U.S. updates outbound investment rule, adopts BIOSECURE Act

In January of this year, the long-awaited Outbound Investment Security Program (OISP) of the U.S. Department of the Treasury came into force. These rules, summarized in our prior client update here, prohibit or require the notification of investments by U.S. persons and entities they control in companies linked to “countries of concern” (currently, China) in specified industries (currently, semiconductors, quantum computing, and the development of AI models).[1] There have been two significant developments regarding the OISP at the end or the year. On December 23, 2025, the Department of the Treasury (Treasury) issued additional guidance on the OISP in the form of Frequently Asked Questions.[2] The new FAQs clarify a number of issues that had been raised by practitioners and industry and clarify that a number of routine transactions in the public capital markets are not caught by the rule. Additionally, on December 18, 2025, President Trump signed the FY 2026 National Defense Authorization Act (NDAA) into law, which (among many other provisions) provides a statutory underpinning for the OISP and gives guidance that may further sharpen and clarify its application, to be implemented in future rulemaking.[3] In general, both sets of changes begin to address ambiguities in the original OISP and focus its application.

The NDAA contains two other provisions with implications for cross-border trade and investment. First, the adoption of the long-pending BIOSECURE Act will forbid the use of biotechnology equipment and services from targeted Chinese companies to support federal contracts, which will have a significant impact on biotechnology businesses. Second, the NDAA (as is often the case) updates U.S. sanctions programs, requiring a new reporting mechanism on whether additional companies should be added to the Non-SDN Chinese Military-Industrial Complex Companies List (CIMC List) and repealing the remaining Syria-specific sanctions laws.

Treasury issues OISP guidance

The Treasury FAQs amend the guidance originally provided in January of 2025 and provide certainty on a number of important points that previously required industry and practitioners to take a reasoned view (and risk). While the positions taken are entirely logical, they provide welcome certainty for capital markets.

• Follow-on offerings: Treasury has made it clear that follow-on offerings of publicly traded securities qualify for the publicly traded securities exemption (as does underwriting such offerings), so long as the securities are fungible with existing publicly traded securities (i.e., carry the same economic and voting rights and will carry the same identification number upon issuance).
• Convertible interests:  Treasury likewise clarified that contingent equity interests (convertible notes, options, etc.) convertible into publicly traded securities (or securities fungible with publicly traded securities) are considered equivalent to an investment in publicly traded securities and are exempt so long as the other conditions of the exemption are met, even if the convertible interest itself is not publicly traded.
• IPO subscriptions: Although IPO underwriting remains outside the scope of the publicly traded securities exemption (for the moment; see the discussion of the COINS Act below), Treasury has clarified that persons entering into an agreement to acquire shares in an IPO (e.g., by confirming an IPO allocation) are still eligible for the publicly traded securities exemption so long as the shares are actually acquired at a time when the shares are publicly traded, even if the agreement to acquire the shares is entered into prior to the commencement of trading.
• Passive investment exemption: Treasury has reversed its prior position and stated that merely possessing the right to make a proposal to shareholders is not a governance right inconsistent with passive investment. In the release adopting the OISP rules, Treasury took the view that the right to make shareholder proposals was a right beyond standard minority shareholder protections and disqualified the holder from relying upon the exception in the rules for passive investments in publicly traded securities.[4] Responding to substantial industry pushback, and in light of the fact that many jurisdictions have very low ownership thresholds for the right to make shareholder proposals (often 1% or less), Treasury has clarified that the right to propose (not appoint) a director, if available to all similarly situated shareholders, does not result in disqualification from the passive investment exemption. Presumably other widely available shareholder proposal rights would be similarly treated.

