Cookies can be divided into subcategories and depending on what type they are, they may or may not be covered under this ruling.
Heres a nice breakdown of what does and doesn't have to be included in the reject all option https://gdpr.eu/cookies/ and also a bit of info about the ePrivacy directive that seems to be what the TDDDG law is based on.
So websites with competent cookie management shouldn't break if a user "rejects all"
The ePrivacy Directive from 2002 already covers this so each EU country should have their own laws regulating cookies with regards to this directive.
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058
(25)
So this should have been a thing since even before GDPR was introduced. Cookie banners or some other form of informed consent like Do Not Track should have been standard and enforced at a country level even before Facebook, Youtube and co even got off the ground.
The story above says its a violation of the German TDDDG law that seems to be based on the ePrivacy Directive so this is them finally using the regulations of cookies that was established over 2 decades ago.
The legislation does exist, it just looks different in each country and no country was bothered to really enforce the law but now it seems GDPR has enabled countries to throw around the whole weight of the EU as opposed to just one country's weight since its unified across the EU.
I've only had to complain to 2 websites (One pretty big website and one small local website) about not having an explicit option to reject specific cookies as outlined in the ePrivacy directive and both websites are now compliant. So it does exist and it does work but nobody is willing to or doesn't know they can make complaints about websites that don't comply with cookie consent.
The EU can't monitor every single website, its just not realistic so its up to users to be informed of their rights and be willing to complain to these websites and then to their local regulator if those websites don't comply.