New Guidance Issued and Changes Underway for U.S. Outbound Investment Regime as 2026 NDAA Defense Bill Introduces Outbound Investment, Sanctions, and Biotech Updates

January 16, 2026

For more insights and analysis from Cleary lawyers on policy and regulatory developments from a legal perspective, visit What to Expect From a Second Trump Administration.

On December 18, 2025, President Trump signed the 2026 National Defense Authorization Act (“NDAA”), a sweeping defense spending bill that brings a number of changes to the U.S. outbound investment security program, U.S. economic sanctions, and biotechnology restrictions relating to federal procurement. 

First, the NDAA includes the Comprehensive Outbound Investment National Security (“COINS”) Act, which provides a statutory basis for the U.S. Outbound Investment Security Program (“OISP”) and directs the U.S. Department of the Treasury (“Treasury”) to issue new regulations that expand the relevant “countries of concern” and covered sectors, as well as certain exceptions. On December 23, 2025, Treasury also issued new FAQs clarifying the scope of the publicly traded securities exception and confirming that the current OISP rules will remain in effect until Treasury issues regulations to implement the COINS Act.

The NDAA also includes a number of sanctions provisions, including those relating to so-called Chinese military-industrial complex companies, fentanyl-related sanctions, as well as a repeal of remaining secondary sanctions relating to Syria. In addition, the NDAA includes a revised version of the BIOSECURE Act prohibiting U.S. federal agencies from contracting with entities using biotechnology products or services from a to-be-determined list of companies linked to China, Iran, North Korea, and Russia.

I. Outbound Investment Regime – NDAA

The OISP, which entered into effect on January 2, 2025, prohibits or requires U.S. persons to submit notifications for certain investments in companies related to “countries of concern” (China, Hong Kong, and Macau) that are engaged in activities in certain sensitive sectors (semiconductors and microelectronics, artificial intelligence, and quantum information technologies). For an overview of the existing OISP, see our alert memorandum of November 2024, linked here.[1] Whereas the OISP was implemented by agency rulemaking pursuant to a 2023 executive order, the COINS Act directs Treasury, in consultation with the U.S. Departments of Commerce, State, and other relevant federal agencies, to issue new regulations to amend or supersede the OISP. Thus, the substantive COINS Act provisions will not enter into effect until such regulations are implemented.[2]

Although the structure of the OISP will remain essentially the same, the COINS Act provides a more permanent statutory basis for the regime (i.e., any future revocation of the regime would effectively require congressional approval), authorizes funding to hire staff and conduct industry outreach, and instructs Treasury to implement processes found in other economic national security regimes, such as self-disclosures, identification of non-notified transactions, and formal guidance requests. The new regulations – to include relevant stakeholders in the rulemaking process for “low-burden regulations” – are to be issued no later than 450 days after enactment of the COINS Act, subject to public notice and comment. 

A. Covered Foreign Persons

In substantive terms, the COINS Act largely will maintain the existing OISP, subject to modifications of scope. The OISP will continue to apply to U.S. persons and their controlled foreign entities, placing notification requirements or prohibitions on “covered national security transactions,” defined as engaging in certain transactions with or relating to “covered foreign persons,” which are linked to a “country of concern” and engaged in or develop certain prohibited or notifiable activities or technologies. 

The COINS Act expands the scope of the OISP in two key ways:

  • The list of “countries of concern” will not only include China, Hong Kong, and Macau, but also Cuba, Iran, North Korea, Russia, and Venezuela “under the regime of Nicolas Maduro Moros” (it remains to be seen how this provision will be implemented following the arrest of Mr. Maduro). Given comprehensive sanctions in place that already prohibit U.S. persons from investing in Cuba, Iran, North Korea, and Russia, the primary significance of the OISP will remain on China. 
  • The OISP’s list of “covered activities” (i.e., defined activities that would trigger a notification or prohibition for U.S. persons investing in companies engaged in such activities) will be expanded from activities in the semiconductors and microelectronics, artificial intelligence (“AI”), and quantum information technologies sectors, to also include high-performance computing and supercomputing and hypersonic systems.[3] The specific technical parameters of the covered activities, as well as the future designation of additional sectors, will be subject to notice-and-comment rulemaking in consultation with Congress.

