This is just how it works. I'm not making the rules. The CNIL send "mise en demeure" to companies that do not complies with the GDPR and even before that with the "loi informatique et libertés" and if the companies ignore the "mise en demeure" after some time the CNIL can fine them.

It also happens that the CNIL is notoriously more and more lenient on a lot of things.