iPhone and iPad running iOS 26 can now handle restricted NATO information without special software, though security experts warn consumer devices create new attack surfaces.

Apple announced Thursday that iPhone and iPad became the first consumer mobile devices approved to handle classified NATO information up to the restricted level, following extensive security testing by Germany’s Federal Office for Information Security.

The certification enables NATO personnel across all member nations to use standard iOS 26 and iPadOS 26 devices for restricted data without requiring specialized software, containerization or additional security layers—a milestone no other consumer device manufacturer has achieved.

Germany’s BSI conducted exhaustive technical assessments, comprehensive testing and deep security analysis to verify Apple’s built-in platform security capabilities met NATO nations’ operational and assurance requirements. The devices now appear on NATO’s Information Assurance Product Catalogue, formally recognizing that Apple’s hardware-software integration provides adequate protections for restricted classified information.

Also read: NATO Faces Escalating Cyberthreats: From Espionage to Disinformation

“Secure digital transformation is only successful if information security is considered from the beginning in the development of mobile products,” said Claudia Plattner, BSI’s president. The certification builds on Apple’s previous approval to handle classified German government data using native iOS and iPadOS security measures without third-party modifications.

Apple stressed that its security architecture differs fundamentally from traditional approaches requiring bespoke solutions. “Prior to iPhone, secure devices were only available to sophisticated government and enterprise organizations after a massive investment in bespoke security solutions,” said Ivan Krstić, Apple’s vice president of Security Engineering and Architecture. “Instead, Apple has built the most secure devices in the world for all its users, and those same protections are now uniquely certified under assurance requirements for NATO nations.”

The certification relies on Apple’s integrated security features including hardware-based encryption through the Secure Enclave processor, biometric authentication via Face ID, Memory Integrity Enforcement preventing code injection attacks, and comprehensive device encryption that protects data at rest and in transit. These capabilities operate across Apple’s custom silicon, operating system and applications without requiring users to enable special modes or install government-specific software.

NATO’s “restricted” classification represents the alliance’s lowest tier for classified information, covering data requiring protection but not meeting thresholds for confidential, secret or top secret designations. Restricted information typically includes operational planning details, logistics coordination and administrative documents that could aid adversaries if disclosed but would not directly compromise critical security operations.

The approval marks a pragmatic shift in how governments balance security requirements against operational flexibility. NATO personnel can now use familiar consumer devices rather than specialized hardened phones that typically cost thousands of dollars per unit, offer limited functionality and create friction in daily workflows. The consumer device approval potentially saves member nations substantial procurement costs while improving user adoption.

However, security experts note that consumer devices certified for government use introduce considerations absent from purpose-built secure communications platforms. Unlike specialized government phones designed exclusively for classified communications, iPhones and iPads run consumer applications, connect to public networks and integrate with cloud services creating expanded attack surfaces.

A cryptography professor at a known U.S. University, told The Cyber Express that he would still want to be cautious on this since in the past few years, Apple’s security architecture has been proven to have consumer threats, including nation-state adversaries targeting NATO countries. “The question isn’t whether Apple has good security—they do. It’s whether consumer devices designed for billions of users can adequately protect against targeted attacks by adversaries specifically hunting for NATO intelligence,” he said.

Also read: Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

The certification also raises questions about long-term support and update requirements. Consumer devices receive operating system updates for limited periods before Apple designates them obsolete. Government security requirements typically demand decades-long support commitments that conflict with consumer product lifecycles where devices become outdated within five years.

Apple has not disclosed whether NATO members negotiated extended support agreements, how the company will handle security vulnerabilities discovered in iOS 26 after consumer support ends, or whether classified data handling requires organizations to prevent users from installing consumer applications that could introduce risks.

The announcement follows Apple’s decade-long effort to gain U.S. government security clearances. The U.S. Department of War (formerly know as Department of Defense) approved iPhones for handling certain classified information in 2013-14, though those implementations required mobile device management software and container applications separating classified data from personal use—requirements NATO’s certification explicitly eliminates.

Despite concerns, the NATO approval represents validation that Apple’s security-by-design approach can meet rigorous government standards for protecting sensitive information, potentially encouraging other consumer technology manufacturers to prioritize security architecture capable of government certification rather than relying on post-hoc security layers.