According to Apple’s statement, iPhones and iPads running iOS 26 and iPadOS 26 underwent detailed security testing and evaluation conducted by Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Based on this assessment, the built-in protection mechanisms – including high-grade encryption, Face ID biometric authentication, and features such as Memory Integrity Enforcement – were deemed compliant with international and government security standards, even for data subject to NATO restrictions.
With this certification, iPhone and iPad devices may be used to handle information classified at the “restricted” level across the North Atlantic Treaty Organization without requiring additional software installations or specialized hardware configurations. Apple emphasized that no other consumer mobile device has previously received this level of certification – until now, similar capabilities required dedicated secure devices or specialized solutions.
According to the company, the certification has been listed in the NATO Information Assurance Product Catalogue, formally confirming compliance with security criteria used by NATO member states. Apple stated that its devices are designed with security at their core – both at the hardware and software levels – and that these safeguards have now been recognized by international governmental institutions as sufficient for restricted-information environments.
Previously, iPhone and iPad devices had obtained comparable approval only for handling classified data within the German government context, but NATO-level certification broadens their potential use across member states’ government and defense environments.
Although the certification applies to the restricted level – the lowest classification tier within NATO – the recognition of consumer devices as meeting such standards is widely seen as an important step toward expanding the role of mainstream mobile hardware in secure systems. In practice, this could mean that devices used daily by millions of people may become part of more advanced IT infrastructures handling strategically sensitive data, provided the broader system meets additional security certification requirements.