COINS Act: Congress weighs in on the OISP

Legislative proposals for an outbound investment review regime stretch back to the 2018 reform of CFIUS, but ultimately President Biden issued Executive Order 14105 under authority of the International Emergency Economic Powers Act (IEEPA),[5] starting a rulemaking process that culminated in the issuance of the current rules in October of 2024. The Comprehensive Outbound Investment National Security Act of 2025 (COINS Act), incorporated into the NDAA, both provides explicit legislative endorsement of the OISP regime and provides guidance on its future development.[6] The COINS Act does not immediately amend the OISP rules, but it does provide for future amendments to the regulations to be issued by the Treasury Department; this follows on a previously announced review of the OISP by the Trump administration as part of its America First Investment Policy (summarized in our previous client update here).[7] Interested parties should continue to monitor OISP rulemaking, as new opportunities for comment on proposed revisions are likely to arise.

Creation of a statute-based OISP regime

Subtitle C of the COINS Act amends the Defense Production Act, which also provides authorization for CFIUS, by adding new sections 801-809 to create an independent statutory basis for the Outbound Investment Rules. It also differs from the existing OISP rules in a number of important respects. The changes to the OISP regime outlined below are not self-executing, instead directing the Secretary of the Treasury is to issue new regulations within 450 days consistent with the statute; thus, the details and effective date of amendments to the OISP rules remain unclear. However, a number of important clarifications and changes appear in the statute.

• Expansion of covered sectors/technologies: This is the least surprising change. The COINS Act adds hypersonic systems and supercomputing to the original targeted industries of semiconductor design and manufacturing, AI system development, and quantum computing.[8] Expansion of the sectors covered was anticipated in the original OISP, and the America First Investment Policy previously indicated that the Trump administration was considering expanding the OISP to impose additional restrictions in the semiconductor, artificial intelligence, quantum, biotechnology, hypersonics, aerospace, advanced manufacturing, and directed energy sectors.
• Expanded list of “countries of concern”: The People’s Republic of China, including the Hong Kong and Macau SARs, remains covered.as under the existing OISP; subtitle C adds Cuba, Iran, North Korea, Russia and Venezuela (so long as the Maduro regime remains in place), to the list of “countries of concern.” However, given existing sanctions restrictions, the practical impact is likely minimal.
• Narrowing of “covered foreign person” definition: The first major change implemented by the COINS Act is a substantial narrowing of the companies in which investment is restricted.[9] Like the existing OISP, the COINS Act restricts investments in persons in the targeted industries that are (1) foreign persons incorporated in, with their principal place of business in, or organized under the laws of a country of concern, (2) entities owned by the governments of those countries, and (3) any majority-owned subsidiaries of such persons. However, it omits or substantially alters two categories in the existing OISP:
  • Elimination of financial metrics. The COINS Act omits the current OISP’s test capturing companies with 50% or more of their revenues, net income, operating expenses or capital expenditures attributable to affiliates in a country of concern. This provision has posed significant interpretive and due diligence challenges for U.S. persons under the existing rules, in some cases capturing even U.S. public companies. How this will be implemented, though, and how it might apply to the common PRC structure of offshore holding companies controlling Chinese businesses, remains uncertain, particularly in light of the continuing prohibition on “indirect” investments.
  • Ownership by citizen of a country of concern is no longer a trigger, only ownership by political elites. The OISP currently captures any entity 50% or more owned by one or more foreign persons (i.e., neither U.S. citizens nor permanent residents) who are Chinese citizens or permanent residents. The COINS Act effectively eliminates the test based on the nationality of individual shareholders, limiting it to entities 50% or more owned by members of the Central Committee of the Chinese Communist Party or the political leadership of a country of concern, directly or indirectly.
• Narrowing of covered transaction types: The definition of “covered national security transaction” under the COINS Act is narrower in several respects and contains more exceptions than the corresponding definition of “covered transaction” in the existing OISP and related exceptions. The key differences are as follows:
  • Exception for underwriting and other ancillary transactions: Transactions ancillary to the provision of services by financial institutions, including temporary acquisition of equity for facilitating underwriting, are not covered national security transactions under the COINS Act. The existing OISP explicitly covers underwriting of offerings by U.S. and U.S.-controlled institutions. Services such as bank lending, payment settlement and clearing, and prime brokerage are also explicitly excluded; the existing OISP rules simply omit them from the list of covered activities. [10]
  • Allowance for a de minimis exception: The COINS Act contemplates, but does not specify, an exemption for investments of de minimis value, which Treasury declined to do in the initial OISP.[11] Note, however, that there is no exception for investments in covered foreign persons engaged in de minimis activities relating to prohibited or notifiable technologies.
• Expansion of recusal requirements for U.S. persons: The COINS Act does not change the applicability of the OISP to U.S. persons’ controlled foreign entities (so that both the prohibited investment and notifiable investment regimes will still apply to controlled companies). However, it does expand the provision barring U.S. persons and entities from “knowingly directing” prohibited transactions by foreign persons (for example, as executives of non-U.S. companies or investment managers for non-U.S. investors). Under the current OISP, the “knowingly directing” rule only applies to participation in prohibited investments; the COINS Act provision, though, also applies to notifiable investments, apparently indicating that U.S. persons will also have to recuse themselves from or otherwise avoid investment decisions on behalf of foreign persons in that broader category. The details remain to be seen in implementing regulations.
• Addition of process for transaction-specific guidance: The COINS Act requires the creation of a process by which parties can request non-binding feedback on whether a potential investment would constitute a covered national security transaction. Such feedback would be either confidential or published as anonymized guidance to the public. This is a major change to the original OISP process (which leaves the identification of prohibited and notifiable transactions entirely to the parties at their own risk) and hints at the evolution of a pre-transaction review regime for transactions raising issues. It remains to be whether Treasury’s Office of Investment Security (OIS) will be given adequate resources to meet this goal, though the NDAA does provide for limited additional funding and staffing.
• Process for review of non-notified transactions: This is not new, as OIS has already been reaching out to parties to potentially covered transactions under existing authorities. However, the COINS Act calls attention to and formalizes that process.

