They aren't but the nature of the process is "Everyone gets an opinion" that takes a lot of time. So they spent over a year soliciting opinions, sorting out legal issues etc, and came up with "we need some kind of authorization system on top of whois" but they've got to build it and they have 0 competence in that realm, so it will need to be put back out to committee. A process will have to be devised, a spec written, spec adopted etc. Its a huge slow bureaucracy. 2 years is fine to expect a business to be compliant with something, for a pseudo governmental organization its not nearly enough time.
That simply not true. The EU data protection Working Party (Article 29 aka. WP29) has being telling them since 2003 that Whois is not compatible with EU law [0]. That's well over a decade.
GDPR was announced over 2 years ago, why are they only just starting now?