The regulation didn't change the infrastructure.


The Compliance Paradox

GDPR was enacted in 2018 with the explicit goal of forcing organizations to take data protection seriously. Eight years later, WebPulse data shows European web infrastructure is still overwhelmingly legacy. WordPress, Drupal, and Joomla — frameworks with a combined 13,334+ CVEs — still power the majority of EU websites.

European organizations added cookie consent banners, published privacy policies, and appointed Data Protection Officers. What they didn't do: examine whether a framework with 11,334 known vulnerabilities is an appropriate foundation for GDPR-compliant data processing.

75%+ EU legacy framework share: WordPress + Drupal + Joomla combined across EU TLDs. Source: WebPulse Common Crawl WARC scan.

Article 25: Data Protection by Design

GDPR Article 25 requires 'data protection by design and by default.' Running a contact form that collects personal data on WordPress — a framework with 23 actively exploited vulnerabilities in CISA's catalog — is difficult to reconcile with 'by design.' The enforcement gap exists because regulators evaluate policies and procedures, not infrastructure. No DPA has yet audited a company's web framework choice. When one does, the precedent will force migration across the continent.

The Nordics Show What's Possible

Nordic countries show marginally higher modern framework adoption than southern and eastern Europe — but the 'Nordic digital leadership' narrative doesn't hold up in the data. Even Scandinavia runs majority legacy stacks. The EU needs a framework-level security standard, not just a data protection regulation. Until then, GDPR will continue to be implemented with cookie banners on vulnerable WordPress sites.

23 WordPress actively exploited CVEs: in CISA's Known Exploited Vulnerabilities catalog (confirmed in-the-wild attacks). Source: CISA KEV.