The other shoe has finally dropped.
Following its passage in the House of Representatives last week, the U.S.FY2026“National Defense Authorization Act (2026 NDAA)” was passed by the Senate in the early hours of December 18 (Beijing time) with a vote of 77 in favor and 20 against. With this, the 2026 NDAA has now completed the major legislative procedures in both chambers of Congress and will be sent to the White House, where it will take effect immediately upon signature by the U.S. President.
This bill has drawn attention from the biopharmaceutical industry because it incorporates the previously contentious Biosecurity Act.
In the United States, there are two legislative pathways for a bill: standalone legislation and omnibus legislation. The Biosecurity Act is being enacted through the latter approach, i.e., as a provision within the National Defense Authorization Act (NDAA) to streamline the deliberation and voting processes. After nearly two years, the U.S. Biosecurity Act is on the verge of completing its legislative process. Under the Biosecurity Act, U.S. administrative agencies will be prohibited from engaging in direct or indirect cooperation with biotechnology companies of concern.
Although the final enacted Biosecurity Act is somewhat milder than the initial proposal—for instance, it no longer names specific companies, establishes appeal and removal mechanisms for listed entities, and provides a grace period of up to nearly eight years—the industry views its implementation as having profound negative implications for the development of the Chinese and U.S. biopharmaceutical sectors.
Two Bans
In the U.S. Fiscal Year 2026 National Defense Authorization Act, the Biosecurity Act is included as a standalone section (Sec. 851), titled “PROHIBITION ON CONTRACTING WITH CERTAIN BIOTECHNOLOGY PROVIDERS,” i.e., the Prohibition on Contracting with Certain Biotechnology Providers Act, which is consistent with multiple previous versions of the Biosecurity Act proposals.
Specifically, the core provisions of the "Biosecurity Act" are two prohibitions targeting biotechnology companies of concern.First, prohibit the heads of U.S. executive agencies from procuring or acquiringNotable Biotechnology Companiesany biotechnology equipment or services produced or provided; second, prohibiting heads of U.S. executive agencies from engaging with eligibleEntityEntering into, renewing, or extending contracts, and allocating or expending loan or grant funds for these purposes. If loans or grants have already been disbursed when the Biosecurity Act takes effect, recipients are still prohibited from using such funds.
Among them, the eligible entities referred to in the second prohibition include two categories. The first category comprises those that, in the course of performing contracts with the administrative agency, have utilized [materials/data] obtained after the effective date of the Biosecurity Act and provided byNotable Biotechnology CompaniesProduced or ProvidedBiotechnology Equipment or Servicesentity; the second category, where the contract signed is known to require the use of data obtained after the effective date of this clause, byNotable Biotechnology CompaniesManufactured or ProvidedBiotechnology Equipment or Servicesentity.
Under the second prohibition, in addition to direct transactions with covered biotechnology companies, transactions with competitor companies that use or will use biotechnology equipment or services provided by covered biotechnology companies are also prohibited. Such transactions include not only contractual agreements but also financial transactions such as loans and grants. This point is critical, as many companies and projects in the United States that have adopted or may adopt biotechnology have received funding support from the federal government.Consequently, the second prohibition under the Biosecurity Act is likely to affect a substantial number of biotechnology-related projects conducted in the United States.
Several Keywords
To fully understand this ban, it is necessary to clarify several key terms: covered biotechnology companies, effective date, and biotechnology equipment or services. We will examine each of these in turn.
First, the highly anticipated biotechnology companies. Both prohibitions center on “covered biotechnology companies,” the core keyword of the Biosecurity Act. Entities on the list of covered biotechnology companies include specific entities listed under Section 1260H, other entities designated through specified procedures, and entities with certain affiliations.
