The Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina (IDDEEA) would like to inform people and the general public about false claims concerning our digital identification and electronic signature services.
The Minister of Interior of Republika Srpska, Mr. Siniša Karan, indicated that the IDDEEA does not have the jurisdiction to develop a service for direct communication with citizens and that the introduction of digital signatures poses a potential risk to individuals.
These claims are false and unsubstantiated.
Article 8, paragraph 6 of the Law on the Agency for Identification Documents, Registers, and Data Exchange of BiH, as well as the Law on Electronic Signatures, provide the legal foundation for issuing electronic certificates and electronic signatures relating to identification documents. IDDEEA has the legal basis and authority to provide these services, which is confirmed by the current legislation, as well as the recertification and proof of compliance with eIDAS standards and laws, which were submitted to the Ministry of Communications and Transport of Bosnia and Herzegovina.
First and foremost, the provisions of the Law on the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina (Official Gazette of Bosnia and Herzegovina, 56/08) govern the responsibilities of the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina (IDDEEA). Regarding the issuance of electronic certificates and electronic signatures, Article 8, paragraph 6 of the Law on the Agency states that IDDEEA is responsible for digital signing in the field of identification documents, i.e. it is responsible for electronic certificates and electronic signatures related to identification documents, which are governed by the law.
We would like to remind you that, in compliance with the provisions of the Law on Electronic Signatures in BiH and associated regulations, IDDEEA is registered in the register of certification authorities maintained by the Ministry of Communications and Transport of Bosnia and Herzegovina, beginning April 15, 2022, under serial number 3. According to European Regulation EU No. 910/2014 eIDAS and the audit conducted on September 30, 2021, as well as the recertification performed in November 2023, it was confirmed that all equipment, services, and processes in the Agency intended for the issuance of electronic certificates, i.e. qualified certificates, fully meet the standards and measures prescribed by the stated regulation. As a result, all electronic certificates issued by the IDDEEA are legally binding and recognised. Based on the foregoing, it is clear that the IDDEEA has legal jurisdiction to issue electronic certificates and electronic qualifying certifications. All equipment, services, and processes in IDDEEA intended for the issuance of electronic certificates, i.e. qualified certificates, fully comply with international standards and prescribed measures to ensure that user identification and authentication processes are carried out properly and as prescribed. Data is processed in compliance with applicable data protection and storage legislation. All operations and data connected to data processing, collecting, and storage while issuing electronic certificates are carried out in compliance with the current Law on Electronic Signatures of BiH and associated internal regulations.
Furthermore, as an authorised body for the provision of trusted services, IDDEEA fully implements the procedures, actions, obligations, and guidelines outlined in the Rulebook on specific requirements for issuing qualified certificates (Official Gazette of BiH, 14/17). Additionally, internal regulations and documents that specify practical guidelines for issuing qualified certificates, certification and authentication policies, and electronic signature guidelines are also fully implemented by IDDEEA. The protection of personal data and other data produced during operations is a top priority for IDDEEA. The Law on the Agency and the Rulebook on the method and contents of the registers (Official Gazette of BiH, 55/15) specify the content of the registers maintained by the IDDEEA and based on its content; the data is only stored in the registers specified by this rulebook. As a result, we repeat that IDDEEA is legally authorised to produce electronic signatures and is listed as a certification authority (CA) in the register of certification authorities.
Moreover, subject to amendments to the Law on the Identity Card of Citizens of Bosnia and Herzegovina from 2012, the Rulebook on Amendments to the Rulebook on the application form for the issuance and replacement of an identity card, the procedure for issuing and replacing an identity card and the method of keeping registers on requests (Official Gazette BiH, 102/12) was issued. The Rulebook, among other things, prescribes that the applicant, i.e. a citizen of Bosnia and Herzegovina, is issued a Certificate of identification and activation number on the form LK/OI – 2A. Along with the ID number and activation code, the Certificate of identification and activation number includes a disclaimer stating that the card cannot be used as identification or to travel state borders until the date of collection is electronically documented. Both the identity card and identification number for digital representation (E-Identity) activation instructions are included in the Certificate.
Therefore, as specified by the Rulebook on the application form for the issuance and replacement of an identity card, the procedure for issuing and replacing an identity card, the method of keeping registers on requests (Official Gazette of BiH, 102/12), and the Certificate of Identification and Activation Number on form LK/OI – 2A, which is an integral part of this Rulebook, the grounds for the digital representation of citizens of Bosnia and Herzegovina are enabled. In the Certificate of Identification number on form LK/OI – 2A, it is prescribed that the customer use the identification number for digital representation when using the e-service. The number that the customer receives represents the transport number and it must be changed immediately after recording the transport number on the Agency’s website. Instructions for changing the transport number and using the identification number can be found at the link: http://www.iddeea.gov.ba/
As a result, each specified action is carried out by the IDDEEA completely legitimately and in full compliance with the applicable regulations. One of the most important procedures for the legal issuance of qualified certificates is certainly the implementation of certification procedures associated with the issuance of qualified certificates, subject to the applicable Law on Electronic Signature and the eIDAS regulation. During November 2023, we carried out the recertification procedure and submitted all relevant documentation to the Office for the Supervision and Accreditation of Certifiers, established within the Ministry of Communication and Transport of Bosnia and Herzegovina. As a result, we were listed by the Ministry with document number 10-02-2-1194-5/23 from January 23, 2024, which informed us that, in compliance with the SIQ certificate EIDAS 009/2023, which is valid until November 3, 2025, as well as additional supporting documentation and evidence submitted in the relevant procedure, the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina maintains its accreditation status as a certifier in the Register of Certifiers in Bosnia and Herzegovina.