Authorization of existing IEEPA-based rules

Subtitle B of the COINS Act firms up the underpinning of the existing OISP by confirming that the President has authority to exercise powers under the International Emergency Economic Powers Act (IEEPA) to prohibit U.S. persons from “investing in or purchasing significant amounts of equity or debt instruments” of certain Chinese-connected or Chinese-controlled companies and the civil and criminal penalties of IEEPA apply to violations of those rules.[12] The existing OISP regime was created under the authority of IEEPA, and at first glance Subtitle B endorses that action.

Interestingly, though, Subtitle B’s authorization also incorporates language paralleling the new DPA provisions limiting the Chinese entities covered to exclude those caught by the 50% financial tests and entities owned by individual Chinese citizens. Furthermore, Subtitle B adds a requirement that a “covered foreign person” subject to the Outbound Investment Rules be “knowingly engaged in significant operations in the defense and related materiel sector or the surveillance technology sector of the economy of a country of concern.”[13] Whether those provisions would be read as an implicit limitation of IEEPA authority, or whether it will have any practical impact on enforcement pending the adoption of revised OISP regulations, remains unclear.

BIOSECURE Act

Section 851 of the NDAA implements the latest version of the BIOSECURE Act, which has been proposed in various forms since early 2024. The law effectively prohibits federal contractors from procuring goods and services from specified Chinese companies for use in federally-funded contracts.

The BIOSECURE Act prohibits U.S. federal executive agencies from:

(1) procuring, obtaining or using biotechnology services or equipment [14] from a biotechnology company of concern (BCOC);

(2) contracting with any entity that uses biotechnology services or equipment acquired from a BCOC following the effective date of the act to perform the contract; or

(3) entering into a contract with any entity if the entity knows BCOC biotechnology equipment or services will be required for performance and such equipment or services are provided after the effective date.

