ARTICLE
14 October 2025

BIOSECURE Included In Draft National Defense Authorization Act Of 2026

GP
Goodwin Procter LLP

Contributor

Goodwin Procter LLP logo
At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
Explore Firm Details
As of last night, the House and Senate versions of the National Defense Authorization Act of 2026 ("NDAA") both passed each respective chamber of Congress including an amendment...
United States Food, Drugs, Healthcare, Life Sciences
Matt Wetzel,Liza Craig, and Joshuah Turner

This alert reflects our preliminary analysis of BIOSECURE 2.0 (as we are calling it) immediately following the passage of both the House and Senate versions of the FY2026 NDAA. Given that this update is fast-moving, we will continue to monitor developments closely and update our guidance as more information becomes available.

As of last night, the House and Senate versions of the National Defense Authorization Act of 2026 (“NDAA”) both passed each respective chamber of Congress including an amendment that effectively will implement federal government contracting, loan, and grant restrictions similar to the 2024 BIOSECURE Act (H.R. 8333/S. 3558, introduced in May 2024) (“BIOSECURE 1.0”). We refer to this new amendment as “BIOSECURE 2.0.” As of October 10, BIOSECURE has NOT passed – the next step is for the House of Representatives and Senate to reconcile their versions of the NDAA. We do expect to see BIOSECURE 2.0 (as we are calling it) in the final.

How is this version similar to the original?

In many respects, the two laws are similar. BIOSECURE 2.0 – like BIOSECURE 1.0 – would:

  • Prohibit federal agencies from procuring or obtaining biotechnology equipment or services produced or provided by a “biotechnology company of concern.”
  • Prohibit federal agencies from entering into, extending or renewing government contracts with an entity that uses, in performance of that federal contract, biotechnology equipment or services from a “biotechnology company of concern” (either directly or through a sub-contractor).
  • Prohibit federal agencies from issuing grants or loans to purchase, obtain, or use biotechnology equipment or services produced by a “biotechnology company of concern.”
  • Prohibit government loan and grant recipients from using federal grant or loan money to enter into contracts with entities that use equipment from companies of concern, in performance of any federal prime or sub-contract.

How is this version different than the original?

BIOSECURE 2.0 differs from BIOSECURE 1.0 in several ways, but the most fundamental difference is how companies are identified. BIOSECURE 1.0 defined “biotechnology companies of concern” as biotechnology companies that are headquartered in or subject to the jurisdiction of a foreign adversary's government and poses a threat to national security. BIOSECURE 1.0 also explicitly identified four Chinese companies as “biotechnology companies of concern.” BGI, MGI, Complete Genomics, and WuXi AppTec, as well as their subsidiaries, parents, affiliates, and successors were designated initially, and BIOSECURE 1.0 provided the federal government with the opportunity to designate other companies as “biotechnology companies of concern” in the future.

By contrast, BIOSECURE 2.0 will implement a process-based identification system through which “biotechnology companies of concern” will be identified based on a whether the companies meet certain statutorily defined criteria. BIOSECURE 2.0 does not identify any specific companies by name in the legislative text.

In addition, BIOSECURE 2.0 provides more robust due process protections for companies facing designation. A notice of designation as a “biotechnology company of concern” must be issued to any company named in the designation, advising that a designation has been made, identifying the criteria relied upon and the information forming the basis for the designation (to the extent consistent with national security), advising that the company may submit information and arguments in opposition within 90 days, describing the review procedures, and where practicable, identifying mitigation steps that could result in rescission of the designation.

BIOSECURE 1.0 did not provide comparable procedural protections for the four named entities or any entities that would have been later designated as “biotechnology companies of concern” pursuant to the statute.

Does this version name specific Chinese entities?

No. Unlike BIOSECURE 1.0, the new version of BIOSECURE does not name specific Chinese entities in the legislative text. Instead, it establishes two categories for identifying biotechnology companies of concern:

  • A: Entities identified in the Department of Defense's annual list of Chinese military companies operating in the United States pursuant to section 1260H of the NDAA for 2021 (the “1260H List”).
  • B: Entities determined via a designation process to be subject to the administrative governance structure, direction, control, or operates on behalf of the government of a foreign adversary (i.e. China); is to any extent involved in the manufacturing, distribution, provision, or procurement of biotechnology equipment or service; and poses a risk to national security based on specific criteria.