Specifically, the first category of listed entities refers to those included in the list of Chinese military-industrial companies operating in the United States, which is published annually by the U.S. Department of Defense in the Federal Register, andCompanies that, to a certain extent, engage in the manufacturing, distribution, provision, or procurement of biotechnology equipment or services. Due to the release of this listPursuant to the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021Section 1260H; entities under this section are also referred to by external parties as Section 1260H entities。
A brief elaboration is warranted here. Section 1260H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 is another provision drawing significant attention from Chinese and U.S. enterprises, apart from the Biosecure Act (hereinafter referred to as “Section 1260H”). As a core clause establishing a list-based management system for “Chinese military companies,” Section 1260H requires the U.S. Secretary of Defense to identify and publish a list of Chinese military companies operating directly or indirectly in the United States, thereby addressing the potential national security implications posed by China’s military-civil fusion enterprises. Currently, domestic companies such as BGI Genomics, MGI Tech, and OriginCell have been included on this list, while Complete Genomics, BGI Spatial Transcriptomics, Novogene, and Annoroad Gene Technology have been proposed by U.S. lawmakers for inclusion.
Class II listed entities are those designated based on the Entity Recommendation List. The Entity Recommendation List is proposed by the U.S. Secretary of Defense, in coordination with the Attorney General, the Secretary of Health and Human Services, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of State, and the National Cyber Director. Within one year after the enactment of the Biosecurity Act, the Office of Management and Budget shall publish a list of covered biotechnology companies of concern that are not Section 1260H entities.
Criteria for inclusion on the list of covered biotechnology companies outside Section 1269H entities include entities that are determined to be subject to the jurisdiction, direction, or control of a foreign adversary’s government, or operating on behalf of such government, and that participate to some extent in the manufacturing, distribution, provision, or procurement of biotechnology equipment or services, while posing a threat to U.S. national security. The term “posing a risk to U.S. national security” specifically refers to engaging in joint research with, receiving support from, or having affiliations with the military, domestic security forces, or intelligence agencies of a foreign adversary; providing multi-omics data obtained through biotechnology equipment or services to a foreign adversary’s government; or obtaining human multi-omics data through biotechnology equipment or services without explicit and informed consent.
Category 3 refers to subsidiaries, parent companies, or successor entities of the aforementioned two categories of entities, provided that such subsidiary entities are also determined to be subject to the administrative governance structure of a foreign adversary’s government, or are directed, controlled by, or operate on behalf of such government, and participate to some extent in the manufacturing, distribution, provision, or procurement of biotechnology equipment or services, thereby posing a threat to U.S. national security.
This list is not static. The Biosecurity Act requires that the list of Covered Biotechnology Companies be reviewed at least annually, with entities added or removed as appropriate. Furthermore, biotechnology companies already included on the list may submit relevant information and supporting arguments to the Director of the Office of Management and Budget (OMB) to request removal if they believe they no longer meet the criteria. The Director shall review the request and respond within 90 days of receipt.
Next is the effective date.The two prohibitions under the “Biosecurity Act” require amendments to the Federal Acquisition Regulation to take effect, which could be a rather lengthy process.
Following the release or update of the list of covered biotechnology companies, the Director of the U.S. Office of Management and Budget shall, in coordination with the U.S. Secretary of Defense, the Attorney General, the Secretary of Health and Human Services, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of State, and the National Cyber Director, develop guidance. Subsequently, the Federal Acquisition Regulatory Council shall revise the Federal Acquisition Regulation based on such guidance.
Under the Biosecurity Act, the grace period for issuing guidance is 180 days after the publication or update of the list of covered biotechnology companies; the grace period for amending the Federal Acquisition Regulation (FAR) is one year after the issuance of such guidance; and there remains a grace period of several months between the amendment of the FAR and the effective date of the two prohibitions under the Biosecurity Act. Specifically, the grace period for the prohibitions to take effect is 60 days for designated entities and 90 days for other entities.
In other words, for entities listed under Section 1260H, there is a grace period of up to more than one year between the completion of the legislative process for the Biosecurity Act and its final entry into force; whereas for designated entities other than those under Section 1260, the maximum grace period exceeds two years.
Finally, let us examine biotechnology equipment or services.The biotechnology equipment or services referred to in the Biosecurity Act fall into three major categories. The first category includes various types of equipment designed for use in the research, development, production, or analysis of biological materials, such as gene sequencers, or other instruments, devices, machines, and equipment (including their components and accessories). Additionally, software, firmware, or other digital components that are specifically designed for these devices and essential to their operation also fall within the scope of biotechnology equipment or services.