The prohibitions on contracting cover only contracts subject to the Federal Acquisition Regulation (FAR) and certain Department of Defense (DoD) research contracts.[15] Federal contracts not within those categories, such as agreements to furnish services to Medicare beneficiaries,[16] are outside the scope of the act.[17]

Unlike prior versions of the BIOSECURE Act, no companies are specifically named in the statute. BCOCs are to be identified on a list issued and updated annually by the White House Office of Management and Budget (OMB). Entities identified on the Chinese Military Company List published annually by the Pentagon under Section 1260H of the 2021 NDAA (not to be confused with OFAC’s CMIC List) that are active in biotechnology are to be included in the OMB list; previously, the Section 1260H list had very limited consequences (exclusion from defense contracts, which were unlikely to be awarded to the Chinese entities in question in any event), but the secondary impact of being labeled a BCOC could have a greater effect on listed companies active in life sciences. Other entities can be added to the list via an interagency process if they are found to be (1) subject to the direction or control of a foreign adversary country (currently defined as China, Iran, North Korea, and Russia), (2) engaged to any extent in manufacturing, distributing, providing, or procuring biotechnology equipment or services, and (3) a risk to U.S. national security, based on connections to military, internal security, or intelligence agencies or on obtaining human genetic and related data without consent or providing it to foreign adversary governments, or if they are a subsidiary or parent of another designated entity. (This appears to imply that subsidiaries of BCOCs not specifically designated are not automatically covered, although implementing regulations may clarify.)

The Act requires that companies designated as BCOCs be given notice of that designation and a non-classified statement of reasons for the designation, together with, “where practicable,” mitigation steps that could be taken that might result in the removal of the designation. The company named will then have 90 days to submit information and arguments in opposition to OMB. The designation is not to be made public until after the company’s response is reviewed and OMB makes a final determination.

The effective date of the BIOSECURE Act is complex. OMB has up to one year to publish the initial list of BCOCs. After that (or after any amendment to the list of BCOCs), OMB has up to 180 days to issue guidance on implementation, then the Federal Acquisition Regulatory Council has up to one year to revise the Federal Acquisition Regulation (FAR) as required to implement the prohibition. Following the revision of the FAR, prohibitions with respect to BCOCs on the 1260H list will go into effect 60 days after publication and with respect to others 90 days after publication.  Even then, there is a five-year grandfathering period with respect to biotechnology equipment and services produced or provided by a BCOC pursuant to contracts entered into prior to the relevant effective date before the ban on federal contracting applies to entities using such equipment or services. It therefore appears that customers of Chinese and other potentially affected biotechnology companies will have substantial advance notice of any ban.

Sanctions updates

The NDAA contains two relatively minor updates to OFAC’s sanctions programs, affecting the Chinese Military Companies Sanctions program and the former Syrian Sanctions Program.

The CMIC List implements limited OFAC sanctions prohibiting U.S. persons from purchasing publicly traded securities of companies designated as part of the Chinese military-industrial complex. The Chinese Military Company Sanctions Program was created pursuant to Executive Order 13959 of November 12, 2020, and substantially amended by Executive Order 14032 of June 3, 2021 (see our previous update here).[18] The NDAA does not directly amend or require the amendment of the CMIC List. However, it does require that, every two years, the President must submit to Congress a report evaluating companies contained on a wide range of China-related lists maintained by U.S. government agencies[19] and report to Congress on whether those entities meet the criteria for inclusion on OFAC’s CMIC List. As a practical matter, this may create pressure for additional designations.

The NDAA also formally repeals the Caesar Syria Civilian Protection Act of 2019 (CAESAR Act), which required the President to impose secondary sanctions on non-U.S. persons that knowingly transact in certain goods or services related to Syria. The CAESAR Act was one of the remaining statutory elements of Syrian sanctions in place but has been suspended for several months in connection with President Trump’s decision to roll back comprehensive Syrian sanctions.