The COINS Act otherwise generally is consistent with the current definition of “covered foreign person,” including entities that are incorporated in, have a principal place of business in, are organized under the laws of, or the government (including any political subdivision, agency, or instrumentality) of, a country of concern, or owned in the aggregate, directly or indirectly, 50 percent or more by such entities. However, the COINS Act narrows the inclusion of individual citizens or permanent residents of a country of concern to only members of the Central Committee of the Chinese Communist Party or other political leadership of a country of concern (in each case, that are not also U.S. citizens or permanent residents) and also sets forth a more general standard for persons “subject to the direction or control of a country of concern,” to be defined further by regulation.[4] 

Notably, the COINS Act is silent on whether parties of any nationality also may be deemed to be covered foreign persons if they derive 50 percent or greater of certain financial metrics from covered foreign persons (including revenue, net income, capital expenditure, or operating expenditure) – as is presently the case under the OISP and has resulted in uncertainty among companies with Chinese investments or subsidiaries, ranging from offshore holding companies to publicly listed multinationals.

B. Covered, Excepted, and Exempt Transactions

Under the COINS Act, “covered national security transactions” include the following types of transactions by U.S. persons (or their controlled foreign subsidiaries) with respect to covered foreign persons:

  • acquisition of equity interests or contingent equity interests;
  • provision of a loan or similar financing arrangement, where such debt financing affords or will afford a U.S. person an interest in profits, the right to appoint members of the board of directors (or equivalent), or other comparable financial or governance rights characteristic of an equity investment but not typical of a loan;
  • entrance into a joint venture with a covered foreign person, wherever that joint venture is located, that will engage, or plans to engage, in a prohibited technology or notifiable technology;
  • conversion of a contingent equity interest (or interest equivalent to a contingent equity interest) or conversion of debt to an equity interest;
  • acquisition, leasing, or other development of operations, land, property, or other assets in a country of concern where such acquisition, leasing, or other development will result in, or is planned to result in: (I) the establishment of a covered foreign person; or (II) the engagement of a person of a country of concern in activities relating to a prohibited technology or notifiable technology;
  • knowingly directing prohibited transactions or notifiable transactions by foreign persons that the U.S. person has knowledge at the time of the transaction would constitute one of the above transactions, if engaged in by a U.S. person (the OISP currently restricts knowingly directing prohibited transactions but not notifiable transactions);
  • acquisition of a limited partner or equivalent interest in a venture capital fund, private equity fund, fund of funds, or other pooled investment fund (in each case where the fund is not a U.S. person) that the U.S. person has knowledge at the time of the acquisition likely will invest in a person of a country of concern that engages in activities involving one of the notifiable technology or prohibited technology sectors, and such fund undertakes a transaction that would be a covered national security transaction if undertaken by a U.S. person; or
  • any other transaction identified by the Secretary, in consultation with the appropriate congressional committees and subject to public notice and comment, that is contributing to the military, intelligence, surveillance, or cyber-enabled capabilities of a country of concern.

The COINS Act also lays out a largely similar set of excepted transactions compared to the current OISP, with a few notable additions explicitly carving out certain “ancillary transactions” and “secondary” financial services transactions, some of which have been subject to uncertainty under the existing regulations. They include the following categories:

