Data protection

1. Local data protection laws and scope

Law on Protection of Personal Data BiH (Official Gazette of BiH No. 49/06, 76/11 and 89/11) and connected by-laws – especially the Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of BiH, No. 67/09).

Unofficial English text of the Law on Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 49/06) can be found here and Amendments to the Law on the Protection of Personal Data (Official Gazette of Bosnia and Herzegovina No. 76/11) can be found here.

The Law on Protection of Personal Data covers the protection of personal data on the territory of BiH processed by all public institutions, as well as natural and legal persons, unless otherwise specified.

The scope explicitly excludes personal data processed by natural persons for private purposes. 

2. Data protection authority

Personal Data Protection Agency (PDPA): www.azlp.ba

3. Anticipated changes to local laws

As part of its effort to join the EU, BiH is obliged to harmonise its legislation with EU legislation. This includes the GDPR.

Important disclaimer: Please note that the new Law on Protection of Personal Data was adopted in early 2025, but its actual application begins only in October 2025. The information provided herein therefore reflects, and is prepared pursuant to, the Law on Protection of Personal Data from 2006 outlined above, as the law currently in effect and applicable.

4. Sanctions & non-compliance

Administrative sanctions:

The PDPA is authorised to supervise the enforcement of the Law on Protection of Personal Data. Breach of the Law on Data Protection is a misdemeanour and the PDPA can also impose fines of up to BAM 100,000 (around EUR 50,000) for non-compliance with the Law.

The Law on Protection of Personal Data sets out separate fines for: the legal entity acting as the data controller; its legal representative (e.g., management); and its employees.

Criminal sanctions:

Possible, as unauthorised collection, processing and sharing of personal data can be subject to criminal prosecution and result in criminal fines or imprisonment.

Others:

N/A

5. Registration / notification / authorisation

The data controller must submit its personal data registries to the PDPA. The PDPA compiles all personal data registries in the PDPA General Registry. In cases of automated personal data processing, further requirements may apply, such as prior notification to the PDPA and additional organisational and technical security requirements.

PDPA approval may be necessary in certain instances, for example, in cases of transfers of personal data to countries which do not provide adequate measures of personal data protection and where the regulated exemptions are not met.  

6. Main obligations and processing requirements

Although not an exhaustive list, controllers must generally ensure that:

  • their personal data registries are adequately created and registered;
  • data processing agreements are concluded with data processors in accordance with the applicable rules;
  • data subjects’ consent is obtained in the form and with the contents required under the Law, as and when required;
  • data subjects’ rights are complied with (e.g., the right to be informed); and
  • technical and organisational security measures are in place.

7. Data subject rights

Under the PDPA, the following rights are provided to individuals, subject to certain exemptions:

  • Right to be informed about the collection of data before such collection starts, and about its source (unless collected from the data subject), i.e., the third party providing the information;
  • Right of access to personal data;
  • Right to object in general;
  • Right to object to direct marketing; and
  • Right to request correction, deletion or blocking of data.

Other rights are also envisaged, such as the right to withdraw consent for data collection and processing, to file a complaint with the PDPA, to object to the transfer of data, to request compensation, etc.

8. Processing by third parties

A data processing agreement must be concluded. Mandatory form and contents of such agreements are regulated under the Law on Protection of Personal Data.

9. Transfers out of country

Personal data can be transferred out of BiH to a country that applies adequate security measures as prescribed by the Law on Protection of Personal Data.

The transfer of personal data outside BiH to a country that does not provide adequate security measures is permissible only in specifically prescribed instances.

10. Data Protection Officer

Not expressly provided for under primary legislation; however, secondary legislation envisages an administrator of personal data registries.

The administrator is, inter alia, responsible for the due performance of security measures, registration, and protection of personal data.

In addition, a controller that has its seat outside the territory of Bosnia and Herzegovina and uses automated or other equipment located on the territory of Bosnia and Herzegovina for data processing must appoint a representative for such processing, unless the equipment is used only for the purpose of transit of data over Bosnia and Herzegovina. Recently, the PDPA has taken a more expansive stance regarding the application of this requirement, indicating that it may apply to any foreign controller doing business in the territory of Bosnia and Herzegovina and thereby collecting and/or processing personal data.

11. Security

Both the data controller and the data processor must take appropriate technical and organisational security measures to protect personal data, especially in cases of automated personal data processing. Specific requirements are provided for under secondary legislation, namely the “Rulebook on the maintenance and special technical security measures for personal data”.

12. Breach notification

There are no explicit obligations for private legal entities acting as data controllers or data processors to notify data subjects or the PDPA.

Secondary legislation however requires that the data processor, the administrator of personal data registries, and the natural person employed or engaged by the data controller to perform activities related to personal data processing, notify the data controller’s responsible person of an attempt to gain unauthorised access to the data protection security system.

Note, however, that according to recent stances taken by the PDPA, breach notifications made in accordance with the provisions of the EU GDPR are welcomed.

13. Direct marketing

The Law on Protection of Personal Data specifies a general opt-out regime for direct marketing. It makes no differentiation between different forms of direct marketing (e-mail, regular mail, and phone).

