Cybersecurity regulation in Bosnia & Herzegovina (2026)

Bosnia & Herzegovina has no standalone national cybersecurity act. OSCE, EU Cyber Direct, and the CESS think-tank all identify this as a critical gap, noting the country is unique in South-East Europe for lacking both a cybersecurity law and a national cybersecurity strategy.

The Law on Personal Data Protection, adopted 30 January 2025 and applicable from 4 October 2025, introduces GDPR-aligned 72-hour mandatory data breach notification to the Personal Data Protection Agency and requires appointment of Data Protection Officers for certain controllers — the closest current analogue to an incident-reporting obligation.

Cybercrime is addressed through the Criminal Code of BiH, which criminalises unauthorised access to information systems and treats attacks on critical information infrastructure (including energy and transport systems) as acts of terrorism. There is no separate cybercrime act.

No state-level national CERT exists. Republika Srpska established an entity-level CERT in 2015 under its Ministry for Scientific and Technological Development. A civil-society initiative (CSEC) informally fills some response functions for NGOs and critical-infrastructure operators at the state level, but has no formal mandate.

As an EU candidate country, BiH is expected to transpose NIS2-equivalent rules as part of accession. The OSCE published strategic framework guidelines urging a national cybersecurity law harmonised with NIS2. The European Commission's 2024 Digital Public Administration Factsheet for BiH confirms the absence of a national network-and-information-security framework.

The OSCE Mission to BiH held multiple cybersecurity conferences in 2025–2026, convening government, private sector, and academia to promote public-private partnership models and push for a state-level CERT and dedicated legislation, but no law has resulted yet.