NDAA for FY 2026 and the impending changes to the US Outbound Investment Security Program
8 min read
On December 18, 2025, President Trump signed the National Defense Authorization Act for Fiscal Year 2026 (“NDAA FY2026”) into law. As we outlined in a previous post, the NDAA FY2026 does not solely fund defense programs or refine acquisition processes – it is also a tool used by Congress to enact broader policy objectives. To that end, the NDAA FY2026 included changes to the United States’ regulatory regime governing American investment in sensitive technologies in “countries of concern.” The Comprehensive Outbound Investment National Security Act of 2025 (“COINS Act”), included in the NDAA FY2026, broadens and refines the existing Outbound Investment Security Program (“OISP”), which is outlined under 31 C.F.R. Part 850 and detailed in our previous posts, here and here. While the Department of Treasury (“Treasury”) has 450 days to issue regulations implementing the COINS Act—and thus these changes are not immediately in effect—the associated modifications signal bipartisan and continued support of limitations on outbound investment from the United States.
The OISP regulations currently in effect prohibit or require notification of certain outbound US investments to countries of concern (the only such country being China, including Hong Kong and Macau) in several technology sectors relevant to military, intelligence, surveillance, or cyber-enabled capabilities, specifically semiconductors and microelectronics, quantum information technologies, and certain artificial intelligence systems. The basic framework of the OISP and the COINS Act are the same as both regimes prohibit or require notification of specific investments in certain technologies into countries of concern.
At a high-level, the COINS Act, upon Treasury’s issuance of the implementing regulations, will amend the scope of the OISP in the following ways:
- Hypersonic systems and high-performance and supercomputing are likely to be added as national security relevant sensitive technologies. Specified activities (“covered activities”) involving hypersonic systems and high-performance and supercomputing technologies will be regulated alongside the pre-existing semiconductor and microelectronics, quantum information technology, and artificial intelligence sectors covered by the existing OISP regulations. While the current OISP regulations do cover supercomputing under its coverage of semiconductors and microelectronics, it is likely that the explicit mention of high-performance and supercomputing in the COINS Act signals that Treasury will look to expand coverage in this area. The scope of coverage around the new sensitive technologies will be determined by Treasury’s implementing regulations.
- “Countries of concern” will include Cuba, Iran, North Korea, Russia, and Venezuela (under the Nicolas Maduro regime). As noted, coverage is currently limited to China, including Macau and Hong Kong. Under the COINS Act, the definition of “country of concern” will expand to include the aforementioned countries. While this is an increase in the scope of the OISP, there likely will not be a significant practical effect given existing US sanctions. We expect Treasury’s implementing regulations to clarify the application of the definition to Venezuela given President Maduro’s capture and extradition to the United States on January 3, 2026.
-
The COINS Act includes certain additional exceptions to coverage. Most exceptions outlined under the COINS Act track the existing regulations or state more clearly what types of transactions aren’t covered. Several notable COINS Act exceptions include:
1. Transactions considered to be de minimis, as determined by the Secretary of the Treasury. This is a new exception to the OISP under the COINS Act.
2. Ancillary transactions undertaken by a financial institution, including, e.g., processing, settling, clearing, or sending of payments, and credit rating services. While these services are not currently covered under the OISP, the COINS Act makes the exception more explicit.
3. A transaction secondary to a covered national security transaction, including (i) contractual arrangements (not including those for technology transfer or technical knowledge transfer) or the procurement of material inputs for any covered national security transaction (e.g., raw materials), (ii) bank lending, (iii) processing, clearing or sending of payments via a bank, (iv) underwriting services including, but not limited to, the temporary acquisition of an equity interest for the sole purpose of facilitating underwriting services, (v) debt rating services, (vi) prime brokerage, (vii) global custody, (viii) equity research or analysis, or (ix) other similar services. As above, most of these services are not currently covered under the OISP, and the COINS Act makes this more explicit. However, prong (iv) above is a new exception as the Preamble to the current OIP regulations states that the temporary acquisition of securities for the purpose of underwriting would be a covered transaction.
