BIOSECURE Included in Draft National Defense Authorization Act of 2026

Note: This alert reflects our preliminary analysis of BIOSECURE 2.0 (as we are calling it) immediately following the passage of both the House and Senate versions of the National Defense Authorization Act for Fiscal Year 2026. Since this update is fast-moving, we will continue to monitor developments closely and update our guidance as more information becomes available.

As of October 10, 2025, the House of Representatives and Senate versions of the National Defense Authorization Act for Fiscal Year 2026 (NDAA) both passed each respective chamber of Congress, with the Senate version including an amendment that effectively will implement federal government contracting, loan, and grant restrictions similar to the BIOSECURE Act (HR 8333/S 3558) — or BIOSECURE 1.0 as we are calling it — introduced in May 2024. We refer to this new amendment as BIOSECURE 2.0. As of October 10, BIOSECURE 2.0 has NOT passed — the next step is for the House and Senate to reconcile their versions of the NDAA.

How is BIOSECURE 2.0 similar to the original?

In many respects, the two acts are similar. BIOSECURE 2.0 — like BIOSECURE 1.0 — would prohibit:

• Federal agencies from
  
  • procuring or obtaining biotechnology equipment or services produced or provided by a “biotechnology company of concern”;
  • entering into, extending, or renewing government contracts with an entity that uses, in performance of that federal contract, biotechnology equipment or services from a biotechnology company of concern (either directly or through a subcontractor); and
  • issuing grants or loans to purchase, obtain, or use biotechnology equipment or services produced by a biotechnology company of concern.
• Government loan and grant recipients from using federal grant or loan money to enter into contracts with entities that use equipment from companies of concern, in performance of any federal prime contract or subcontract.

How is BIOSECURE 2.0 different from the original?

BIOSECURE 2.0 differs from BIOSECURE 1.0 in several ways, but the most fundamental difference is how companies are identified. BIOSECURE 1.0 defined “biotechnology companies of concern” as biotechnology companies that are headquartered in or subject to the jurisdiction of a foreign adversary’s government and pose a threat to national security. BIOSECURE 1.0 also explicitly identified four Chinese companies as biotechnology companies of concern. BGI (formerly known as Beijing Genomics Institute), MGI Tech, Complete Genomics, and WuXi AppTec, as well as their subsidiaries, parents, affiliates, and successors, were designated initially, and BIOSECURE 1.0 provided the federal government with the opportunity to designate other companies as biotechnology companies of concern in the future.

By contrast, BIOSECURE 2.0 will implement a process-based identification system through which biotechnology companies of concern will be identified based on whether the companies meet certain statutorily defined criteria. BIOSECURE 2.0 does not identify any specific companies by name in the legislative text.

In addition, BIOSECURE 2.0 provides more robust due process protections for companies facing designation. A notice of designation as a biotechnology company of concern must be issued to any company named in the designation, advising that a designation has been made; identifying the criteria relied upon and the information forming the basis for the designation (to the extent consistent with national security); advising that the company may submit information and arguments in opposition within 90 days; describing the review procedures; and, when practicable, identifying mitigation steps that could result in rescission of the designation.

BIOSECURE 1.0 did not provide comparable procedural protections for the four named entities or any entities that would have been later designated as biotechnology companies of concern pursuant to the statute.

Does BIOSECURE 2.0 name specific Chinese entities?

No, it does not. Unlike BIOSECURE 1.0, the new version of BIOSECURE does not name specific Chinese entities in the legislative text. Instead, it establishes two categories for identifying biotechnology companies of concern:

1. Entities identified in the Department of Defense’s annual list of “Chinese military companies operating in the United States pursuant to section 1260H” of the NDAA for FY 2021 (the 1260H list).
2. Entities that are determined via a designation process to meet the following criteria:
   
   • “Is subject to the administrative governance structure, direction, control, or operates on behalf of the government of a foreign adversary” (e.g., China).
   • “Is to any extent involved in the manufacturing, distribution, provision, or procurement of biotechnology equipment or service.”
   • Poses a risk to national security based on specific criteria.

It also includes any subsidiary, parent, affiliate, or successor entity of one of these entities.

What is the 1260H list and how often is it updated? 

The 1260H list (also known as the 1260H CMC List) is a roster of “Chinese military companies” (CMC) operating, directly or indirectly, in the United States. The Department of Defense (DOD) publishes the 1260H list annually in the Federal Register. Entities that are on the 1260 H list are

• directly or indirectly owned, controlled by, or acting on behalf of the Chinese military or related authorities (e.g., People’s Liberation Army, Central Military Commission); or
• contributing to the Chinese military-civil fusion (a broad set of connections to China’s defense-industrial complex) and engaging in commercial services, manufacturing, production, or export in the US or its territories.

Any newly identified CMCs that are added to the 1260H list will automatically be designated a biotechnology company of concern and become subject to the prohibitions of BIOSECURE 2.0. Upon enactment, all entities currently on the 1260H list, last updated on January 27, 2025, will be designated immediately as biotechnology companies of concern.

What is the designation process for identifying other companies of concern?

The designation process identifying other companies of concern involves multiple steps:

1. The secretary of the DOD, in coordination with the attorney general, the secretary of the Department of Health and Human Services (HHS), the secretary of the Department of Commerce (DOC), the director of national intelligence, the secretary of the Department of Homeland Security (DHS), the secretary of state, and the national cyber director, provides a list of suggested entities to the director of the Office of Management and Budget (OMB).
2. The OMB director then evaluates whether each entity
   • “is subject to the administrative governance structure, direction, control, or operates on behalf of the government of a foreign adversary;
   • “is to any extent involved in the manufacturing, distribution, provision, or procurement of biotechnology equipment or service; and
   • “Poses a risk to the national security of the United States.”
3. The national security risk criteria include: “engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies; providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or obtaining human multiomic data via biotechnology equipment or services without express and informed consent.”
4. A notice of designation must be issued to any company named in the designation, and the company may submit information and arguments in opposition within 90 days.
5. The OMB director reviews all information submitted in opposition and issues a final determination before the designation is made publicly available.

