For decades, the assumption inside defence and intelligence establishments has been simple: classified communications require classified hardware. Specialised, expensive, purpose-built devices sat at the heart of sensitive government operations, with consumer products regarded as fundamentally untrustworthy for anything above the level of routine correspondence. That assumption has now been formally challenged.
Apple announced on 26 February 2026 that the iPhone and iPad have become the first consumer devices approved to handle classified information up to the NATO Restricted level. The certification, which applies to devices running iOS 26 and iPadOS 26, has been formalised through inclusion on the NATO Information Assurance Product Catalogue, the alliance's official registry of vetted cybersecurity products that member states and military entities can rely on to meet operational security demands.
The evaluation was led by Germany's Federal Office for Information Security, known by its German acronym BSI (Bundesamt für Sicherheit in der Informationstechnik). BSI first approved the iPhone and iPad for governmental use by German authorities in 2022. That earlier certification, which covered classified German domestic data under the country's own information security framework, served as the foundation for the far more ambitious NATO-wide assessment. BSI conducted exhaustive technical assessments, comprehensive testing, and deep security analysis, ensuring Apple's built-in platform security capabilities met NATO nations' exacting operational and assurance requirements.
What makes the certification commercially and strategically significant is the scope of what it covers. It enables iPhone and iPad to be used with classified information up to the NATO Restricted level without requiring special software or settings, a level of government certification no other consumer mobile device has met. The phrase "no special software or settings" carries real weight here. Traditionally, devices used in such environments required specialised hardware or heavily customised security layers. Under this certification, an off-the-shelf iPhone running iOS 26 can access restricted NATO data without requiring any specialised security software or custom hardware modifications.
The security architecture that satisfied BSI's auditors is built directly into Apple's platforms. Apple's approach allows users to benefit from protections such as best-in-class encryption, biometric authentication with Face ID, and features like Memory Integrity Enforcement. The evaluation reviewed encryption, secure boot processes, memory protection, and authentication systems. Apple's vice president of Security Engineering and Architecture, Ivan Krstić, characterised the milestone in stark terms, saying that prior to iPhone, secure devices were only available to sophisticated government and enterprise organisations after a massive investment in bespoke security solutions.
A critical caveat deserves to be stated plainly. This approval covers information at the NATO Restricted level, which is a specific classification used for data that requires protection but is not as sensitive as Confidential or Secret files. For higher classification tiers, purpose-built government terminals from specialised defence suppliers remain the required standard. The iPhone is not, in other words, about to appear in signals intelligence operations or land on the desk of a senior intelligence analyst handling top-secret material. The Restricted classification sits at the base of NATO's hierarchy, covering information whose unauthorised disclosure could disadvantage alliance interests without necessarily threatening operational security at the highest levels.
There are legitimate questions about what this certification does and does not resolve. Critics of consumer technology in sensitive environments have long pointed not only to device security, but to the broader ecosystem surrounding it: cloud backup services, third-party application stores, data-sharing arrangements embedded in software agreements, and the commercial incentives of technology companies that may conflict with state security interests. A certification from BSI speaks to the platform's technical security architecture. It does not, on its own, resolve every concern about how a consumer technology giant handles government data in practice, or how procurement decisions across 32 NATO member nations should respond.
BSI president Claudia Plattner acknowledged the significance of the result while grounding it in a broader principle. "Secure digital transformation is only successful if information security is considered from the beginning in the development of mobile products," she said, adding that BSI was "pleased to confirm the compliance under NATO nations' assurance requirements."
For Australia, the implications are worth watching. Australia is a member of the Five Eyes intelligence alliance and a close partner of NATO through a range of security arrangements, including the AUKUS partnership. Australian government agencies have their own frameworks for evaluating and approving devices for use with sensitive information, administered through the Australian Signals Directorate. Whether the BSI certification carries weight in Australian procurement discussions remains an open question, but the direction of travel in allied nations is now clear: rigorous, independent testing of consumer hardware is producing results that the specialist industry did not anticipate.
The honest assessment of this development sits somewhere between the marketing enthusiasm of Apple's press release and the scepticism of those who view any commercial device as inherently unsuitable for government use. The testing process that underpins this certification was genuine, lengthy, and conducted by a credible independent authority. The classification level it covers is real but limited. What the BSI's work has established is that it is possible, at least at the Restricted tier, for mass-market consumer hardware to meet the standards that defence establishments have historically reserved for custom-built solutions. Whether that represents a quiet revolution in secure communications or simply a well-earned endorsement of one product tier is a debate that governments, not technology companies, will ultimately need to resolve.