BIOSECURE Act: What You Need to Know
The National Defense Authorization Act for Fiscal Year 2026, signed into law on 18 December 2025, includes the BIOSECURE Act (the Act), which establishes a new framework governing the use of certain biotechnology equipment and services in connection with US federal procurement and federal funding. The Act introduces restrictions tied to entities designated as “biotechnology companies of concern” and is expected to have significant implications for life sciences companies, government contractors, research institutions, universities, and others whose operations intersect with federal contracts, grants, or loans. Although the restrictions will not take effect immediately, the Act initiates a regulatory process that will require advance planning for many organizations.
Overview of the Act
The Act reflects broad national security concerns that foreign adversaries have leveraged biotechnology platforms, laboratory equipment, and associated data services to gain access to sensitive biological information, including human multiomic and genomic data, or otherwise exert influence over critical biotechnology supply chains. Concerns around the biotechnology sector have been long-standing, most recently manifested in Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which focuses on prohibiting access to genomic and similar types of sensitive personal data.
To address these concerns, the Act restricts both federal agencies and recipients of federal funds from procuring or using certain biotechnology equipment and services associated with designated biotechnology companies of concern. While the statutory prohibitions operate formally through federal procurement and funding mechanisms, their practical impact may extend beyond strictly covered federal work, particularly where designation risk affects commercial and research relationships more broadly.
Scope of the Restrictions
Under the Act, executive agencies are generally prohibited from procuring or obtaining biotechnology equipment or services from a biotechnology company of concern. In addition, agencies may not enter into, extend, or renew contracts with entities that use covered biotechnology equipment or services from such companies in the performance of federal contracts. Parallel restrictions apply to federal grants and loans, limiting the use of federal funds for biotechnology equipment or services provided by biotechnology companies of concern, including in arrangements involving subrecipients or downstream funding.
As a result, the Act may affect not only prime federal contractors, but also subcontractors, vendors, research partners, and grant recipients whose products or services are used in connection with federally funded activities. Organizations that do not view themselves as part of the federal contracting ecosystem may nevertheless face compliance considerations depending on how implementing regulations are structured.
Key Definitions Driving Coverage
The Act defines “biotechnology equipment or service” broadly to include equipment and services used in the research, development, production, analysis, detection, or provision of information relating to biological materials. The definition extends beyond physical laboratory instruments to encompass components, accessories, and associated digital features, including software, firmware, data storage, transmission, and related services. This expansive approach suggests that the Act could reach a wide range of laboratory platforms, sequencing and genomics technologies, bioinformatics tools, contract research and manufacturing services, and data-handling infrastructure.
Whether an entity is treated as a “biotechnology company of concern” will depend on designation rather than categorical inclusion in the statute itself. Companies may be captured either through their inclusion on the Department of Defense’s list of Chinese military companies operating in the United States, provided they have a biotechnology nexus, or through a separate Office of Management and Budget (OMB)-led interagency designation process. That process is intended to apply statutory criteria focused on foreign adversary control or influence and national security risk, including risks associated with access to sensitive biological data. The Act contemplates notice and review procedures associated with these designations and directs OMB to maintain and update the relevant list. Prior versions of the legislation specifically identified individual companies—the legislation as enacted removed these identifications and instead directed OMB to develop the designation process described above.
Implementation Timeline
The Act establishes a phased implementation process. OMB is required to publish an initial list of biotechnology companies of concern within one year of enactment, by 18 December 2026. After publication of the list, OMB has up to 180 days to issue implementing guidance for federal agencies. The Federal Acquisition Regulatory Council must then amend the Federal Acquisition Regulation (FAR) within one year after OMB issues that guidance. The statutory prohibitions take effect only after these regulatory steps are completed, with different compliance timelines applying depending on the basis for a company’s designation.
This staged rollout provides affected organizations with time to assess exposure and plan for compliance. However, transitioning away from entrenched biotechnology platforms, laboratory instruments, or service providers can be time- and resource-intensive, making early planning advisable.
Exceptions, Waivers, and Transition Considerations
The Act includes provisions intended to reduce abrupt disruption. These include limited transition concepts for certain existing relationships, waiver authority subject to OMB involvement and congressional notification, and exceptions for specified categories of activity such as certain intelligence functions, emergency public health responses, and particular overseas healthcare services supporting US government personnel. The practical availability and scope of these mechanisms will depend on how they are implemented through agency guidance and FAR rulemaking.
Practical Considerations for Affected Organizations
Entities most likely to be affected by the Act include federal contractors and subcontractors performing work that relies on biotechnology equipment or services; life sciences companies that sell into federal channels or rely on contract research or manufacturing partners; universities, hospitals, and nonprofit research institutions receiving federal research funding; and data-centric biotechnology and bioinformatics providers that handle or enable the processing of biological or multiomic data. For these organizations, compliance risk may arise not only from direct procurement decisions, but also from shared platforms, mixed-use environments, and embedded third-party relationships.
Even before implementing regulations are issued, organizations should consider evaluating their use of biotechnology equipment and services in connection with federal contracts or federally funded projects, mapping relationships with third-party providers that could fall within the Act’s scope, and monitoring developments related to the designation of biotechnology companies of concern. As regulatory details are clarified, these early assessments can help reduce the risk of compressed timelines and operational disruption.
Looking Ahead
Several important questions remain open and will be addressed through forthcoming guidance and rulemaking. These include how diligence obligations will be operationalized across complex supply chains, how mixed-use environments will be treated, the extent of transition relief for existing contracts and grants, and the transparency and procedural safeguards associated with company designations. As these issues are resolved, the practical contours of the Act will become clearer.
The Act represents a significant development at the intersection of national security, biotechnology, and federal procurement and funding policy. Although its requirements will phase in over time, organizations with federal touchpoints should begin considering their potential exposure now to position themselves for compliance once the regulatory framework is finalized.
Lawyers and policy professionals in our Public Policy and Law; International Trade, Investment Controls, and National Security; and Government Contracts and Procurement Policy practice groups have followed the Act as it advanced through Congress and are able to advise clients as agencies move to implement the legislation.