What is AI regulation in Bosnia and Herzegovina?


Bosnia and Herzegovina does not yet have a dedicated AI law. Today, AI governance is shaped mainly by the 2025 Law on Protection of Personal Data, supervised by the Agency for Personal Data Protection, plus broader human rights, administrative and sector rules. EU accession is the main driver of future alignment: the European Commission is urging Bosnia and Herzegovina to align with the EU AI Act, but that is not yet domestic BiH law.

Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026

What this means

If an AI system in Bosnia and Herzegovina uses personal data, the main legal questions usually come from privacy law, not from a Bosnia-specific AI statute, because no dedicated AI act has been verified in the official material reviewed for this article. The practical issues are lawful processing, transparency, minimisation, security, profiling, automated decision making, data transfers, and whether a data protection impact assessment is required.

That means AI compliance in Bosnia and Herzegovina is mostly data governance work first. Organisations need to map what data the system uses, who acts as controller or processor, whether the system makes or supports significant decisions about people, and what safeguards are in place. The Agency for Personal Data Protection has inspection, corrective and fining powers under the 2025 law.

The direction of travel is still European. Bosnia and Herzegovina is moving through a complex EU accession process, and the European Commission is already telling it to align with the EU AI Act and related digital rules. In parallel, the country signed the Council of Europe AI Framework Convention in late 2025, although the latest official material reviewed still showed the domestic ratification path moving forward in May 2026.

Why it matters

Organisations sometimes assume that if there is no AI act, there is little real legal risk. In Bosnia and Herzegovina that is the wrong reading. If your system handles personal data, profiles people, monitors behaviour, supports hiring, lending, insurance, education, healthcare, policing or public service delivery, the 2025 data protection law can already trigger documentation duties, data protection officer requirements, impact assessments, prior consultation, complaints, inspections and significant fines.

There is also a strategic reason to care now. Bosnia and Herzegovina is aligning with the EU acquis through accession, but it does so in a fragmented, multi-level system of government. That means AI controls, procurement language, accountability structures and legal reforms can move unevenly, then tighten quickly once a coordinated accession step lands. For founders, buyers, advisers and public sector leaders, waiting for a single future AI law is not a safe plan.

How it works

No dedicated AI act has been verified yet

No state-level, sector-neutral AI act was identified in the official sources reviewed for this article. The clearest verified hard law for mainstream AI use is the new personal data regime, together with existing constitutional, human rights, administrative, procurement and sector rules. The European Commission still describes Bosnia and Herzegovina as being at an early stage on digital transformation and media, with no progress in 2025, and explicitly invites the country to align with the EU AI Act. That shows the AI-specific framework is still being built rather than already enacted.

The 2025 personal data law is the main enforceable layer

The Law on Protection of Personal Data was adopted in January 2025, published in Official Gazette No. 12/25 in July 2025, entered into force eight days later, and became applicable after a 210-day delay. It is expressly framed as aligning Bosnia and Herzegovina with the GDPR and Directive (EU) 2016/680. It applies to automated processing of personal data and to certain non-automated processing as well.

For AI governance, the most important parts are familiar to anyone who works with GDPR-style regimes. The law covers lawful bases, transparency, purpose limitation, data minimisation, accuracy, storage limits, security, controller and processor duties, data protection by design and by default, records of processing, data protection officers, impact assessments, prior consultation, international transfers and enforcement. It also reaches some foreign actors: a controller or processor outside Bosnia and Herzegovina can still fall within scope if it offers goods or services to people in Bosnia and Herzegovina or monitors their behaviour there.

The law is directly relevant to AI because it defines profiling, regulates automated decision making, and gives people a right not to be subject to decisions based solely on automated processing, including profiling, where those decisions have legal effects or similarly significant effects. For competent authorities in criminal justice and public security settings, solely automated adverse decisions are prohibited unless a specific law authorises them and includes safeguards.

The Agency is the key supervisor where personal data is involved

The Agency for Personal Data Protection in Bosnia and Herzegovina is the independent supervisory body under the 2025 law. It is not a general AI office, but it is the most important verified regulator for AI systems that process personal data. The law gives it inspection and audit powers, access powers over premises and equipment, corrective powers such as warnings, rectification, erasure and restriction orders, powers to suspend international data transfers, and powers to initiate misdemeanour proceedings.

The law also gives data subjects a practical route to challenge AI-related processing. A person can complain to the Agency, go to court against the Agency in an administrative dispute, and seek judicial redress and compensation against controllers or processors. Fines can be severe, including turnover-based penalties for some infringements. Public bodies are treated differently on fines, but responsible persons and employees can still face penalties.

Multi-level government shapes how AI governance actually moves

Bosnia and Herzegovina does not regulate digital issues through a simple one-ministry, one-statute model. The Directorate for European Integration explains that EU accession coordination is built around safeguarding the competences of all levels of government and their institutions. In practice, that means countrywide digital and AI alignment has to work through a layered constitutional structure rather than a single central AI authority.

This matters for real deployment. Public sector AI projects may involve state institutions, entity institutions, Brčko District authorities and, depending on the field, cantonal responsibilities as well. The 2025 personal data law itself defines a public body broadly as a legislative, executive or judicial body at all levels of government. So for public procurement, public administration, policing, health or education use cases, governance questions are often as important as the technology itself.