Category II: Research, development, production, analysis, testing, or information provision services related to biomaterials, including data storage and transmission services. Specifically, this refers to consulting, advisory, or support services related to the use or application of the aforementioned instruments, devices, machines, or equipment, as well as disease detection, lineage information, and related services.
Category III: Other services, instruments, devices, machines, components, accessories, equipment, software, or firmware used for the research, development, production, or analysis of biological materials, as determined appropriate by the Director of the U.S. Office of Management and Budget in coordination with the heads of executive agencies, based on national security interests.
“Has the Biosecurity Bill Become More Moderate?”
Since its introduction in late 2023, the legislative path of the "Biosecurity Act" has been fraught with twists and turns.
In December 2023, the U.S. Senate introduced Bill S.3558, which was the earliest version of the Biosecure Act. The S.3558 bill proposed that, from the perspective of national biosecurity, contracts with five Chinese biotechnology suppliers, including WuXi AppTec, BGI, and their affiliated companies, should be prohibited. In January 2024, the U.S. House of Representatives introduced a draft of the Biosecure Act, designated as “H.R.7085.”
In May 2024, the U.S. House of Representatives introduced the well-known H.R. 8333 bill after revisions, which is widely recognized as the first version of the Biosecurity Act. However, this version of the Biosecurity Act failed to be included in that year’s National Defense Authorization Act for “ride-along” legislation, and its independent legislative path was also interrupted in September of the same year.
Subsequently, discussions surrounding the Biosecurity Act subsided for a time until the summer of 2025, when U.S. Senators Bill Hagerty and Gary Peters introduced a new version of the Biosecurity Act. In October 2025, the National Defense Authorization Act for Fiscal Year 2026 was passed by the Senate, with the new version of the Biosecurity Act incorporated as an amendment, thereby clarifying its legislative prospects.
It is widely believed that, compared to the earliest version of the Biosecurity Act, the final legislative text has undergone a series of adjustments under external pressure and has become considerably more moderate. The most direct evidence of this moderation in the Biosecurity Act is the removal of specific company names; the five Chinese enterprises, including BGI Genomics and WuXi AppTec, are no longer mentioned anywhere in the document. However, as companies such as BGI Genomics and MGI Tech have already been listed under Section 1260H, they remain inevitably affected.
In VCBeat’s view, while the Biosecurity Act did make some adjustments more favorable to the industry, the most significant change in the final text, compared with the September 2024 version of H.R. 8333, is that it leaves slightly more room for maneuver.
On one hand, the list of biotechnology companies of concern is subject to appeal, and some companies may be removed. Under the final Biosecurity Act, biotechnology companies already listed as entities of concern may submit relevant information and supporting arguments to the Director of the U.S. Office of Management and Budget (OMB) if they believe they no longer meet the criteria, thereby applying for removal from the list. This provision was absent in earlier versions of the bill. On the other hand, a uniform five-year grace period is granted for contracts existing before the ban takes effect. In contrast, under H.R. 8333, existing contracts with entities designated under Section 1260H would no longer benefit from any grace period starting January 1, 2032.
Overall, whether by redacting specific company names or by introducing removal mechanisms and grace periods, the impact of these mitigating measures remains very limited.
After all, the impact of the legislation extends beyond short-term orders, striking at the heart of incremental business growth. Taking leading Chinese CROs as an example, nearly two-thirds of their revenue has historically come from U.S. clients. Although the extended grace period may help preserve existing orders, potential customers may already be inclined to avoid Chinese suppliers during the early decision-making stages. Of course, the ban does not only affect Chinese enterprises. Data shows that nearly 80% of U.S. biopharmaceutical companies collaborate with Chinese suppliers. Once supply chains with Chinese firms are severed, the domestic drug R&D supply chain in the United States could face the risk of paralysis, while building a new supply chain is far from a task that can be accomplished in the short term.
Now that the Biosecurity Act has been officially released, VCBeat will continue to monitor its subsequent impact.