EC - Audiovisual Service Cooperators Photographer : José-Joaquín Blasco Muñoz Luca Cabrini Copyright European Union , 2018

The New National Security Risk: Biotech

Both the US and Europe are embedding biotech data into national security policy.

April 13, 2026

In December 2025, the US Congress passed the BIOSECURE Act, reclassifying human biological data as a strategic asset and a national security priority. That same month, the European Commission proposed the EU Biotech Act, framing biotech in terms of strategic autonomy and economic security.

Most people didn’t notice.

They should have. Washington and Brussels are signaling that human biological data is like advanced semiconductors or AI models. Control matters. Although the allies’ approaches are similar, they are not identical; Europe remains more concerned about biotech competitiveness than security.

The data in question — often called “multiomic” data — spans the full spectrum of biological information: DNA, RNA, proteins, metabolic markers, and more. Taken together, these datasets provide a comprehensive picture of human biology. They are foundational to drug development, personalized medicine, and disease surveillance. Aggregated at scale, they can reveal population-level vulnerabilities and confer economic advantage in the race to develop next-generation pharmaceuticals.

The BIOSECURE Act restricts federal agencies from procuring biotech equipment or services from firms with military or intelligence ties to foreign adversaries. Entities are also prohibited from transferring biological data to foreign governments or obtaining human genomic data without informed consent. The act targets Chinese entities such as BGI, MGI, Complete Genomics, Wuxi AppTec, and Wuxi Biologics.

Congress is sending a clear message: data governance determines geopolitical trustworthiness. Lawmakers have expressed concern that foreign entities may collect human genomic data without adequate transparency or safeguards. By conditioning federal funding and procurement eligibility on how biological data is handled, the act embeds privacy protection into national security screening.

Under BIOSECURE, companies must evaluate not only a supplier’s ties to a foreign adversary’s military or intelligence apparatus, but also how it stores, transmits, and governs biological data. Cloud platforms, analytics services, and even sequencing equipment with embedded software may all fall within the law’s scope. In effect, Washington has woven data provenance into national security vetting.

Consider what this means in practice. A foreign biotechnology firm develops a breakthrough therapy for a debilitating disease — one that depends on the sharing of biological data to deliver individualized treatment through precision medicine. Should American patients be permitted to share their data with that firm? On what terms? Who decides: the patient, the state, or the company?

The BIOSECURE Act offers no clear answers. It also does not define nor establish personal ownership of genetic data. That omission may not seem pressing today. But as biotech accelerates, it will become one of the most significant points of contention.

Get the Latest

Like BIOSECURE, Europe’s new proposal treats biotechnology supply chains as geopolitical infrastructure. Like BIOSECURE, it is concerned with reducing dependence on Chinese suppliers. And like BIOSECURE, it embeds biosecurity considerations into frameworks that were previously governed by commercial and scientific logic.

But there are important differences, Where Washington’s approach is prohibitive — banning procurement from designated firms — Brussels leans toward competitiveness and capacity-building: streamlining regulation, mobilizing investment through a €10 billion partnership with the European Investment Bank, and creating regulatory sandboxes.

The EU also focuses on supply chain security. It’s proposed Critical Medicines Act seeks to reduce dependence on non-EU, mostly Asian, suppliers of Active Pharmaceutical Ingredients.More than 80% of imported pharmaceutical ingredients entering the EU come from just five countries: China (45%), India, Indonesia, the US, and the UK.

Taken together, these initiatives represent a transatlantic convergence. Washington and Brussels are reaching the same conclusion through different regulatory traditions: biological data, pharmaceutical supply chains, and biotech infrastructure are no longer purely commercial domains. They are strategic assets.

Scientific innovation has historically flourished through openness. International genomic consortia have mapped diseases, tracked viral mutations, and accelerated drug development. If data ecosystems fragment along geopolitical lines, the result will slow progress and duplicate efforts.

By treating biological data as strategic property, Washington and Brussels may trigger a chain reaction. Data localization requirements, cross-border transfer restrictions, and competing standards could proliferate. What began as targeted security measures on both sides of the Atlantic might harden into a balkanization of life sciences.

Whether this approach proves stabilizing or disruptive will depend on implementation. In the US, BIOSECURE grants significant discretion to the Office of Management and Budget to designate biotech companies “of concern.” Expansive designations could chill legitimate collaboration and raise costs for American researchers.

In Europe, the Biotech Act’s success will depend on whether the Commission can streamline regulation without sacrificing safety and ethical standards. On both sides of the Atlantic, narrow and carefully justified applications may strike a balance between vigilance and openness. Broad and politically driven ones will not.

Neither the US nor Europe has answered the question that will matter most as these frameworks take hold: who owns the data at the center of it all? The state that classifies it as sovereign? The company that sequences it? Or the person whose body produced it?

Elly Rostoum is a Senior Resident Fellow with the Center for European Policy Analysis (CEPA).

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis.CEPA maintains a strict intellectual independence policy across all its projects and publications

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.