NIST 800-88 versus DIN 66399: two standards side by side
Anyone serving an international client or parent company will sooner or later face two different vocabularies for the same subject. American contracts refer to "NIST 800-88 Purge" or "Destroy". European contracts refer to DIN 66399 P-5 or H-4. They are not translations of each other; they ask different questions. Mixing them up leads to audit surprises.
NIST 800-88: a process standard
The American standard NIST Special Publication 800-88 (Guidelines for Media Sanitization) splits media sanitisation into three levels in order of severity:
- Clear: overwriting all user data through standard interfaces. Suitable for reuse inside your own organisation.
- Purge: stronger methods such as the secure-erase command, cryptographic erasure, or degaussing for magnetic media. Suitable for reuse outside the organisation.
- Destroy: physical destruction such as shredding, melting, incinerating. For end-of-life when the medium no longer needs to function.
NIST looks at the goal: after sanitisation, can you reasonably rule out recovery of the data? The standard does not specify exact particle sizes but does specify which method is appropriate for which media class. For an SSD, for example, "Clear" by overwriting is unreliable (wear levelling), so Purge or Destroy is required. Read our article on SSD destruction.
DIN 66399: a specification standard
The German and de facto European standard DIN 66399 looks instead at the result: how big are the fragments after destruction? The standard splits by medium type:
- P (Paper): P-1 to P-7, based on the surface area of paper shreds in mm².
- F (Film): film and microfilm.
- O (Optical): CD, DVD, Blu-ray.
- T (Magnetic): hard drives, magnetic tape.
- H (Hard drive): hard drives specifically.
- E (Electronic): electronic media with memory chips, so SSDs, USB sticks, memory cards.
For each medium type, DIN sets three protection classes (1 = normal, 2 = elevated, 3 = especially sensitive) and seven security levels (1 to 7). Read our article on DIN 66399 P-5 and P-6 for the paper details.
A translation table
The two standards overlap but do not fully cover each other. A simple translation table for hard drives:
| NIST 800-88 | DIN 66399 (HDD) | Method |
|---|---|---|
| Clear | n/a (DIN is physical only) | Software overwrite |
| Purge | H-2 / H-3 | Degaussing or crypto-erasure |
| Destroy | H-4 / H-5 | Crushing or shredding to fragments |
| Destroy (defence) | H-6 / H-7 | Fine shredding |
For paper, translating in the other direction is trickier, because NIST does not prescribe specific particle sizes for paper. An American contractual "cross-cut shredding" broadly corresponds to DIN P-3 or P-4.
Rule of thumb: NIST describes the policy (which level when), DIN describes the implementation evidence (which particle size in the end). Together the two give full coverage.
Which standard for which organisation?
- American parent companies or customers. Use NIST 800-88 in contracts and ask the supplier for the DIN classification as evidence.
- EU organisations with GDPR obligations. DIN 66399 is dominant in the European supplier market, and GDPR supervision sees the DIN standard as an "appropriate technical measure".
- Defence or high-security. Ask for both: NIST Destroy plus DIN H-6 or H-7.
- Multinationals with mixed data. Reference both standards in your policy and pick a supplier that can certify against both on the same certificate.
Combination with method choice
How you choose between degaussing, crushing or shredding depends on which standard level you are targeting. If you want to meet NIST Purge, degaussing is enough for HDDs. For NIST Destroy you must shred or crush plus degauss. For DIN H-5 shredding is required; degaussing alone does not suffice.
What belongs on your certificate?
A good destruction certificate names both standards where relevant. Example: "Destroyed in line with DIN 66399 P-5, equivalent to NIST 800-88 Destroy." That gives the auditor evidence for both regimes in one line and prevents you from re-deriving it at the next audit.
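As an added example (not code from this article or its publisher), the Python check below parses a certificate statement in the wording shown above and compares the claimed NIST level against the hard-drive translation table on this page. The function name, status strings and sample lines are assumptions constructed for illustration; media without a table row are reported as unverified rather than guessed.

```python
import re

# DIN H level -> NIST level, copied from the hard-drive translation table above.
H_LEVEL_TO_NIST = {2: "Purge", 3: "Purge", 4: "Destroy", 5: "Destroy",
                   6: "Destroy", 7: "Destroy"}
DIN_MEDIA = set("PFOTHE")                    # medium letters listed on the page
NIST_LEVELS = ("Clear", "Purge", "Destroy")  # ordered weakest to strongest

CERT_RE = re.compile(
    r"DIN\s*66399\s+(?P<medium>[A-Z])-(?P<level>\d)\b.*?"
    r"NIST\s*(?:SP\s*)?800-88\s+(?P<nist>[A-Za-z]+)", re.S)

def check_certificate(text, required_nist=None):
    """Return (status, findings) for one certificate statement (hypothetical helper)."""
    m = CERT_RE.search(text)
    if not m:
        return "unparsed", ["no 'DIN 66399 X-n ... NIST 800-88 <level>' statement"]
    medium, level, nist = m["medium"], int(m["level"]), m["nist"].capitalize()
    findings = []
    if medium not in DIN_MEDIA or not 1 <= level <= 7:
        findings.append(f"{medium}-{level} is not a DIN 66399 class")
    if nist not in NIST_LEVELS:
        findings.append(f"'{nist}' is not a NIST 800-88 level")
    if findings:
        return "invalid", findings
    if required_nist and NIST_LEVELS.index(nist) < NIST_LEVELS.index(required_nist):
        findings.append(f"contract requires {required_nist}, certificate claims {nist}")
    if medium != "H" or level not in H_LEVEL_TO_NIST:
        # Only hard drives have a table on the page; do not guess other mappings.
        findings.append(f"no table row for {medium}-{level}, review manually")
        return ("mismatch" if len(findings) > 1 else "unverified"), findings
    if H_LEVEL_TO_NIST[level] != nist:
        findings.append(f"H-{level} maps to {H_LEVEL_TO_NIST[level]}, not {nist}")
    return ("mismatch" if findings else "ok"), findings

# Constructed sample statements; the first is the wording quoted in the article.
SAMPLES = [
    "Destroyed in line with DIN 66399 P-5, equivalent to NIST 800-88 Destroy.",
    "Destroyed in line with DIN 66399 H-5, equivalent to NIST 800-88 Destroy.",
    "Processed per DIN 66399 H-3, equivalent to NIST 800-88 Destroy.",
    "Drives wiped and recycled responsibly.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_certificate(s, required_nist="Destroy"), "<-", s)
```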
A final certificate with both standards.
Our certificates state DIN 66399 P-5 and NIST 800-88 Destroy where applicable, for paper and hardware alike.
Does your customer or parent company specify a particular standard in the contract? Email us via desnipperaar.nl and we will deliver a certificate that satisfies both.