Although we conducted actions and put in place a solution for remote digital signatures of documents at the beginning of 2024, we also took additional measures to further certify the system for issuing qualified digital certificates for remote signing. The final auditor’s report on the certification audit OSV eIDAS 580-2024 was released by certification house SIQ from Ljubljana, Republic of Slovenia, on April 30, 2024. This report certifies that the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina has put in place TSP service components that oversee remote QSCD/SCDev.
he audit report described above provides complete confirmation that the system currently in place for providing qualified digital certificates for remote signing meets all criteria set forth by relevant regulations, standards, and the eIDAS regulation. A document number 10-29-12-131-3/24, dated May 9, 2024, issued by the Ministry of Communications and Transport, verified that the IDDEEA certifier’s documentation complied with the law, referring to the audit report OSV eIDAS 580-2024, dated April 30, 2024, and the Practical Rules for the Provision of Certification Services by Certifiers of the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina (Certification Practices Statement, CPS), dated January 17, 2024. Consequently, pursuant to the law on electronic signatures in BiH, IDDEEA is the authorised certifier. The process for issuing qualifying certificates and the identification and submission of issuance requests are outlined in Article 9 of the law. The certifiers’ registration offices handle this process. Paragraph (2) of this article states that a qualified certificate request may be made to a legal body that has been given authorization by the certifier. As a result, user identity and requests will be processed in compliance with IDDEEA regulations as the authorised certifier. MUP’s offices may act as registration offices, but only as legal entities authorised by IDDEEA. They may also carry out these actions only in compliance with a signed agreement that specifies the extent of work and actions, as well as the CPS’s mandatory application, which is exclusively established by IDDEEA.
We would like to remind the public that twelve years ago, an electronic signature and digital identity system ought to have been put in place. Significant efforts and resources have been deployed in the past few months to enable the full deployment of these technologies, which will benefit the people of Bosnia and Herzegovina greatly. This is the culmination of years of wasted opportunities. We warn all MUPs that the harm citizens suffer from inaccurate information is not negligible. Our electronic signature and digital identity solution provide the best possible protection for personal information. Experts at international events like “Identity Week” have praised us for the additional security measures we have incorporated, like dynamic codes and various identity checks.
It is important to keep in mind that IDDEEA was required by applicable regulations to prove that it possesses insurance against potentially harmful situations, which further ensures user safety, to be accredited as a digital signing provider in Bosnia and Herzegovina. IDDEEA has received international certification and has been included on the list of certifiers, confirming to our adherence to all applicable regulations and standards. This fact adds even more evidence to the trustworthiness of our systems and services.
There are specific regulations governing the provision of services connected to the issuing of qualified certificates in Bosnia and Herzegovina. At least one of the certifiers listed in the records offers e-identity and cloud signature services in compliance with these rules. Furthermore, there is a corporate body that “implemented” the National Centre for Digital Identity Management; nonetheless, it is obvious that not all individuals are subject to the same regulations, as is the expression of concerns about identity theft and data protection.
The question is, why is IDDEEA a target? The reason IDDEEA is a target is the question. Perhaps because we wish to create and offer free services to the people of Bosnia and Herzegovina in compliance with the law? Perhaps these troubles are interfering with someone’s business plans. Perhaps in an effort to divert attention from other potential incidents of identity theft that we brought up and reported to the appropriate authorities, such as instances involving poor fingerprint quality and low-quality biometrics in other processes involving identification documents? Or is it because some system users object to reports of who, when, and on whose behalf the data was searched—as has been the custom up until now—because of the implemented systems for monitoring logs and searching registers to protect the personal data of citizens of Bosnia and Herzegovina? Those who read this will undoubtedly come to their own judgements regarding these issues.
In conclusion, IDDEEA has the legal right to create a digital identity service, as well as to provide electronic certificates and qualified electronic signatures that are compatible with identification documents in Bosnia and Herzegovina. These responsibilities are specifically defined in the applicable laws and regulations of Bosnia and Herzegovina. International certification and registration in the certifiers’ records attest to IDDEEA’s compliance with all requirements and standards for the provision of these services. By using multiple identity confirmation processes and cutting-edge cryptographic techniques, the IDDEEA’s digital identification and electronic signature system guarantees the highest level of safety and security for personal data. In the interest of the people of Bosnia and Herzegovina, IDDEEA continues to further develop and enhance these digital services. It also invites interested parties to collaborate constructively rather than spreading misleading data that undermines public confidence, and it offers free education in the aforementioned field to anyone who expresses interest.