Whereas both, essentially, address the security of information services (is privacy an aspect of security, or an area of its own?), there are differences with different implications at the governance level:
- the GDPR is a regulation and applies directly, that is, it does not need to be transposed into national law by the member states. The NIS directive does need to be transposed into local law.
- Whereas GDPR is all about privacy, NIS is about the availability of services. An example is a water operator whose control systems are compromised so that it becomes unable to deliver clean water.
- Both protect the ordinary consumer and citizen, but whereas GDPR directly protects the privacy of consumers, NIS is more indirect: I presume enforcement will come from the regulators themselves, one for each sector.
- Penalties (still to be determined for NIS, since each member state sets its own) are substantial in both cases, but whereas GDPR can potentially kill a business overnight, with fines of up to 20M EUR or 4% of global annual turnover, whichever is higher, utilities are much less vulnerable. First, utilities are very large companies, where provisioning for fines is always a mitigation option in the risk register; second, they are usually too big to fail, so an essential service provider cannot simply be shut down overnight.
- GDPR's subject is citizens and consumers. Which organisations count as "Operators of Essential Services" is still to be defined (it is part of the consultation).