4. Administrative or ordinary business transactions, to be defined by the implementing regulations. This is a new exception to the OISP under the COINS Act.
To note, Treasury issued new FAQ guidance on December 23, 2025, following enactment of the COINS Act, wherein the agency indicated, among other points, that the exception for investments in publicly traded securities would apply to the following types of transactions, provided that the relevant US person does not receive rights beyond certain minority protections: (i) the temporary acquisition of securities as part of underwriting services for a follow-on offering for an existing class of publicly traded securities and (ii) the acquisition of a contingent equity interest (including convertible debt) that is convertible into, or provides the right to acquire, only publicly traded shares.
-
The definition of “covered foreign person” may change, potentially broadening in some respects and narrowing in another. The definition of “covered foreign person” under the COINS Acts includes a foreign person that is:
1. Incorporated in, has a principal place of business in, or is organized under the laws of a country of concern;
2. A member of the Chinese Communist Party or in the political leadership of a country of concern;
3. The state, government, political subdivision, agency, political subdivision or instrumentality thereof of a country of concern;
4. Subject to the direction or control of the above-described covered foreign persons;
5. Owned in the aggregate, directly or indirectly, 50% or more by any entity falling under the above definitions that knowingly engage in significant defense or related material operations or surveillance technology sector of a country of concern.
While there is overlap with the definition of “covered foreign person” under the current OISP regulations, the current definition is broader in that it includes any person that receives or expends more than 50% of its revenue, net income, capital expenditure, or operating expenses from or on a person of a country of concern that engages in covered activities, On the other hand, the COINS Act more broadly covers any person “subject to the direction or control” of a covered person.. The COINS Act defers to Treasury on the definitions of “direction” and “control.” - Treasury will be required to create a non-exhaustive public database of covered foreign persons that engage in prohibited or notifiable technologies. In some instances, this database could reduce or eliminate the need for due diligence, depending on how robust the list is.
- Treasury will be required to establish a formal non-notified process for “covered national security transactions” involving prohibited and notifiable technologies. We understand that Treasury currently has such a process to execute the OISP, but the COINS Act formally requires it. We anticipate this structured outbound non-notified process will function similarly to the non-notified process within the Committee on Foreign Investment in the United States (“CFIUS”) whereby dedicated staff examine public sources and transactional databases for investments that would fall under act coverage and were otherwise not notified or made in violation of the act’s prohibitions. In any event, the explicit creation of such a body demonstrates the focus on enforcement and should signal to investors to employ additional caution to ensure compliance with the applicable regulations.
- Treasury will be required to outline a process for providing non-binding feedback on whether a transaction would be prohibited. Individuals will be able to request confidential feedback or request anonymized guidance to the public as to whether or not a transaction constitutes an investment in a prohibited technology. The COINS Act does not, however, outline a similar mechanism with respect to assessing whether a transaction is subject to notification requirements.
- The process for US person self-disclosure of transactions in violation of the OISP prohibitions will be further outlined and clarity provided. The COINS Act charges Treasury with outlining the form and content of self-disclosure of transactions in violation of the act’s restrictions on investments in prohibited technology, though the disclosure must include the relevant facts, an explanation of why the US person believes a violation occurred, and a proposal to mitigate harm. The extent to which self-disclosure will reduce the likelihood of imposed penalties is, however, not explicitly specified. Notably, the COINS Act does not mention self-disclosure for violations of the OISP’s notification provisions.
In addition, Treasury must submit an annual report to Congress. This report must include an accounting of enforcement actions taken and notifications received, identification of any potential additions to the list of covered technologies, an overview of current trends in prohibited and notifiable technology, and an impact assessment related to the OISP’s notification regime, among other requirements. Importantly, the report will be subject to appropriate confidentiality and classification requirements.
Businesses and US persons should closely monitor Treasury’s rulemaking process to assess the impending impact of the COINS Act and its implementing regulations on existing or contemplated investments in sensitive technologies located in the expanded list of “countries of concern.”
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP
