Apple has announced that the iPhone and iPad have met the information assurance requirements set by NATO nations. This certification permits these consumer devices to handle classified information up to the “NATO restricted” level without the need for additional security software or specialized device settings.
According to the announcement, they are currently the only consumer mobile devices to achieve this specific level of government certification.
Certification Process and Background
The approval follows a comprehensive technical assessment, testing phase, and security analysis conducted by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI).
- Previous Approvals: Prior to the broader NATO certification, the BSI had evaluated and approved iPhones and iPads for handling classified German government data, relying solely on native iOS and iPadOS security measures.
- Current Scope: The new certification specifically applies to devices running iOS 26 and iPadOS 26, officially extending the approval for restricted data use across all NATO member nations.
- Official Registry: Following the BSI’s evaluation confirming that the devices meet operational and assurance requirements, iOS 26 and iPadOS 26 have been added to the official NATO Information Assurance Product Catalogue.
Evaluated Security Architecture
The NATO certification relies on the native security infrastructure designed into Apple’s platforms. The assessment evaluated how security measures are integrated across device hardware, software, and Apple silicon processors. Key built-in components that contributed to meeting the compliance standards include:
- System Encryption: Native data-at-rest and data-in-transit encryption protocols.
- Biometric Authentication: Access control managed via Face ID.
- Hardware Protections: Features such as Memory Integrity Enforcement.
Because these integrated protections met the stringent international security requirements for restricted data, the devices do not require third-party modifications to be compliant.