The BIOSECURE Act Just Became Law. If You Take Federal Grants, Your Supply Chain Is Now a Compliance Problem.

Seventy-nine percent of biopharma companies surveyed by BIO, the industry trade group, reported using at least one Chinese biotechnology contractor. That number, from a May 2025 survey, is about to become the most consequential statistic in federal research funding — because as of December 18, 2025, the BIOSECURE Act is law, and it will eventually bar federal dollars from flowing to any entity that relies on designated Chinese biotech firms for equipment, services, or data processing.

The law did not receive its own signing ceremony. It was tucked into the National Defense Authorization Act for Fiscal Year 2026, passed with bipartisan support, and signed by the President on December 18. But its reach extends far beyond defense procurement. Every organization that receives NIH grants, DOE awards, NSF funding, or any other federal financial assistance now faces a new compliance requirement: prove that your biotechnology supply chain does not include a "biotechnology company of concern."

What the Law Actually Prohibits

The BIOSECURE Act creates three interconnected restrictions. Federal executive agencies cannot procure biotechnology equipment or services from designated companies of concern. They cannot enter contracts with entities that use those companies' products or services in connection with federal work. And — the provision that hits the research community hardest — they cannot "expend loan or grant funds for biotechnology equipment or services provided by" a designated company.

That third restriction is the one that transforms this from a defense procurement issue into a research funding issue. An NIH-funded university lab that sequences genomes on a BGI platform, or a DOE-funded environmental science group that sends samples to a contract research organization using WuXi services, could find its federal funding in jeopardy once the implementing regulations take effect.

The definition of "biotechnology equipment or service" in the statute is deliberately broad. It covers devices, instruments, software, and consulting services used in "research, development, production, analysis, or detection" of biological material. Bioinformatic tools, data transmission services, genealogical analysis platforms, and disease detection systems all fall within scope. The law does not limit itself to hardware sitting on a lab bench — it reaches into the software and data layers that increasingly define modern biological research.

Who Is Already Designated — and Who Is Next

The law creates a new category called "biotechnology companies of concern" (BCCs) and uses the Department of Defense's existing 1260H list — the Chinese military companies list — as its initial designation mechanism. Any entity on the 1260H list that provides biotechnology equipment or services is automatically a BCC.

Today, that list includes BGI Genomics, Forensic Genomics International, and MGI Tech Co. — all subsidiaries or affiliates of the BGI Group, one of the world's largest genomic sequencing operations. For any researcher or institution that has purchased MGI sequencing platforms, used BGI's sequencing services, or collaborated on projects involving BGI data infrastructure, the compliance implications are immediate.

The companies that researchers are watching most closely, however, are not yet formally designated. WuXi AppTec, WuXi Biologics, and WuXi XDC — the trio of Chinese contract development and manufacturing organizations that provide services to a massive share of the global pharmaceutical pipeline — are not currently on the 1260H list. But the chairs of multiple Senate and House committees have sent formal letters to the Department of Defense recommending their addition, and the law grants OMB authority to designate additional companies through a separate administrative process.

OMB must publish a comprehensive BCC designations list by December 2026. The Federal Acquisition Regulation amendments implementing the prohibitions are expected by June 2028, with the actual restrictions taking effect 60 to 90 days after the FAR update. Existing contracts with later-designated companies receive a five-year safe harbor — but new grants and contracts entered after the effective date will be immediately subject to the restrictions.

The Research Community Feels the Squeeze First

For the 79 percent of biopharma companies with Chinese biotech contractors, the compliance timeline allows for an orderly transition. For university research labs funded by federal grants, the situation is more complicated.

Consider genomic sequencing — the most visible flashpoint. BGI and its subsidiary Complete Genomics have been gaining market share in academic sequencing cores, particularly at institutions looking for alternatives to Illumina's dominant (and expensive) platforms. Stanford's sequencing center recently purchased a Complete Genomics DNBSeq-T7 platform. The University of North Carolina's Integrated Genomics Cores evaluated MGI instruments as faster, cheaper, and more flexible than competing systems.

