The US BIOSECURE Act: is your supply chain at risk?

Published on 10th December 2025

The legislation could be enacted by the end of the year, with potentially wide-ranging consequences for biotech companies undertaking federal work 

Introduced in the 188th Congress in May 2024, the BIOSECURE Act seeks to restrict US federal government bodies, agencies and federal funding recipients from procuring or contracting with certain foreign-linked biotechnology companies. The restriction is based on national security reasons arising from these companies' access to large biological datasets that could potentially be exploited. 

The bill swiftly gained momentum, with the House passing it by 306-81 votes in September 2024. However, it was not enacted that year and did not make the final Fiscal Year (FY) 2025 National Defense Authorization Act (NDAA). In October 2025, a revised version was passed by the Senate as an amendment to the FY2026 NDAA. The revisions appear to have addressed industry concerns, including removing a fixed list of named companies of concern. 

After a period of inactivity, there are strong prospects that the bill will be enacted by the end of 2025 due to bipartisan support and its alignment with the Trump administration's broader de-risking policy. The final requirements, timing, and listed entities of concern will depend on the version that is ultimately enacted and the implementing guidance issued.

If enacted, the new law is likely to compel some companies to reconsider existing relationships with certain foreign-linked biotech firms. This could prove disruptive, given that many US-developed drugs in mid- and late-stage trials currently rely on those firms for manufacturing or data services, potentially leading to delays, increased costs and disruption to clinical trials or drug launches. 

While affected companies will need to reassess and strengthen existing supply chains or identify alternative suppliers to ensure compliance and business continuity, the Act is also expected to pave the way for new partnerships in other jurisdictions, such as India. 

Core provisions

At its core, the Act would bar US executive agencies from procuring biotechnology equipment or services from a "biotechnology company of concern" and bar agencies from entering into, extending, or renewing contracts with entities that use such equipment or services when performing federal work. It would also restrict the use of federal loans or grants to procure such items or services.

Designation of 'biotechnology companies of concern'

Earlier versions of the bill expressly named certain China-based companies and tasked the Office of Management and Budget (OMB), in consultation with national security and health agencies, with designating additional companies of concern linked to "foreign adversaries" (defined to include China, Russia, Iran, and North Korea). 

The 2025 Senate version will designate companies of concern through a process tied to existing national security listings (for example, the Department of Defense "1260H" list). The OMB will also have authority to add new entities. Companies should regularly monitor the OMB's list. 

Definition of 'biotechnology equipment or services'

The definition is broad, covering instruments, medical devices, software, and digital components used in the research, development, production, analysis, detection, storage, or transmission of biological materials, as well as consulting and support services. 

Exceptions and waivers 

An emergency procurement exception is included, which allows agencies to acquire medical items, countermeasures and related supplies necessary during a declared public health emergency. 

Grandfathering 

There is a "grandfathering" period of five years for existing commercial contracts with OMB-identified entities, although this grace period does not extend to companies on the 1260H List. For those companies, the prohibitions will take effect 60 days after the Federal Acquisition Regulation (FAR) is updated.

Implementation and guidance 

The OMB has up to one year to publish the list of companies of concern, after which it has up to 180 days to publish guidance on implementation of the prohibitions. The FAR Council is then required to revise the FAR regulations, following which the prohibitions for companies on the 1260H list will take effect in 60 days.

Prohibitions for other companies of concern will take effect in 180 days. 

Compliance  

In practice, compliance would likely be operationalised through representations and certifications in solicitations and awards, contract clauses with flow‑down obligations to subcontractors, and potential audit or attestation regimes. Agencies may require contractors and grant recipients to certify that they do not use covered equipment or services from designated entities in performance, with monitoring through FAR‑level clauses and agency guidance. Details will depend on the final enacted text and implementing rules.

Preparing for implementation

Companies may wish to take proactive steps in anticipation of imminent enactment of the bill:

  • Map exposure and conduct due diligence. Draw up an inventory of all biotechnology equipment or services used across research and development (R&D), clinical operations, manufacturing, quality and data environments. Identify direct and indirect links to potentially designated entities (contract research organisations (CROs), contract development and manufacturing organisations (CDMOs), labs, data processors, instrument vendors) and prioritise high-impact dependencies.
  • Identify federal and non-federal work. Identify which programmes, sites and systems support federal contracts, grants or cooperative agreements. Where possible, aim to ring-fence those activities from covered equipment or services to preserve eligibility.
  • Investigate alternative vendors and suppliers. Qualify substitute vendors and equipment, assess technology-transfer requirements and map regulatory revalidation or bridging strategies. Stress-test timelines against phased effective dates. Consider and budget for consequential cost impacts.
  • Strengthen contracting positions. Add protective clauses to CRO/CDMO and supplier contracts covering regulatory changes, termination rights, technology transfer, data controls and audit rights. Ensure downstream providers are bound by the same terms.
  • Governance. Establish a cross-functional team covering legal, compliance, procurement, quality, IT/data and regulatory functions to monitor entity designations and government guidance, update internal policies and manage certifications.

EU position 

The EU framework for screening foreign direct investment (FDI) under Regulation (EU) 2019/452 (the FDI Screening Regulation) represents the closest structural parallel in the European Union.

The legislation identifies several factors that Member States and the European Commission may consider when assessing whether foreign direct investment is likely to affect security or public order. These include critical infrastructure, critical technologies, supply of critical inputs, access to sensitive information (including personal data), and the freedom and pluralism of the media. Notably, under the FDI Screening Regulation, health is referred to as a "critical infrastructure" sector and biotechnologies are identified as "critical technologies".

Unlike the BIOSECURE Act, the FDI Screening Regulation does not establish a list of prohibited biotechnology companies of concern, nor does it impose upfront restrictions on procurement or contracting with specific foreign-linked entities. Instead, it provides Member States with a framework to scrutinise FDI on a case-by-case basis. Where justified on security or public order grounds, it empowers them to block transactions or impose conditions where access to critical technologies, critical inputs or sensitive data risks being undermined.

The ongoing revision of the FDI Screening Regulation, currently under trilogue negotiation following the Council's amendments in June 2025, is expected to expand and harmonise the scope of mandatory screening across Member States. This development comes at a time when the European Commission's life sciences strategy, published this summer, identified a "low level of involvement" with institutional and foreign investors, constraining "the sector's ability to grow and scale".

For EU pharmaceutical, biotech, medtech and diagnostics businesses operating in the US federal market, these parallel regulatory developments have the potential to create practical constraints on supply chain configurations.

Osborne Clarke comment

If enacted, the law would have far-reaching consequences for biotech companies that contract with, receive grants from, or otherwise engage with executive agencies and for universities and academic medical centres supported by federal funding.

Affected agencies include the National Institutes of Health, the Department of Defense, the Department of Veterans Affairs, and agencies within the Department of Health and Human Services, such as the Food and Drug Administration and the Centers for Disease Control and Prevention.

Companies using any covered equipment or services from designated entities in performing government contracts or grants would be deemed ineligible, forcing them to choose between federal business and relationships with biotechnology companies of concern.

Given that many biopharma sponsors depend on China-based CDMOs and CROs for development, analytics and manufacturing, the new Act could compel substantial supply chain re-engineering, technology transfers and regulatory revalidations, potentially leading to increased costs, delays and drug supply disruptions. 

Firms without federal contracts may also experience indirect effects as upstream suppliers, clinical partners, or academic collaborators adapt to compliance requirements. However, new partnerships with biotech companies from non-affected countries may begin to emerge. 

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.