It also includes any subsidiary, parent, affiliate, or successor entity of one of these entities.

What is the 1260H List and how often is it updated?

The  1260H list (also known as the 1260H CMC List) is a roster of “Chinese military companies” operating, directly or indirectly, in the United States. The Department of Defense publishes the 1260H List annually in the Federal Register. Entities that are on the 1260 H list are:

  • directly or indirectly owned, controlled by, or acting on behalf of the Chinese military or related authorities (e.g., PLA, Central Military Commission); or
  • contributing to the Chinese military civil fusion (a broad set of connections to China's defense-industrial complex), and engaging in commercial services, manufacturing, production, or export in the U.S. or its territories.

Any newly identified “Chinese military companies” that are added to the 1260 H list will automatically be designated a “biotechnology company of concern” and become subject to the prohibitions of BIOSECURE 2.0. Upon enactment, all entities currently on the 1260H list, last updated on January 27, 2025, will immediately be designated as “biotechnology companies of concern.”

What is the Designation Process for Identifying Other Companies of Concern?

The designation process identifying other companies of concern involves multiple steps:

  • The Secretary of Defense, in coordination with the Attorney General, the Secretary of Health and Human Services, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of State, and the National Cyber Director, provides a list of suggested entities to the Director of the Office of Management and Budget.
  • The Director of the Office of Management and Budget then evaluates whether each entity is:
    • Subject to the administrative governance structure, direction, control, or operates on behalf of the government of a foreign adversary;
    • To any extent involved in the manufacturing, distribution, provision, or procurement of biotechnology equipment or service; and
    • Poses a risk to national security.
  • The national security risk criteria include: engaging in joint research with, being supported by, or being affiliated with a foreign adversary's military, internal security forces, or intelligence agencies; providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or obtaining human multiomic data via biotechnology equipment or services without express and informed consent.
  • A notice of designation must be issued to any company named in the designation, and the company may submit information and arguments in opposition within 90 days.
  • The Director of the Office of Management and Budget reviews all information submitted in opposition and issues a final determination before the designation is made publicly available.

How often is the list of “biotechnology companies of concern” reviewed?

BIOSECURE 2.0 provides the government some discretion regarding the review and update of the list. The Director of the Office of Management and Budget, in coordination with multiple agency heads, shall periodically, though not less than annually, review and, as appropriate, modify the list of “biotechnology companies” of concern.

Is WuXi on the list of Chinese entities?

There are no companies explicitly identified in the new legislation; however, WuXi AppTec and others could potentially be designated as a biotechnology company of concern through one of two pathways:

  • If WuXi AppTec appears on the 1260H List in the future, it would automatically qualify as a biotechnology company of concern under Category A.
  • Through the evaluation process where the Secretary of Defense, in coordination with the Attorney General, the Secretary of Health and Human Services, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of State, and the National Cyber Director, provides a list of suggested entities to the Director of the Office of Management and Budget.

Wuxi does not currently appear on the 1260H List.

When does this go into effect?

If passed, there would be a multi-stage implementation timeline:

Stage 1: List Publication – Not later than one year after the date of enactment, the Director of the Office of Management and Budget will publish a list of entities that constitute biotechnology companies of concern.

Stage 2: Guidance Development – Not later than 180 days after publication of the list of biotechnology companies of concern, and any update to the list, the Director of the Office of Management and Budget, in coordination with multiple agency heads, will establish guidance as necessary to implement the requirements of this section.

Stage 3: FAR Revision – Not later than one year after the date of establishment of guidance, and as necessary for subsequent updates, the Federal Acquisition Regulatory Council will revise the Federal Acquisition Regulation as necessary to implement the requirements of this section.

Stage 4: Prohibitions Take Effect

  • For 1260H List companies – the prohibitions take effect 60 days after the Federal Acquisition Regulation is revised.
  • For other biotechnology companies of concern determined through the evaluation process, the prohibitions take effect 180 days after the Federal Acquisition Regulation is revised.