  • any transaction of a de minimis value to be determined by Treasury;
  • any category of transactions determined by Treasury to be in the national interest of the United States;
  • an investment:
    • in publicly traded securities;
    • in a security issued by an investment company that is registered with the Securities and Exchange Commission (“SEC”), or, if the Secretary chooses to include it as an exception from a covered national security transaction, in a security issued by a non-U.S. investment company that is registered with a foreign regulator with comparable oversight standards and regulatory jurisdiction to the SEC as determined by Treasury through the rulemaking process;
    • made as a limited partner or equivalent in a venture capital fund, private equity fund, fund of funds, or other pooled investment fund (other than as described in (b) above) where: (i) the limited partner or equivalent’s committed capital is not more than a de minimis amount, as determined by the Secretary, aggregated across any investment and co-investment vehicles of the fund; or (ii) the limited partner or equivalent has secured a binding contractual assurance that its capital in the fund will not be used to engage in a transaction that would be a covered national security transaction if engaged in by a U.S. person; or
    • in a derivative of a security described under (a), (b), or (c) above;
  • any ancillary transaction undertaken by a financial institution, where “ancillary transaction” means (1) the processing, settling, clearing, or sending of payments and cash transactions; (2) underwriting services, including the temporary acquisition of an equity interest for the sole purpose of facilitating underwriting services; (3) credit rating services; and (4) other services ordinarily incident to and part of the provision of financial services, such as opening deposit accounts, direct custody services, foreign exchange services, remittances services, and safe deposit services;
  • a buyout of a covered foreign person – i.e., the acquisition by a U.S. person of the equity or other interest owned or held by a covered foreign person in an entity or assets located outside of a country of concern in which the United States person is acquiring the totality of the interest in the entity held by the covered foreign person;
  • an intracompany transfer of funds from a U.S. parent company to a subsidiary located in a country of concern or a transaction that would otherwise be a covered national security transaction that (1) supports operations that are not covered national security transactions or (2) maintains covered national security transactions that the controlled foreign person was engaged in prior to the effective date of the regulations;
  • a transaction secondary to a covered national security transaction, including: (1) contractual arrangements (not including contractual arrangements for technology transfer or technical knowledge transfer) or the procurement of material inputs for any covered national security transaction (such as raw materials); (2) bank lending; (3) the processing, clearing, or sending of payments by a bank; (4) underwriting services including, but not limited to, the temporary acquisition of an equity interest for the sole purpose of facilitating underwriting services; (5) debt rating services; (6) prime brokerage; (7) global custody; (8I) equity research or analysis; or (9) other similar services;
  • any ordinary or administrative business transaction as may be defined in such regulations; or
  • any transaction completed before December 18, 2025.

As with the OISP, the COINS Act also authorizes specific “national interest” exemptions to otherwise prohibited transactions, which will be assessed on a case-by-case basis. 

C. Violations and Remedies

Under the COINS Act, Treasury may compel divestment of closed prohibited transactions, consistent with the current OISP. Additionally, Treasury is authorized to establish a process for identifying non-notified covered national security transactions, and to establish a process for voluntary self-disclosures. The enforcement mechanisms described under the COINS Act largely parallel those already in use by Treasury for CFIUS, OFAC, and OISP purposes.

D. Public Guidance and Multilateralism

A key addition in the COINS Act is the expanded role for Treasury in offering public and private guidance to parties. Specifically, Treasury and the Commerce Department may establish a public database of “covered foreign persons” (which Treasury has previously declined to do) and are directed to establish a formal process whereby U.S. persons may request non-binding feedback on a confidential basis or as anonymized guidance to the public as to whether a transaction would qualify as a “covered national security transaction.”

Lastly, the COINS Act calls for bilateral and multilateral engagement with U.S. allies and partners to promote coordination on outbound investment regulations and to establish protocols and procedures for sharing information. In January 2025, the European Commission published a recommendation calling on EU member states to review outbound investments of domestic companies into non-EU countries.[5] The EC called for an assessment of outbound investments in three sectors deemed to have a high level of potential risk (semiconductors, artificial intelligence and quantum technologies – paralleling the OISP). EU member states were directed to provide interim progress reports in July 2025 (to the extent such reports have been delivered, they are not publicly available), and were directed to provide final reports on the EC’s recommendation by June 2026.

II. Outbound Investment Regime – New Treasury FAQs

On December 23, 2025, Treasury issued five new FAQs, clarifying the application of the OISP to certain financial services activities.[6] Those FAQs lay out the following clarifications regarding the OISP:

  • The acquisition in a follow-on offering of securities that are fungible with existing publicly traded securities (such as the same identification number, material rights, and privileges) qualify for the publicly traded securities exemption (as would acquisitions in connection with underwriting such an offering), and the acquisition of such securities qualify as an excepted transaction so long as the securities do not provide rights beyond standard minority shareholder protections.
  • The acquisition of a contingent equity interest convertible into or providing the right to acquire publicly traded securities are excepted transactions, so long as such a convertible equity interest does not provide rights beyond standard minority shareholder protections.
  • Financial institutions’ assistance with an initial public offering (IPO) for a covered foreign person, where such assistance does not include the financial institution’s acquisition of any non-publicly traded securities, is outside the scope of the OISP.
  • The acquisition of shares after a public listing, pursuant to a subscription agreement (or other similar agreement) entered into in advance of an IPO, may still qualify for the publicly traded securities exception so long as the shares are publicly traded at the time of acquisition.
  • Holding the right to make shareholder proposals (including nominating, but not appointing, a director) is a governance right consistent with passive investment. This FAQ revises earlier guidance that effectively imposed a cap on holding certain publicly traded securities of certain jurisdictions in which such rights are granted at 3% or lower shareholding thresholds.