Those purchasing decisions, made on scientific and economic merit, are now compliance liabilities. Any lab running federally funded samples on BGI or MGI equipment after the restrictions take effect will need to demonstrate that the work is not connected to federal grants — a nearly impossible distinction in most university environments where federal funding permeates the research infrastructure.

The cost implications ripple outward. Illumina, the dominant sequencing platform provider, faces less competitive pressure in a market where its primary low-cost competitor is banned from federally funded research. Element Biosciences, Ultima Genomics, and other emerging competitors may benefit from redirected demand, but none have achieved the scale or installed base to fully replace BGI's capacity in the near term. Academic sequencing costs, which had been declining as competition increased, could reverse course.

International collaboration faces its own disruption. The Earth BioGenome Project — a 10-year, 25-country effort to sequence the genomes of all known eukaryotic species — has BGI as a central participant. Smithsonian Institution researchers have expressed concern that the BIOSECURE Act could force American scientists out of this and similar large-scale international genomics initiatives where Chinese institutions provide essential sequencing infrastructure.

The Hidden Compliance Problem: Biotech Is Everywhere

The most underappreciated aspect of the BIOSECURE Act is how far beyond obvious biotech companies its reach extends. As compliance attorneys have been warning since the law's passage, organizations that do not think of themselves as biotechnology users may discover that they are.

A defense contractor building aircraft maintenance software might embed an occupational health monitoring module that processes biological data through a third-party analytics platform. If any vendor in that supply chain — even several tiers removed — uses a designated BCC's bioinformatic tools or data services, the prime contractor faces compliance exposure.

The same logic applies to research institutions. A university hospital system running clinical trials on an NIH grant might use a contract research organization for sample analysis. If that CRO outsources any biomarker work to a laboratory using BGI instrumentation, the grant recipient has a potential compliance problem — even if no one in the university's grants office is aware of the subcontractor's equipment choices.

This cascading liability structure means that compliance is not a one-time audit. Biotechnology companies are acquired frequently, supply chains shift, and the designation list will evolve as OMB exercises its authority to add new companies. Organizations will need continuous monitoring systems, not just point-in-time assessments.

What Grant Recipients Should Do Now

The June 2028 FAR implementation date gives organizations approximately two years to prepare. That sounds generous until you consider the scope of what compliance requires:

Map your biotech supply chain. Every research group, core facility, and contract service provider that touches federally funded work needs to be assessed for biotechnology equipment and service dependencies. This is not limited to obvious cases like sequencing platforms. Software tools, data storage services, diagnostic instruments, and consulting relationships all fall within the statute's broad definitions.

Assess your equipment inventory. University core facilities that purchased BGI, MGI, or Complete Genomics instruments face the most immediate decision: continue operating the equipment on non-federal work (if separable) or begin transitioning to alternative platforms before the restrictions take effect. Instrument replacement cycles typically run 3 to 5 years, so procurement decisions made in 2026 will determine compliance posture in 2028.

Review your CRO and CDMO relationships. Any federally funded research that uses external laboratories, contract manufacturers, or analytical services needs a disclosure and certification process. Ask your service providers directly: do you use equipment or services from any entity on the DoD 1260H list, and are you prepared to certify compliance with BIOSECURE Act requirements?

Build disclosure processes. The BIOSECURE Act, like other supply chain security regulations, will require organizations to disclose compliance issues when discovered. Establishing internal reporting pathways now — before the regulations are finalized — reduces the risk of a costly discovery under enforcement pressure later.

Watch the OMB designation timeline. The December 2026 BCC list publication will be the single most important compliance event before the FAR amendments. If WuXi and other widely used Chinese service providers are formally designated, the pharmaceutical and clinical research industries will face a transition far larger than the current BGI-focused disruption.

The BIOSECURE Act represents a fundamental shift in how the federal government thinks about biotechnology security — one that treats supply chain integrity as a condition of federal funding, not merely a preference. For the research community, the compliance burden is real and the timeline is shorter than it appears. Organizations that start mapping their exposure now will be far better positioned than those that wait for the final regulations to force their hand, and grant management platforms like Granted can help track which of your active and pending awards carry biotech compliance obligations worth monitoring.