That depends on how the GDPR is implemented within the country. E.g. the above is factual for Belgium, but _not_ factual for The Netherlands. "Autoriteit Persoonsgegevens" has been notifying everyone to comply, government website or not. It's a steep learning curve though; there's also a multi-year effort to have government websites make use of TLS/certificates.
Edit: A reference: https://www.rijksoverheid.nl/onderwerpen/privacy-en-persoons...:
"Sinds 25 mei 2018 moeten overheden, bedrijfsleven en verenigingen voldoen aan de Algemene Verordening Gegevensbescherming (AVG)."
"Since 25 May 2018, governments, businesses and associations must comply with the General Data Protection Regulation (AVG)."
Overheid.nl is the official government site.