For example, if you're a CDN business, and naturally need to fight DDOS attacks, then storing exact IP addresses for all requests for a few weeks easily falls under "legitimate interest" (GDPR 6.1.f). On the other hand, if you're a political news site, then storing IP addresses and URL for the purpose of determining political preferences of people without their consent is very clearly illegal, taking into account that IP address can often be static and so identify specific person.
Yes, it means that you have some decisions to do yourself, and the regulator might disagree with your decisions, but that's true about pretty much every new law, no?