The main change GDPR brought to it (as I understand it) is that it introduced stricter rules about how consent works. But even though GDPR doesn't specifically require cookie warning, it does require that you get informed consent from people before you store personally identifiable information about them; in many cases this effectively means getting their permission before using tracking cookies.
So tl/dr, it's primarily PECR that covers cookie handling, but GDPR also plays a role.
It's covered by PECR. There's a good overview of the rules here: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
The main change GDPR brought to it (as I understand it) is that it introduced stricter rules about how consent works. But even though GDPR doesn't specifically require cookie warning, it does require that you get informed consent from people before you store personally identifiable information about them; in many cases this effectively means getting their permission before using tracking cookies.
So tl/dr, it's primarily PECR that covers cookie handling, but GDPR also plays a role.