The Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina (IDDEEA) wants to inform citizens of Bosnia and Herzegovina and the public about incorrect allegations presented by the Ministry of the Interior of Republika Srpska (MUP RS) concerning the authorities of IDDEEA.
The Ministry of the Interior of Republika Srpska (MUP RS) stated in its press release: “Accordingly, the Agency has no authority to receive requests of the citizens in person and offer services to citizens in that way. By abusing its legal authority to assist the ministries of the interior in Bosnia and Herzegovina with technical support, it also jeopardises the protection of citizens’ personal information.”
The Law on the Agency for Identification Documents, Registers, and Data Exchange of Bosnia and Herzegovina precisely specifies the authorities of the IDDEEA and prohibits the possibility of subjective interpretation.
When it comes to the issuance of personal documents in Bosnia and Herzegovina, IDDEEA respects an obvious boundary and distinguishes authorities for the issuance of personal documents in Bosnia and Herzegovina; thus, neither of its procedures strays beyond the boundaries of the authorities assigned to it by the law. Furthermore, IDDEEA embraces no authority, not even those oriented towards offering services to physical entities.
Unclear and imprecise statements are made regarding the performance of work and services for physical entities, but if the allegations refer to the issuing of qualified electronic certificates for remote signing, we must also remind you of the official response and clarification of the competent Ministry of Communications and Transport of Bosnia and Herzegovina, available on the website:
In particular, we must point out the provisions of the current Law on Electronic Signatures of BiH, which stipulate that a qualified certificate is a certificate that contains information referred to in Article 6 of this Law and which was issued by a certification authority that meets the provisions of Article 8 of this Law. The certification authority is a physical or legal entity that issues certificates or time stamps or performs other services related to electronic signatures and authentication. A very important procedure in issuing qualified certificates is the identification of the person requesting the certificate. Based on this, the certification authority issuing qualified certificates is obliged to reliably verify the identity and, where applicable, any other significant legal characteristics of the person requesting the certificate. The provisions of Articles 15 and 16 of the Rulebook on detailed requirements for issuing certificates (Official Gazette of Bosnia and Herzegovina, 14/17) stipulate that the certification authority performs reliable identification and authentication of users for the issuance of a qualified certificate and maintains a register of certificates. An authorised officer of the certification authority carries out registration procedures. In the user registration process, the certification authority is obliged to ensure that:
- the user is identified as a physical entity with specific attributes that may indicate the organisational unit or role in the organisation where he is employed.
- the user is publicly informed in a clear and unambiguous manner about all relevant conditions for the use of qualified certificates before establishing a contractual relationship with the user;
- the identity of the physical entity in the registration procedure is verified by direct inspection of a valid identification document in the presence of the applicant.
Pursuant to Article 9 of the Law on Electronic Signature, the certification authority must accurately establish the identity and other necessary data of the physical entity requesting a qualified certificate, either by using an official identification document with a photo for a physical entity or properly certified documents for a legal entity. A request for a qualifying certificate can be made to a legal entity designated by the certification authority. This legal entity is required to authenticate the identity of the individual requesting a qualifying certificate.
IDDEEA is a certification authority registered in the register of certification authorities maintained by the Ministry of Communications and Transport of Bosnia and Herzegovina. Taking into account the above provisions of laws and regulations, verification of the identity of the applicant is carried out by an authorised officer of the certification authority or a legal entity authorised by the certification authority. Pursuant to the law, each certification authority is also required to develop General Terms and Conditions for Certification Services, which must necessarily have certain rules for the work of registration authorities/offices. Among other things, subject to the General Terms and Conditions for Certification Services of IDDEEA CA, which have been confirmed to be in compliance with the law by the Ministry of Communications and Transport of Bosnia and Herzegovina, the competent supervisory authority for implementation of the law, it is prescribed that the Registration Authority (RA) perform the following tasks for the IDDEEA CA:
- Verifying the identity of physical entities and other relevant data required for certificate management;
- Receiving application forms for issuing certificates,
- Issuing necessary documentation for users or future users,
- Delivery of request forms, requests, and other information in a secure manner to the IDDEEA CA.
The TSP of the IDDEEA CA can authorise other institutions as well as organisations from the business and public sectors, in addition to their RAs, to perform tasks that belong to the RA or other activities for which the TSP of the IDDEEA CA authorises them. The IDDEEA CA contractually obliges these institutions or organisations to meet strict security requirements in line with the applicable legislation, European regulations and international, European, and domestic standards, recommendations and rules, CPS, and internal rules of the IDDEEA CA.
IDDEEA CA has RAs geographically located throughout the country, which enables future physical entities to register easily. Information on RA locations is available on the website of the Trust Service Provider of IDDEEA CA.
centresConsequently, Registration authorities/offices where requests can be submitted were formed, and they are located at the headquarters of IDDEEA BiH in Banja Luka, then in the regional centers in Sarajevo, Bihać, Mostar, and Bijeljina.
Considering the above, we have already invited all interested competent authorities – MUPs, to express their interest and submit their requests to the IDDEEA regarding the opening of Registration authorities/offices in their organisational units, exclusively according to the rules listed above.
Finally, we emphasise that everyone knows that the competent supervisory authority for implementation of the Law on the Identity Card of Citizens of Bosnia and Herzegovina is the Ministry of Civil Affairs of Bosnia and Herzegovina, and the Ministry of Transport and Communications of Bosnia and Herzegovina for the Law on Electronic Signatures of Bosnia and Herzegovina. The IDDEEA is obliged to implement and enforce the applicable legislation until the contrary is foreseen or proven in any of the legal procedures.
IDDEEA BIH