III. Sanctions

A. COINS Act Sanctions

The COINS Act authorizes the President to prohibit U.S. persons from investing in or “purchasing significant amounts of equity or debt instruments” of covered foreign persons, which are defined in relevant part – and distinct from the OISP definition – to include Chinese companies “knowingly engaged in significant operations” in the Chinese defense or surveillance sectors. 

The COINS Act also requires the President to submit an annual report to Congress describing whether any entities listed on the OFAC Non-SDN Chinese Military-Industrial Complex Companies List (“CMIC List”) are “covered foreign persons.” In addition, the COINS Act directs the President to determine whether additional Chinese entities should be added to the CMIC List, including those entities already listed on the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) Military End-User List, BIS’s Entity List, the U.S. Department of Defense’s 1260H List, the U.S. Federal Communication Commission’s Covered List, and the Uyghur Forced Labor Prevention Act Entity List. The COINS Act expressly excludes the authority to restrict the import of goods through its sanctions-related authorities.

B. Repeal of the Ceasar Act

The NDAA also repeals the Caesar Syria Civilian Protection Act of 2019 (Caesar Act), subject to confirmatory reports from the President to Congress within 90 days of enactment of the NDAA, and every 180 days thereafter for the following four years, that the new government of Syria is meeting certain security obligations. These obligations include showing commitment to defeat ISIS in partnership with the United States, showing progress in providing security for religious and ethnic minorities in Syria, combating money laundering and terrorist financing, and not engaging in unilateral military action against neighboring countries, including Israel. The NDAA specifies that failure by the Syrian government to meet its obligations under the NDAA will result in the reimposition of Caesar Act sanctions. Repeal of the Caesar Act sanctions is a key step in removing the remaining threat of imposition of U.S. secondary sanctions on parties engaged in dealings with Syria after the significant majority of OFAC sanctions relating to Syria were formally terminated in July.[7]

C. BUST Fentanyl Act – Expansion of Fentanyl-Related Sanctions

Further, the NDAA includes the Break Up Suspicious Transactions of Fentanyl Act (“BUST Fentanyl Act”), which includes provisions for expanding cooperation with the Chinese government in combatting fentanyl trafficking, and also includes revisions to the Fentanyl Sanctions Act, 21 U.S.C. 2302(5)), expanding the targets of fentanyl-related sanctions. The BUST Fentanyl Act authorizes the imposition of various sanctions against foreign government entities, instrumentalities (including financial institutions owned or controlled by a foreign government, which primarily targets Chinese state-owned banks), senior officials, and other persons who are determined to “knowingly” engage in, or provide significant support for, a significant activity or financial transaction that materially contributed to opioid trafficking, as well as parties owned, controlled, directed by, or acting on behalf of, such persons. 

Among other directives, the BUST Fentanyl Act also directs the President to “prioritize” the identification of Chinese persons involved in fentanyl shipment and production until the President certifies to Congress that China is “no longer the primary source of fentanyl” and its precursors and equipment.

IV. BIOSECURE Act

In addition, the NDAA includes the BIOSECURE Act, which prohibits U.S. federal contractors from procuring goods and services from certain Chinese companies for use in federally funded contracts. Specifically, the BIOSECURE Act prohibits U.S. federal agencies from (1) procuring or obtaining biotechnology equipment or services from a biotechnology company of concern (“BCC”); (2) contracting with entities that use biotechnology equipment or services from BCCs (acquired after the effective date of designation of the BCC) to perform the contract; or (3) contracting with entities knowing that a BCC’s equipment or services (acquired after the effective date of designation of the BCC) will be required for performance of the contract. These prohibitions apply to contracts subject to the Federal Acquisition Regulation (“FAR”). 