Total Timeline: Assuming the amendment is enacted, the earliest the prohibitions would take effect is approximately 2.5 to 3 years from enactment (1 year for list publication + 180 days for guidance + 1 year for FAR revision + 60-180 days for prohibitions to take effect).

This is longer than the original draft, where prohibitions for named entities take effect 60 days after issuance of OMB guidance or 120 days after enactment, whichever is earlier.

Are existing contracts safe from the ban? Is there a wind-down/uncoupling period?

Yes, there is some protection for existing contracts.

Unlike BIOSECURE 1.0, which would have given companies until January 1, 2032 to wind-down relationships with the named Chinese biotech, BIOSECURE 2.0 treats this question differently.

BIOSECURE 2.0's restrictions will go into effect immediately for contracts with entities on the 1260H List. The current 1260H List is available here:  Entities Identified as Chinese Military Companies Operating in the United States

For contracts with entities that are named in the future, the new legislation provides a 5-year transition period. Put another way, prior to the date that is 5 years after the Federal Acquisition Regulation revision, the prohibitions on contracting with entities using equipment from companies of concern will not not apply to biotechnology equipment or services produced under contracts or agreements, including previously negotiated contract options, entered into before the effective date.

This means:

  • Existing contracts entered into before the effective date of the prohibitions are effectively grandfathered for 5 years after an entity is named and FARs are revised
  • This includes previously negotiated contract options
  • Protection lasts for up to 5 years after the FAR revision
  • This gives entities time to complete existing contracts, identify alternative suppliers, transition to compliant biotechnology providers, and minimize business disruption

What are “biotechnology equipment or services”?

Biotechnology Equipment includes:

  • Equipment, including genetic sequencers, or any other instrument, apparatus, machine, or device, including components and accessories, that is designed for use in the research, development, production, or analysis of biological materials as well as any software, firmware, or other digital components specifically designed for use in and necessary for the operation of such equipment. This encompasses:
    • Genetic sequencers
    • Mass spectrometers (explicitly mentioned in the original BIOSECURE Act)
    • Polymerase chain reaction (PCR) machines (explicitly mentioned in the original BIOSECURE Act)
    • Any other instruments, apparatus, machines, or devices designed for biological research, development, production, or analysis
    • Components and accessories for such equipment
    • Software, firmware, or other digital components specifically designed for and necessary for the operation of such equipment

Biotechnology Services include:

  • Any service for the research, development, production, analysis, detection, or provision of information, including data storage and transmission related to biological materials, advising, consulting, or support services with respect to the use or implementation of such equipment, disease detection, genealogical information, and related services, as well as any other service, instrument, apparatus, machine, component, accessory, device, software, or firmware that the Director of the Office of Management and Budget determines appropriate in the interest of national security. This encompasses:
    • Research, development, production, analysis, or detection services related to biological materials
    • Data storage and transmission services related to biological materials
    • Advising, consulting, or support services regarding the use or implementation of biotechnology equipment
    • Disease detection services
    • Genealogical information services
    • Contract research organization (CRO) services involving biotechnology
    • Laboratory testing services
    • Any other services that the Director of OMB determines appropriate in the interest of national security

The term “biotechnology equipment or services produced or provided by a biotechnology company of concern” is not construed to refer to any biotechnology equipment or services that were formerly, but are no longer, produced or provided by biotechnology companies of concern.

What else does BIOSECURE 2.0 Require?

It will require the U.S. Intelligence Community to complete a comprehensive risk assessment addressing how foreign adversaries collect, store, or exploit multiomic data and submit that report to Congress plus ongoing reporting about “nefarious activities” by biotechnology companies, including selling, licensing, transferring, or sharing Americans' multiomic data with foreign governments and others. The term “multiomic” means data types that include genomics, epigenomics, transcriptomics, proteomics, and metabolomics. This is a critical definition because much of the national security concern centers on foreign adversary access to this type of sensitive biological and genetic information about U.S. citizens.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Matt Wetzel
Matt Wetzel
Photo of Liza Craig
Liza Craig
Photo of Joshuah Turner
Joshuah Turner
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More