JPM 2026: AI compliance and BIOSECURE top list of device supply chain concerns

BIOSECURE and US-China Relations

On December 18, 2025, U.S. President Trump signed into law S. 1071, the “National Defense Authorization Act for Fiscal Year 2026,” which authorizes $901 billion in FY-2026 appropriations, principally for U.S. Department of War programs. The law includes the “BIOSECURE Act,” which bars U.S. executive agencies from procuring biotechnology equipment or services from “biotechnology companies of concern,” and from entering into contracts or grants that involve the provision of such equipment or services.

The BIOSECURE Act came about as a result of concerns that U.S. genomic data obtained by non-U.S. CDMOs supporting biotechnology research and development could be accessed by foreign adversary governments, including China.  We recently explained online here how the new law defines a “biotechnology company of concern” to include companies included on the “Section 1260H” list of companies with ties to the Chinese military as well as biotechnology companies determined to present a national security risk as a result of ties to foreign adversary governments.

Under BIOSECURE, biotechnology companies of concern likely will include Chinese CDMOs that are embedded in the supply chains of biopharmaceutical companies that market their products in the U.S. Biopharmaceutical and biotechnology firms will need to assess whether the potential loss of Federal contracts and grants as a result of these CDMO relationships will be significant enough to prompt action to secure alternative CDMO arrangements.

Our panelists on the J.P. Morgan Fireside Chat on regulatory readiness will discuss how companies can assess the potential impact of BIOSECURE and ultimately mitigate risk associated with this new law.

Medical Device Compliance

Given the recent geopolitical uncertainty, companies with global manufacturing operations must reassess how their footprints and processes meet evolving compliance obligations in the US and around the world. This may require strategic adjustments to quality systems, contracts, and inspection readiness. In the U.S., the Food and Drug Administration (FDA) has modernized its Quality Management System Regulation (QMSR), harmonizing U.S. medical device current good manufacturing practices (CGMP) with global standards by incorporating ISO 13485:2016.Effective February 2, 2026, the new framework emphasizes management‑driven quality, risk‑based decision‑making, and continuous improvement. For Class III PMA devices, changes to manufacturing facilities may require new FDA submissions, making operational changes potentially complex and time‑consuming.

Meanwhile in China, moving production can trigger complex re-registration and compliance challenges with local authorities. Our J.P. Morgan Fireside Chat panelists will advise on how to best navigate these complexities, recommending that manufacturers conduct regulatory gap analyses, update QMS documentation, assemble multidisciplinary transition teams, and plan for post-market surveillance. In addition, mock inspections and audit simulations may be beneficial to ensure readiness.

Global supply chains for medical devices have become increasingly complex, driven by geopolitical tensions, evolving regulatory requirements, and growing expectations around transparency and traceability. Manufacturers must navigate differing regional standards, shifting trade policies, and heightened scrutiny of sourcing and data‑handling practices. These pressures require companies to map dependencies across multiple tiers, strengthen supplier qualification and monitoring, and build redundancy to reduce vulnerability to disruption. As regulatory frameworks converge and expand, effective supply chain management now demands coordinated cross‑functional oversight and flexible operational strategies to ensure continued market access and resilience.

AI & Digital Health Oversight

Explaining its plans for regulatory oversight of digital health products in particular, the U.S. FDA has announced plans for eight guidance documents to be released in 2026, pledging to issue guidance on topics including AI, patient preference information, and digital health devices that aim to assist with weight loss, surgery, and mental health.

This week, FDA issued two significant updates affecting digital health and device software functions. First, FDA released a revised General Wellness: Policy for Low Risk Devices, expanding the scope of products that may qualify as non‑device “general wellness” tools—particularly those using non‑invasive sensors to output physiological parameters when used solely for wellness purposes. Second, FDA published an updated Clinical Decision Support (CDS) Software guidance, which relaxes several constraints from its 2022 version and clarifies which CDS functions fall outside the definition of a medical device. Notably, FDA signaled enforcement discretion for certain CDS tools that meet statutory exclusion criteria even when they generate a single clinically appropriate recommendation. Collectively, the updates aim to reduce regulatory burden, improve clarity for developers, and reflect FDA's evolving, more flexible posture toward low‑risk digital health technologies and software‑driven clinical support functions.

One new FDA guidance document that we are anticipating will clarify the types of information that should be included in a Predetermined Change Control Plan (PCCP) as part of a marketing submission for an artificial intelligence-enabled device software function (AI-DSF). A PCCP is critical to enable a device sponsor to obtain FDA pre-approval for intended modifications (and their method of implementation) to an AI-DSF without the need for additional marketing submissions for each modification delineated and implemented in accordance with the PCCP.

FDA also promised new guidance in 2026 on its “Policy for Device Software Functions and Mobile Medical Applications,” which is expected to clarify the U.S. agency's thinking regarding the regulation of applications that are meant to run on a mobile platform or on a browser tailored for use on a mobile platform. We see these guidance documents as the heart of regulatory innovation for adaptive technologies, and look forward to reading about how FDA aims to balance flexibility with safety as medical devices become increasingly autonomous.

In addition to its plans to issue new guidance, FDA announced a Request for Public Comment on the evaluation of devices that integrate generative AI (GenAI)-enabled technology. FDA's request emphasizes the need for robust, real-world monitoring to ensure safe & effective AI use in clinical settings, saying it is investigating practical approaches to measuring and evaluating the performance of AI-enabled medical devices in the field. Specifically, FDA has expressed concern over “data drift”: that AI system performance can be influenced by changes in clinical practice, patient demographics, data inputs, health care infrastructure, user behavior, workflow integration, or changes to clinical guidelines. In China, the National Medical Products Administration (NMPA) and National Health Commission (NHC) have similarly promulgated evolving guidelines for AI and digital health products, emphasizing data security, algorithm transparency, and a rigorous approval process that is often aligned with China's Data Security Law and Personal Information Protection Law.

Authored by Jodi Scott, Joy Sturm, and Lu Zhou