Unlike in prior versions of the BIOSECURE Act, no companies are expressly identified in the statute. Rather, the Act directs the White House Office of Management and Budget (“OMB”) to issue and update a list of BCCs on an annual basis. First, OMB is directed to include on the BCC list entities that are already on the 1260H List and active in biotechnology. Second, OMB also is directed to add other entities to the list if they are determined to be (1) subject to the direction or control of a foreign adversary (currently, China, Iran, North Korea, and Russia), (2) engaged in manufacturing, distributing, providing, or procuring biotechnology equipment or services, and (3) a risk to U.S. national security, based on (a) certain connections to military, security, or intelligence agencies, (b) obtaining of human genetic and related data without consent or (c) providing such data to foreign adversary governments, or (4) a subsidiary or parent of another designated BCC.

The BIOSECURE Act requires that OMB provide entities that it plans to designate as BCCs notice of such designation and a non-classified statement of reasons for the designation, along with, where possible, an explanation of mitigation measures that could be taken to avoid designation. The entity will then have 90 days to submit information to OMB to protest the designation or demonstrate mitigation. Such designations are not public until after OMB receives the entity’s response and makes a final determination.

The NDAA provides for a relatively lengthy runway before designated parties are announced and the relevant restrictions enter into effect. Most immediately, OMB is required to publish an initial list of BCCs within one year of the BIOSECURE Act’s enactment (by December 18, 2026). OMB then has 180 days to issue guidance on implementation, and the Federal Acquisition Regulatory Council has up to one year thereafter to revise the FAR to implement the Act’s prohibitions. Following revision of the FAR, prohibitions with respect to BCCs on the 1260H List will enter into effect 60 days after publication and within 90 days of publication for all other BCCs. From there, a five-year grandfathering period will apply with respect to biotechnology equipment and services acquired from a BCC under contracts entered into prior to the relevant effective date.

**

Cleary’s National Security and International Trade team is continuing to track developments on the Trump administration’s national security and international trade policies.

[1] Our blog post is also available at https://www.clearygottlieb.com/news-and-insights/publication-listing/long-awaited-us-outbound-investment-regime-published-will-become-effective-january-2-2025. We previously discussed President Trump’s “America First Investment Policy in a February 2025 blog post, which can be read here: https://www.clearytradewatch.com/2025/02/president-trump-issues-america-first-investment-policy-confirms-u-s-openness-to-foreign-investment-from-allies-and-partners-calls-for-enhanced-restrictions-on-investments-from-and/.

[2] See also U.S. Dep’t of the Treasury, FAQ XI.2, available at https://home.treasury.gov/policy-issues/international/outbound-investment-program/frequently-asked-questions.

[3] The OISP presently includes in the “prohibited” category, the development, installation, sale, or production of any supercomputer enabled by advanced integrated circuits that can provide a theoretical computing capacity of 100 or more double-precision (64-bit) petaflops or 200 or more single-precision (32-bit) petaflops of processing power within a 41,600 cubic foot or smaller envelope. In addition, a separate bill similar to the COINS Act proposed including in the “prohibited” category the development, design, or production of (i) “materials, components, avionics, flight control, propulsion, Global Positioning System (GPS), data relay, and target detection systems designed for use in hypersonic systems or capable of sustainable operations above 1,000 degrees Celsius” or (ii) any other technologies in the covered sectors that are subject to U.S. export controls.

[4] The current OISP effectively sets a 50 percent ownership/voting threshold, or the power to direct or cause the direction of the management and policies, by a person of a country of concern.

[5] The EC’s recommendation is available here: https://ec.europa.eu/commission/presscorner/detail/en/ip_25_261.

[6] The cumulative list of all OISP FAQs is available here: https://home.treasury.gov/policy-issues/international/outbound-investment-program/frequently-asked-questions.

[7] We previously discussed the enactment of the Caesar Act in a prior blog post, available at https://www.clearytradewatch.com/2019/12/compromise-u-s-defense-bill-provides-for-new-secondary-sanctions-against-russia-syria-and-north-korea/. We discussed the U.S. Government’s termination of economic sanctions on Syria in a prior blog post, available at https://www.clearytradewatch.com/2025/07/u-s-government-formally-terminates-economic-sanctions-on-syria/.