Data subjects have the right to:

  • object to the data controller’s future use or transfer of their personal data for the purpose of direct marketing; and
  • be notified before their personal data is transferred for the first time to a third party for direct marketing purposes.

14. Cookies and adtech

There is no explicit provision, but if any personal data is collected or processed, any policies or procedures regulating cookies and similar technologies should be reviewed against the Law on Protection of Personal Data.

15. Risk scale

In relation to regulatory obligations and severity of enforcement, the country is ranked as one of the following:

Medium (moderate)

Cybersecurity

1. Local cybersecurity laws and scope

Bosnia and Herzegovina (“BiH”) is composed of two distinct administrative entities, the Federation of BiH (“FBiH”) and Republika Srpska (“RS”), as well as condominium District Brčko (“DB”) as a separate administrative unit. Legislation applicable to this overview has been introduced at different administrative levels, as follows:

State level (Bosnia and Herzegovina):

  • Criminal Law of BiH (Official Gazette of BiH, No. 3/03, 32/03, 37/03, 54/04, 61/04, 30/05, 53/06, 55/06, 32/07, 8/10, 47/14, 22/15, 40/15, 35/18, 46/21, 31/23 and 47/23)
  • Law on Criminal Procedure (Official Gazette of BiH No. 3/03, 32/03, 36/03, 26/04, 63/04, 13/05, 48/05, 46/06, 76/06, 29/07, 32/07, 53/07, 76/07, 15/08, 58/08, 12/09, 16/09, 93/09, 72/13, 65/18)
  • Law on the Protection of Personal Data (Official Gazette of BiH No. 49/06, 76/11, 89/11)
  • Law on the Protection of Classified Data (Official Gazette of BiH, No. 54/05, 12/09)
  • Law on Communication of BiH (Official Gazette of BiH, No. 33/02, 31/03, 75/06, 32/10, 98/12)
  • Law on Electronic Signature (Official Gazette of BiH, No. 91/06)
  • Law on Electronic Document BiH (Official Gazette of BiH, No. 58/14)
  • Law on Prevention of Money Laundering and Financing of Terrorism (Official Gazette of BiH, No. 13/2024)
  • Rulebook on the maintenance and special technical security measures for personal data (Official Gazette of BiH, No. 67/09)

Federation of Bosnia and Herzegovina:

  • Criminal Law of FBiH (Official Gazette of FBiH No. 36/03, 37/03, 21/04, 69/04, 18/05, 42/10, 59/14, 76/14, 46/16, 75/17, 31/23)
  • Law on Criminal Procedure FBiH (Official Gazette of FBiH No. 35/03, 37/03, 56/03, 78/04, 28/05, 55/06, 27/07, 53/07, 9/09, 12/10, 8/13, 59/14, 74/20)
  • Law on Electronic Document of FBiH (Official Gazette of FBiH No. 55/13)

Republika Srpska:

  • Criminal Law of RS (Official Gazette of RS No. 64/17, 104/18, 15/21, 89/21, 73/23 and Official Gazette of BiH, No. 9/24 – BiH Constitutional Court Decision, 31/25)
  • Law on Criminal Procedure of RS (Official Gazette of RS No. 53/12, 91/17, 66/18, 15/21)
  • Law on Electronic Signature of RS (Official Gazette of RS No. 106/15, 83/19)
  • Law on Electronic Document of RS (Official Gazette of RS No. 106/15)
  • Law on Electronic Business Activities of RS (Official Gazette of RS No. 59/09, 33/16)
  • Law on Electronic Money of RS (Official Gazette of RS No. 01/24)
  • Law on Information Security of RS (Official Gazette of RS No. 70/11)

District Brčko:

  • Criminal Law of DB (Official Gazette of RS, No. 10/03, 45/04, 6/05, 21/10, 47/11, 9/13, 33/13, 47/14, 26/16, 13/17, 19/20-consolidated text, 03/24, 3/24)
  • Law on Criminal Procedure (Official Gazette of RS, No. 44/10, 9/13, 34/13, 27/14, 3/19, 16/20)
  • Instruction on mode of execution of protection of classified data on computers (Official Gazette of DB, No. 29/06)

2. Anticipated changes to local laws

After the First Cyber Security Threat Assessment was published in March 2023, the first steps towards the establishment of a CERT team were made. In May 2023, the Council of Ministers approved the amendments to the Rulebook on the Internal Organization of the Ministry of Security of BiH, which will allow the establishment of a CERT within the Ministry of Security. The adoption of the Rulebook is expected soon. The next step, as reported by the Council of Ministers, is admitting staff into the CERT. Additionally, draft legislation governing e-signatures has also been prepared and is likely to undergo the parliamentary consideration process.

As a general note, considering its EU accession path, BiH is taking action towards harmonising its laws with those of the EU. This is likely to mean harmonisation with EU legislation in the field of cybersecurity.

3. Application 

The laws and regulations cover BiH’s obligations arising from the Convention on Cybercrime (Budapest, 23 November 2001), ratified by the Presidency of BiH on 25 March 2006.

