Although GDPR took effect two years ago, the European Commission (EC) issued a report card today that found its sweeping set of privacy protections remains a work in progress. The General Data Protection Regulation policy represents a big step toward limiting the power of major digital platforms such as Google, Facebook, and Twitter, but enforcement across member states remains a challenge.

In the report, the EC patted itself on the back for raising awareness about privacy across Europe, as well as for a growing number of enforcement actions against tech companies. But the report also found GDPR’s impact continues to be limited, due to fragmentation across its member states and insufficient resources at some of the leading data privacy authorities.

While it’s hardly a final judgment, the two-year evaluation will be closely scrutinized by countries considering their own data privacy regulations, and likely by tech companies themselves. The perceived success or failure of GDPR could have a big impact on whether such companies will face an array of tougher regulation and enforcement.

“The general view is that two years after it started to apply, the GDPR has successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data,” the report says. “However, a number of areas for future improvement have also been identified.”

On the positive side, the report cites a survey that found 69% of the EU population (aged 16 or older) were aware of GDPR and 71% of people had heard of their national data protection authority. The adoption of GDPR has also encouraged other countries — such as Australia and New Zealand — to consider similar measures.

But the report identifies a host of weaknesses that need to be addressed. One of the most fundamental is that the set of rules remains highly fractured. While the EU adopted the overall GDPR, member states still had to pass laws that harmonized local rules with the new regulations. And while GDPR was fairly detailed, it included enough generalization that the rules enacted by each member state vary quite a bit. “Developing a truly common European data protection culture between data protection authorities is still an on-going process,” the report says.

The enforcement of GDPR rules falls to the authorities in individual member states. And the differences in rules across countries make it difficult for those authorities to cooperate on cases and take joint enforcement actions. In one example, the EC noted that countries still have different ages of consent for children. In rare cases when cooperation happens, authorities have to favor the weaker of two sets of rules. The different applications also confuse multinational companies operating in the region.

“This fragmentation also creates challenges to conducting cross-border business, innovation, in particular, as regards new technological developments and cybersecurity solutions,” the report says.

Budgets for data protection increased by 49% between 2016 and 2019, and enforcement staffing for data authorities has grown 42%. Still, governments in Ireland and Luxembourg, where many tech companies have their international headquarters, lack the resources needed to handle their immense caseloads, the report says.

The EC plans to study national legislation adopted in the wake of GDPR to find ways to reconcile these rules across the continent. And the regulatory body is once again urging member states to invest enough to allow the legislation to deliver on its promise.