European and regional alignment are moving faster than a domestic AI code

Bosnia and Herzegovina is being pulled into the European digital framework from several directions. In 2024 it ratified accession to the Digital Europe Programme, which opens participation in areas such as artificial intelligence, cyber security and digital skills. That does not regulate AI by itself, but it increases policy exposure, skills development and practical alignment with EU digital priorities.

The country also signed the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law on 9 December 2025. That is important because it frames AI through rights, democracy and rule of law, not only innovation or industrial policy. But it is not the same thing as a finished domestic AI code. The latest official material located for this article shows that, in May 2026, the Council of Ministers was still advancing a proposal decision on ratification.

Examples

A bank, insurer or employer uses an AI scoring tool to rank people, predict reliability or reject applications. In Bosnia and Herzegovina, that should be treated as a data protection issue immediately if personal data is involved. The 2025 law regulates profiling and restricts decisions based solely on automated processing where they have legal or similarly significant effects. If the tool systematically and extensively evaluates personal aspects of people, that is also the kind of processing that can trigger a data protection impact assessment.

A ministry, municipality or police-related body considers camera analytics or facial recognition. The Agency has already published implementation guidance that treats new technologies such as biometric readers, facial recognition and IT services processing personal data as examples of processing that can create high risk and therefore strengthen record keeping and risk assessment duties. For competent authorities, solely automated adverse decisions also need a specific legal basis and safeguards.

An overseas AI vendor offers a model-based service into Bosnia and Herzegovina and tracks user behaviour for optimisation or fraud detection. The vendor cannot assume Bosnia and Herzegovina is legally irrelevant merely because the company is abroad. The 2025 law applies extraterritorially where processing is tied to offering goods or services to people in Bosnia and Herzegovina, or monitoring their behaviour there.

Common misunderstandings

"Bosnia and Herzegovina already has an AI Act." No. No dedicated, sector-neutral AI law was verified in the official sources reviewed for this article.

"If there is no AI Act, AI is basically unregulated." False. Personal data protection law, human rights law, administrative law, procurement rules and sector rules can already govern AI use.

"The EU AI Act is already Bosnia and Herzegovina law." No. It is an alignment target through accession, not an automatically applicable domestic statute.

"Only large technology firms need to worry." No. Any controller or processor using personal data, including SMEs, public bodies and buyers of third-party AI tools, can trigger obligations.

"Public interest is enough to justify fully automated public sector decisions." No. For competent authorities, solely automated adverse decisions need a specific legal basis and safeguards.

Risks and boundaries

Several limits need to be stated plainly.

First, this is not a full AI rulebook. The strongest verified hard law is still the personal data regime. So AI systems that do not process personal data may be governed more by sector law, procurement rules, discrimination principles, consumer protection or constitutional rights than by any AI-specific statute.

Second, the 2025 personal data law is still being operationalised. It contains transitional measures, including a two-year period for bringing other laws and existing processing into line, and it expects subordinate legislation and Agency practice to fill in parts of the system. That means some implementation detail can still mature through by-laws, guidance and enforcement practice.

Third, Bosnia and Herzegovina has a layered constitutional structure. AI governance can therefore move unevenly across state, entity, district and cantonal levels. A state-level AI strategy was not verified in the official sources used for this article.

Finally, the Council of Europe AI Convention matters, but signing or even ratifying it is not the same as having a detailed domestic AI compliance code. As of the latest official material located for this article, the ratification path was still moving in May 2026.

What to do next

Start with an AI and data map, not with branding. Identify where personal data enters the system, who is the controller and who is the processor, whether the system profiles people, whether any decision is solely automated, and whether public authority or criminal justice rules are engaged. Build a written risk review, decide whether a data protection officer is required, and run a data protection impact assessment where new technologies or high-risk processing are involved. Put human review, challenge routes, vendor clauses, transfer controls and audit rights into the operating model. Then watch two moving tracks at the same time: Agency guidance under the 2025 personal data law, and EU accession-driven alignment with the AI Act and wider digital acquis.


FAQs

Does Bosnia and Herzegovina have a dedicated AI law?

No dedicated, sector-neutral AI law was verified in the official sources reviewed for this article.

What is the main law affecting AI today?

The main verified hard law is the 2025 Law on Protection of Personal Data, especially where AI systems process personal data.

Who is the main regulator for AI issues?

There is no standalone AI regulator verified in the official material reviewed here. Where personal data is involved, the key supervisor is the Agency for Personal Data Protection.

Does the EU AI Act apply automatically in Bosnia and Herzegovina?

Not as domestic Bosnia and Herzegovina law. It is, however, a clear alignment target in the EU accession process.

What if an AI system makes decisions about people?

The 2025 law gives people a right not to be subject to decisions based solely on automated processing, including profiling, where the decision has legal or similarly significant effects, subject to limited exceptions and safeguards.

When is a data protection impact assessment likely to matter?

It matters where processing, especially using new technologies, is likely to create a high risk to rights and freedoms. Systematic and extensive automated evaluation is a clear example.

Do foreign AI vendors fall outside the law?

No. The law can apply to controllers or processors outside Bosnia and Herzegovina if they offer goods or services to people in the country or monitor their behaviour there.

Has Bosnia and Herzegovina joined any international AI instrument?

Yes. It signed the Council of Europe AI Framework Convention in December 2025, but the latest official material reviewed still showed the domestic ratification path moving forward in May 2026.

Sources