Not all companies store IP addresses. Or email addresses for that matter. And whether or not an email is PII depends on a lot of factors for your company but alone an email address is not legally PII.

>So basically everything uses pii even if it is only for bot and ddos protection

If I use Cloudflare for example, as DDoS mitigation, I am not storing PII, Cloudflare is and thus Cloudflare has to deal with the legalities of that.

Even just transferring is not allowed without consent. And if you are the "controller" (ie. you are using Cloudflare to serve your customers) you would take the fine, not Cloudflare. And IP and email are PII.