The laws and regulations have different material and geographical scopes. For example (non-exhaustive):

  • the “Rulebook on the maintenance and special technical security measures for personal data” regulates technical and organisational security measure obligations for all personal data controllers and personal data processors in BiH;
  • the Law on Protection of Classified Data of BiH applies to all institutions, legal entities and citizens of BiH, and to international or regional organisations (if regulated by an international agreement). It sets out obligations for: all state, RS, and FBiH administrative organs at all government levels; persons performing public duties; and all legal entities that have access to or use classified data, including their employees;
  • the Law on Electronic Signature of BiH regulates: the use of electronic signatures in closed systems (regulated by contracts between a known number of contracting parties); and open electronic communication with the court and other institutions;
  • the Law on Electronic Document of BiH applies to public institutions and all other legal entities, entrepreneurs, and natural persons, whenever they participate in activities before relevant institutions that include the use of equipment and programs for the production, transfer, download, and maintenance of information in electronic form; and
  • the Law on Electronic Business Activities of RS applies to providers of information society services on the territory of RS.

4. Authority

Bosnia and Herzegovina (also applicable for FBiH)

  • Department for Informatics and Telecommunication Systems (Security Ministry of Bosnia and Herzegovina): www.msb.gov.ba

FBiH

RS 

  • Unit for Preventing High-tech Crime (Ministry for Internal Affairs of RS): www.mup.vladars.net
  • Ministry for Scientific and Technological Development, Higher Education and Information Society: www.vladars.net

5. Key obligations 

The laws and regulations cover different aspects of cyber security requirements. For example (non-exhaustive):

  • the “Rulebook on the maintenance and special technical security measures for personal data” requires data controllers and data processors to: appoint an administrator of personal data registries who is responsible for the orderly performance of security measures; adopt a security measures plan; and implement prescribed or other regulated organisational and technical safeguards;
  • the Law on Protection of Classified Data of BiH requires data that may cause a threat to national security or the national interest of BiH to be classified. It also regulates security procedures for access to classified data;
  • the Law on Electronic Signature of BiH requires special technical measures and procedures for the safe use of electronic signatures;
  • the Law on Electronic Document of BiH requires: maintenance of electronic documents in electronic archives that must ensure requirements stipulated in the law; special security treatment of electronic documents containing classified data; and
  • the Law on Electronic Business Activities of RS requires providers of information society services to: transparently provide detailed information about the provider, the contract conditions, and service prices; immediately notify the relevant RS institution if they establish that their services are being used for illegal activities, etc.

6. Sanctions & non-compliance 

Administrative sanctions:

  • Law on Protection of Classified Data of BiH: fines of up to BAM 5,000 (around EUR 2,500)
  • Law on Electronic Signature of BiH: fines of up to BAM 16,000 (approximately EUR 8,000)
  • Law on Electronic Document of BiH: fines of up to BAM 15,000 (around EUR 7,500)
  • Law on Electronic Business Activities of RS: fines of up to BAM 15,000 (around EUR 7,500)

Criminal sanctions:

  • Criminal Law of Federation of Bosnia and Herzegovina:
    • criminal offences against systems of electronic data processing (six criminal offences, such as computer sabotage, unauthorised access, etc.)
    • fines and/or imprisonment of up to 12 years for the most serious offences.
  • Criminal Code of Republika Srpska:
    • criminal offences against the security of computer data (seven criminal offences, such as computer sabotage, unauthorised access, etc.)
    • fines and/or imprisonment of up to 10 years for the most serious offences.
  • Criminal Law of District Brčko:
    • criminal offences against systems of electronic data processing (six criminal offences)
    • fines and/or imprisonment of up to 12 years for the most serious offences.

Other:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

  • Bosnia and Herzegovina – a CERT within the Security Ministry of BiH was established in March 2017 but is still not operational.
  • Bosnia and Herzegovina – CSEC (within the Criminal Policy Research Center in Sarajevo, established in 2022) – CSEC was established with the intent of becoming part of the University of Sarajevo, to strengthen cybersecurity in Bosnia and Herzegovina.
  • RS – the Agency for Information Society in RS established a CERT (June 2015), which is now operating within the Ministry for Scientific and Technological Development, Higher Education and Information Society.
  • FBiH – in 2018 the Government of the Federation of Bosnia and Herzegovina adopted a Decision on the appointment of a working group for responding to computer incidents (CERT) for the institutions of the Federation of Bosnia and Herzegovina, and as of July 2020 the CERT establishment project for the institutions of FBiH was in its final stage.

8. National cybersecurity incident management structure

In 2017 the BiH Council of Ministers adopted the “Decision on the adoption of information systems policies management in the BiH institutions for 2017-2022”, which aims to set up an information security management system (ISMS) in accordance with relevant ISO standards.

The precondition for setting up this structure is the adoption of legislation on information security and on the security of networks and IT systems of BiH, which is still pending. For the CERT to become operational, several political decisions are still awaited.

9. Other cybersecurity initiatives 

Yes, there are several strategies led by governmental authorities that focus on cybersecurity.