Why 2025 Is a Turning Point for Public Institutions in BiH

Bosnia and Herzegovina is at a decisive crossroads in its digital journey. Government institutions, from municipal administrations and cantonal ministries to state-level agencies and public enterprises, face a convergence of pressures that makes digital transformation no longer optional.

On one side, the European Commission’s 2024 Progress Report noted that BiH remains at an early stage of digital transformation, with limited tangible progress and no coherent legislative framework fully aligned with EU requirements. On the other, a new Law on Personal Data Protection, adopted by the Parliamentary Assembly on 30 January 2025 and in force since October 2025, imposes GDPR-equivalent obligations on every public body that processes citizen data, which is all of them.

The institutions that move decisively now will build the infrastructure, workflows, and compliance posture that the EU integration process demands. Those that do not will find themselves exposed to enforcement action, operational fragility, and the kind of public scrutiny that follows a data breach involving citizens’ personal records.

This article lays out what digital transformation means for government institutions in BiH, what the new data protection law requires, and what a structured implementation approach looks like in practice.

The Current State: Heavy Bureaucracy, Paper Dependency, and Fragmented Systems

The challenge facing public institutions in BiH has been well-documented. The government of the Federation of BiH itself requested expert guidance from Interreg Europe in 2024 specifically on the challenge of digital transformation in a country with heavy bureaucracy. The core obstacles identified were consistent: an absence of streamlined processes, comprehensive databases, and centralised information systems.

Most government institutions in BiH still operate with significant paper-based document workflows. Physical files move between departments. Approvals require physical signatures. Records are stored in formats (and sometimes locations) that make retrieval slow, audit trails incomplete, and disaster recovery nearly impossible. When a physical document is lost, it is lost.

Meanwhile, the IT infrastructure that does exist has often grown organically rather than by design: disconnected systems, no shared document standards, and limited interoperability between departments or between levels of government. A staff member in a cantonal ministry cannot easily access a document that sits in a different department’s shared drive, let alone in a different institution.

This is the environment into which the new data protection obligations now arrive.

What the New Law on Personal Data Protection Requires

GDPR Alignment and What That Means in Practice

BiH’s new Data Protection Law (DPL) structurally mirrors the GDPR. It introduces the same framework of data controllers and data processors, the same categories of data subject rights, the same requirement to establish a lawful basis for every processing activity and, critically, the same penalty structures.

For public institutions, this is not an abstract compliance exercise. Every government body processes personal data constantly: citizen applications, employee records, social service files, health data, court records, tax information, surveillance footage, identity documents. Under the DPL, each of these processing activities must now be:

  • Documented in a record of processing activities (RoPA)
  • Grounded in a lawful basis — typically legal obligation, public task, or explicit consent where applicable
  • Subject to defined retention limits — data cannot be held indefinitely
  • Technically protected through appropriate security measures
  • Covered by breach notification procedures — incidents must be reported to the supervisory authority (AZLP BiH) within 72 hours

Data Protection Officers (DPOs) in Public Institutions

The DPL requires most public institutions to appoint a Data Protection Officer. This is not a nominal role – the DPO must have real expertise in data protection law and practice, genuine independence within the institution, and the authority to advise on compliance matters without interference.

For many institutions, this requirement alone represents a significant organisational change: either identifying an existing staff member with the necessary profile and providing them with appropriate training, or engaging an external DPO service.

Data Protection Impact Assessments (DPIAs)

Where an institution engages in processing that is likely to result in high risk to individuals (large-scale processing of sensitive categories of data, systematic monitoring of public spaces via CCTV, use of automated decision-making, etc.), a Data Protection Impact Assessment must be conducted before the processing begins. This is not a one-time exercise but an ongoing requirement whenever processing changes materially.

Penalties

Administrative fines under the DPL mirror GDPR structures: up to 4% of annual global turnover or €20 million, whichever is higher. For government institutions, this creates budgetary and reputational exposure that administrations and elected officials have every reason to take seriously.

Document Management Systems (DMS): The Infrastructure Foundation of Compliance

Why Paper-Based Workflows Are Not Compliance-Compatible

A government institution cannot demonstrate compliance with the DPL while operating on paper. The obligations are simply incompatible with paper-based processes:

  • You cannot produce a record of processing activities without knowing where your data is stored
  • You cannot honour a citizen’s right of access to their data within the legally required timeframe if you have to search physical files
  • You cannot implement retention limits and automated deletion schedules for paper documents
  • You cannot audit who accessed a document and when
  • You cannot guarantee data security when documents are in filing cabinets or on unstructured shared drives

A Document Management System is not only an efficiency tool, but also a compliance prerequisite.

What a DMS Provides for Government Institutions

An enterprise-grade DMS implemented in a government context delivers several interconnected capabilities:

Centralised document repository. All institutional documents (incoming, outgoing, internal, classified) are held in a structured, searchable repository. Version control ensures that the current document is always identifiable. Access controls ensure that only authorised personnel can view, edit, or delete specific documents.

Audit trails. Every interaction with a document is logged: who created it, who modified it, who viewed it, when, and from where. This is essential for both internal governance and DPL compliance, where demonstrating accountability is a core obligation.

Retention management. Documents can be assigned retention categories with automated archiving or deletion at the end of their defined retention period. This is directly required by the DPL’s data minimisation principle.

Classification and sensitivity tagging. Documents containing personal data can be tagged and treated according to their sensitivity level. This makes it possible to respond to data subject requests efficiently, identifying all records relating to a specific individual across the institution’s document corpus.

Workflow automation. Approval processes, review cycles, and sign-offs can be managed within the system rather than by physical routing. This reduces processing time, eliminates lost documents, and creates a clear record of decision-making.

Disaster recovery. Digital document stores with proper backup and replication are recoverable. Physical filing cabinets in a flooded basement are not.
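The three capabilities the DPL leans on most, an append-only audit trail, retention enforcement and per-subject record lookup for access requests, can be sketched in a few dozen lines. The following is an added illustration, not Zerick’s product or any vendor’s code; the document categories, retention periods and the hypothetical `DMS` class are constructed for the example, and the 72-hour constant reflects the notification window described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed retention schedule (days per category). A real schedule derives
# from the institution's legal basis and archival rules, not from this file.
RETENTION_DAYS = {"citizen_application": 5 * 365, "cctv": 30}
BREACH_NOTIFY_WINDOW = timedelta(hours=72)  # DPL deadline for notifying AZLP BiH

@dataclass
class Document:
    doc_id: str
    category: str           # drives the retention period
    subject_ids: frozenset  # data subjects whose personal data it contains
    created: datetime
    deleted: bool = False

@dataclass
class DMS:
    docs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # append-only audit trail

    def _log(self, actor, action, doc_id, when):
        self.audit.append((when.isoformat(), actor, action, doc_id))

    def ingest(self, doc, actor, when):
        self.docs[doc.doc_id] = doc
        self._log(actor, "create", doc.doc_id, when)

    def subject_access(self, subject_id, actor, when):
        """Right of access: every live record referencing one data subject."""
        hits = sorted(d.doc_id for d in self.docs.values()
                      if not d.deleted and subject_id in d.subject_ids)
        for doc_id in hits:  # the export itself is an auditable access
            self._log(actor, "dsar-export", doc_id, when)
        return hits

    def enforce_retention(self, when, actor="retention-job"):
        """Delete (and log) every live document whose retention period elapsed."""
        expired = []
        for doc in self.docs.values():
            limit = doc.created + timedelta(days=RETENTION_DAYS[doc.category])
            if not doc.deleted and when >= limit:
                doc.deleted = True
                self._log(actor, "retention-delete", doc.doc_id, when)
                expired.append(doc.doc_id)
        return expired

def breach_notification_deadline(detected_at):
    """Latest time a breach may be reported to AZLP BiH under the 72-hour rule."""
    return detected_at + BREACH_NOTIFY_WINDOW
```

Note that a deleted document drops out of access-request results but its lifecycle stays visible in the audit trail, which is what lets the institution demonstrate accountability rather than merely assert it.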

Integration with Existing Infrastructure

A DMS does not exist in isolation. Effective implementation requires integration with:

  • Active Directory / identity management (for access controls tied to organisational roles)
  • Email systems (for capturing inbound and outbound correspondence)
  • Electronic signature platforms (eIDAS-compliant qualified electronic signatures, such as those launched by IDDEEA in 2024)
  • Backup and disaster recovery infrastructure
  • Network infrastructure with appropriate segmentation and security controls

This is where the infrastructure partner relationship matters. A DMS vendor who delivers software but leaves network integration, server infrastructure, backup configuration, and access control architecture to someone else, or to no one, creates fragmented accountability. The document system works, but the environment around it is insecure, unmonitored, or unrecoverable.

Cybersecurity: The Non-Negotiable Prerequisite

The DPL’s requirement for “appropriate technical and organisational measures” to protect personal data is not satisfied by having a policy document. It requires working infrastructure.

BiH government institutions have faced real consequences from cybersecurity weaknesses. After a series of cyberattacks on state-level institutions in 2023, the Ministry of Security accelerated work on establishing a CERT (Computer Emergency Response Team) for BiH government institutions. This context matters: the threat environment for public sector IT is active.

For institutions undergoing digital transformation, the shift from paper to digital processes increases the attack surface. Every server that holds citizen data, every workstation connected to a document management system, every network link between departments, and every remote access pathway is a potential entry point.

A credible cybersecurity posture for a government institution in BiH in 2025 requires:

  • Network segmentation — systems holding sensitive data should not be on the same network segment as public-facing services or unmanaged devices
  • Endpoint protection — every device connecting to institutional systems should be managed, patched, and monitored
  • Access control — role-based access, multi-factor authentication, and the principle of least privilege applied throughout
  • Backup and disaster recovery — tested recovery procedures, offsite or cloud-backed copies of critical data, defined recovery time objectives
  • Incident response plans — procedures for identifying, containing, and reporting a breach, including the 72-hour notification requirement to AZLP BiH
  • Physical security — server rooms with appropriate access controls, power protection, and environmental monitoring

The EU Integration Dimension

BiH’s digital transformation agenda does not exist in isolation from the EU accession process. Data protection alignment is an explicit condition of accession. The eIDAS regulation framework, which governs electronic identification and signatures, is being progressively implemented, with IDDEEA’s qualified electronic signature service representing a significant step forward.

The EU has supported digital transformation in BiH’s public administration through direct programme funding, including a dedicated Twinning project aimed at strengthening technical and institutional capacities, improving e-services, data security, and compliance with EU standards. The Digital Europe Programme, which BiH joined in June 2024, opens access to further structural support once the parliamentary ratification process is complete.

For government institutions, this means that investment in digital infrastructure and compliance now is investment that aligns with the direction of travel for the country as a whole and that positions institutions to benefit from EU instruments as they become available.

A Structured Approach to Implementation

Zerick’s approach to digital transformation for government institutions is built around the reality that these are complex, multi-stakeholder environments with procurement requirements, political accountability, and limited tolerance for disruption to live public services.

The implementation framework we recommend follows five phases:

Phase 1: Infrastructure and Security Audit

Before deploying any new system, understand what is running in the environment today. This means a full audit of the existing network architecture, server infrastructure, endpoint estate, and current document handling practices. Security vulnerabilities that exist today will not disappear when a new document management system is added on top; they will become attack vectors into a more valuable target.

Phase 2: Infrastructure Remediation

Address the gaps identified in the audit. This typically involves network redesign to introduce appropriate segmentation, server room improvements or virtualisation where appropriate, backup and disaster recovery configuration using enterprise platforms such as Veeam, and structured cabling and connectivity upgrades where required. The foundation must be solid before the application layer is built on it.

Phase 3: DMS Selection and Deployment

Select and deploy a document management system appropriate to the institution’s size, existing systems, and specific regulatory requirements. This is not a one-size-fits-all decision: a municipal administration has different requirements from a cantonal ministry or a state-level agency. Configuration, user role mapping, and integration with identity management and email systems are all part of this phase.

Phase 4: Data Privacy Compliance Implementation

Working alongside the institution’s legal and data protection function:

  • Develop the record of processing activities
  • Implement retention schedules and classification policies within the DMS
  • Configure audit logging and access controls to meet DPL requirements
  • Support the DPO appointment or engagement process
  • Develop breach response procedures aligned with the 72-hour notification requirement
  • Conduct DPIAs for high-risk processing activities

Phase 5: Training and Managed Ongoing Support

Digital transformation fails when technology is deployed but people do not change how they work. Staff training, covering both how to use the new systems and why the compliance obligations exist, is essential. And the infrastructure must be actively maintained: patched, monitored, backed up, and supported by a team that is accountable when something needs attention.

Why the Right Partner Matters

Government digital transformation projects have a long history of delivering platforms that no one maintains, integrations that break when a vendor updates their system, and compliance documentation that bears no relationship to how the institution actually operates.

The core requirement is not a software licence or a server. It is a partner who understands the full environment, including infrastructure, network, security, systems integration, and the regulatory context, and who remains accountable after the project closes.

Zerick has been working with government institutions, municipalities, and public bodies across Bosnia and Herzegovina and the wider Western Balkans for years. Our client base includes municipal administrations, parliamentary bodies, public health institutions, and state-level agencies. We have designed and deployed server room infrastructure, structured cabling, network architecture, surveillance systems, parliamentary AV and voting systems, and managed services for environments where downtime is not acceptable.

We are not a consultancy that advises and moves on. We are the team that assesses, designs, deploys, integrates, and supports under one point of accountability, with the same engineers throughout.

Getting Started

If your institution is facing the combined challenge of digital modernisation and data protection compliance, whether you are starting from scratch or trying to bring fragmented existing systems into coherence, the right starting point is a direct conversation.

We will ask the right questions, give you an honest assessment of where you stand, and outline what a practical implementation pathway looks like for your specific environment.

Zerick d.o.o
Mustafe Kamerica 7, 71000 Sarajevo
T: +387 33 877 381
E: info@zerick.ba

Zerick d.o.o is a Sarajevo-based technology infrastructure partner serving government institutions, banking sector organisations, municipalities, and private businesses across Bosnia and Herzegovina and the Western Balkans region. Services span IT infrastructure, network solutions, data centres, system integration, managed services, advanced AV, smart city systems, security and surveillance, and IT consultation.