On 2026.02.26, Apple announced iPhone and iPad running iOS 26 and iPadOS 26 are certified for, and can be used with classified information up to the NATO restricted level without requiring special software or settings — a level of government certification no other consumer mobile device has met.
Apple mobile platforms running iOS 26 and iPadOS 26 are now listed on the NATO Information Assurance Product Catalogue in recognition of their built-in security capabilities.
Jason Van der Schyff and James Corera, writing in The Strategist, the Australian Strategic Policy Institute Blog:
What NATO’s decision reflects, then, is a broadening recalibration. For years, parts of the defence ecosystem defaulted to bespoke hardware and software stacks that were often costly, slow to field and difficult to sustain. Meanwhile, commercial platforms have evolved rapidly. Mass-market devices incorporate hardened silicon, secure enclaves—protected sections of the processor designed to safeguard sensitive data and encryption keys—hardware-rooted trust chains and continuous patch cycles operating at global scale.
The strategic shift is not that a phone is inherently secure, but rather that commercial engineering tempo can now intersect meaningfully with classified assurance frameworks.
But this milestone exposes the next layer of the problem.
An approved phone is still only an endpoint. Information and data, classified or otherwise, does not remain static within a device. It synchronises, authenticates, replicates and traverses infrastructure beyond the user’s physical control. Accreditation of an endpoint does not equate to systemic assurance across the full data lifecycle.
The strategic question therefore shifts. It is no longer whether we trust the device but whether we trust the pathways and key material protecting the data once it leaves the device.