How often is the list of biotechnology companies of concern reviewed?

BIOSECURE 2.0 provides the government some discretion regarding the review and update of the list. The OMB director, in coordination with multiple agency heads, “shall periodically, though not less than annually, review and, as appropriate, modify the list of biotechnology companies of concern.”

Is WuXi AppTec on the list of Chinese entities?

There are no companies explicitly identified in the new legislation; however, WuXi AppTec and others could potentially be designated as a biotechnology company of concern through one of two pathways:

1. If WuXi AppTec appears on the 1260H list in the future, it would automatically qualify as a biotechnology company of concern under category A.
2. Through the evaluation process in which the secretary of the DOD, in coordination with the attorney general, the HHS secretary, the DOC secretary, the director of national intelligence, the DHS secretary, the secretary of state, and the national cyber director, provides a list of suggested entities to the OMB director.

Wuxi AppTec does not currently appear on the 1260H list.

When does BIOSECURE 2.0 go into effect?

If BIOSECURE 2.0 is passed, there would be a multistage implementation timeline:

Stage 1: List Publication

Not later than one year after the date of enactment, the OMB director will publish a list of entities that constitute biotechnology companies of concern.

Stage 2: Guidance Development

Not later than 180 days after publication of the list of biotechnology companies of concern, and any update to the list, the OMB director, in coordination with multiple agency heads, will establish guidance, as necessary, to implement the requirements of this section.

Stage 3: FAR Revision

Not later than one year after the date of establishment of guidance, and as necessary for subsequent updates, the Federal Acquisition Regulatory Council will revise the Federal Acquisition Regulation (FAR) as necessary to implement the requirements of this section.

Stage 4: Prohibitions Take Effect

For 1260H list companies, the prohibitions take effect 60 days after the FAR is revised.

For other biotechnology companies of concern determined through the evaluation process, the prohibitions take effect 180 days after the FAR is revised.

Total BIOSECURE 2.0 Timeline

Assuming the amendment is enacted, the earliest the prohibitions would take effect is approximately two and a half to three years from enactment (one year for list publication, plus 180 days for guidance, plus one year for the FAR revision, plus 60 to 180 days for prohibitions to take effect).

This timeline is longer than the original draft’s, in which prohibitions for named entities take effect 60 days after issuance of OMB guidance or 120 days after enactment, whichever is earlier.

Are existing contracts safe from the ban? Is there a wind-down/uncoupling period?

Yes, there is some protection for existing contracts.

Unlike BIOSECURE 1.0, which would have given companies until January 1, 2032, to wind down relationships with the named Chinese biotechnology companies, BIOSECURE 2.0 treats this question differently.

BIOSECURE 2.0’s restrictions will go into effect immediately for contracts with entities on the 1260H list. Read the current 1260H list, “Entities Identified as Chinese Military Companies Operating in the United States.”

For contracts with entities that are named in the future, the new legislation provides a five-year transition period. Put another way, prior to the date that is five years after the FAR revision, the prohibitions on contracting with entities using equipment from companies of concern will not apply to biotechnology equipment or services produced under contracts or agreements, including previously negotiated contract options, entered into before the effective date.

This means:

• Existing contracts entered into before the effective date of the prohibitions, including previously negotiated contract options, are effectively grandfathered for five years after an entity is named and the FAR is revised.
• Protection lasts for up to five years after the FAR revision.
• Entities have time to complete existing contracts, identify alternative suppliers, transition to compliant biotechnology providers, and minimize business disruption.

What is “biotechnology equipment or services”?

Biotechnology equipment includes:

“Genetic sequencers, or any other instrument, apparatus, machine, or device, including components and accessories […] that is designed for use in the research, development, production, or analysis of biological materials as well as any software, firmware, or other digital components that are specifically designed for use in, and necessary for the operation, of such equipment.” This also encompasses:

• Mass spectrometers (explicitly mentioned in the original BIOSECURE Act)
• Polymerase chain reaction machines (explicitly mentioned in the original BIOSECURE Act)

Biotechnology services include:

“Any service for the research, development, production, analysis, detection, or provision of information, including data storage and transmission related to biological materials […] advising, consulting, or support services with respect to the use or implementation” of such equipment, “disease detection, genealogical information, and related services,” as well as “any other service, instrument, apparatus, machine, component, accessory, device, software, or firmware” that the OMB director “determines appropriate in the interest of national security.” This also encompasses:

• Contract research organization services involving biotechnology
• Laboratory testing services
• Any other services that the OMB director determines appropriate in the interest of national security

The term “biotechnology equipment or services produced or provided by a biotechnology company of concern” is not construed to refer to any biotechnology equipment or services that were formerly, but are no longer, produced or provided by biotechnology companies of concern.

What else does BIOSECURE 2.0 require?

BIOSECURE 2.0 will require the US intelligence community to complete a comprehensive risk assessment addressing how foreign adversaries collect, store, or exploit multiomic data and submit that report to Congress, plus ongoing reporting about “nefarious activities” by biotechnology companies, including selling, licensing, transferring, or sharing Americans’ multiomic data with foreign governments and others. The term “multiomic” means data types that include genomics, epigenomics, transcriptomics, proteomics, and metabolomics. This is a critical definition because much of the national security concern centers on foreign adversary access to this type of sensitive biological and genetic information about US citizens.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.