Legal alignment with the EU AI Act in Bosnia and Herzegovina: Balancing Innovation and Human Rights

Artificial intelligence is no longer an abstract concept, a futuristic idea, or a buzzword. As it becomes embedded in everyday life, the question is no longer whether we regulate but rather how fast and how well we do it.

As the countries of the Western Balkans move closer to EU membership, aligning national legislation with the EU Artificial Intelligence Act (EU AI Act)¹ is not just one more procedural step in the accession process. It is a legal obligation, a regulatory challenge, and a unique opportunity to modernize governance and increase public trust in digital transformation. 

Like other candidate countries, Bosnia and Herzegovina (BiH) must fully align its laws, institutions, and procedures with this Regulation. However, given the complexity and significance of the EU AI Act, legal harmonization will not simply entail adopting new laws. It also requires a fundamental restructuring of how a country governs technology, protects rights, and supports innovation.

This article will therefore assess the scope and content of the EU AI Act, identify institutional challenges specific to Bosnia and Herzegovina, and propose a roadmap for aligning legislation in BiH and institutional practices with EU requirements.

Understanding the EU AI Act: Complexity, purpose, and legal implications

The EU AI Act, adopted in 2024,² is the world’s first comprehensive legislation to regulate artificial intelligence. Its goal is both ambitious and clear: to find a balance between promoting trustworthy AI and protecting fundamental rights.³

What makes the AI Act distinct is its risk-based approach, meaning that AI systems that pose a high risk to individual rights will face stricter regulation.⁴ AI systems that pose unacceptable risks are completely banned. For example, AI that public authorities can use to score people’s social behavior or biometric surveillance in public spaces.⁵ High-risk AI systems, such as those used in employment, education, migration, policing, or access to public services, must meet a strict set of obligations. These include human oversight,⁶ documentation,⁷ conformity assessment,⁸ and post-market monitoring.⁹ Limited-risk AI systems must ensure transparency by informing users when interacting with AI (e.g. chatbots)¹⁰ while minimal-risk AI (e.g. spam filters) has no additional legal requirements.¹¹

The EU AI Act also complements the GDPR¹² by reinforcing safeguards for personal data processed within AI systems. For example, any AI system handling personal data must comply with key GDPR principles, namely, lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. In the context of AI, this entails the following: AI systems must clearly inform users when and how their data is processed, ensuring that the processing is lawful and fair; data must be used strictly for clearly defined purposes; personal data processing must be limited to what is strictly necessary; AI-driven decisions should rely on accurate and up-to-date data; personal data must not be stored longer than necessary; processing must be secure and protected against unauthorized access; and providers and users must be able to demonstrate GDPR compliance through clear records and procedures.

This layered structure reflects the Act’s complexity. The AI Act regulates how AI systems work, what they do, and how they are made. It introduces an entirely new regulatory system, including conformity assessments, notified bodies, monitoring mechanisms, and new roles for market surveillance authorities. The fact that it will be enforced over a number of years reflects not only its legal and technical complexity, but also the need to allow time for institutional adaptation, capacity-building, and regulatory harmonization across diverse national contexts. This structured timeline offers candidate countries like BiH a roadmap to gradually align its systems with EU law, while also highlighting the scale and urgency of the task, one that demands sustained commitment and strategic planning.

Its significance, however, does not stop at the EU’s borders. Like the GDPR, the AI Act has an extraterritorial reach: under Article 2 it applies to providers and deployers outside the Union whenever the output of their AI systems is used in the EU or affects EU residents. This “Brussels effect”¹³ turns the Regulation into a de facto global benchmark, where companies worldwide must meet its standards if they wish to access the EU market or handle EU-related data flows. Lawmakers from Canada to Brazil are already citing the Act’s risk-based model when drafting their own AI rules, underscoring the EU’s role as a pace-setter in trustworthy, rights-based AI governance.¹⁴

The significance of legal alignment with EU AI Act for Bosnia and Herzegovina

For BiH, legal harmonization with the AI Act is not optional. Moreover, the European Commission regularly assesses BiH on its capacity and dynamic to transpose and implement EU acquis. However, beyond formal compliance, legal alignment with the AI Act is essential for the country’s governance, economy, and citizens. By balancing innovation with fundamental-rights protection, the AI Act offers a clear, transparent framework for managing data, algorithms, and critical infrastructure, while giving BiH companies unrestricted access to the EU single market and funding programmes. Ultimately, adopting the AI Act is far more than a box-ticking exercise for accession. It is a strategic choice that allows BiH to shape its digital future on its own terms.

First and foremost, fundamental rights must be protected in the digital age. AI technologies, if left unregulated, could amplify structural inequalities. Legal alignment offers safeguards against such risks.

Second, there are clear economic incentives. The AI Act has extraterritorial scope, meaning that non-EU companies, including those in BiH, must comply if they want to market AI products or services in the EU.¹⁵ For BiH’s expanding tech sector, alignment is essential to remain competitive, secure investments, and access the EU single market.

Third, the process of aligning with such a complex and ambitious Regulation increases institutional credibility. It demonstrates BiH’s capacity to enforce EU law, safeguard its citizens, and responsibly support innovation. 

What does legal alignment involve?

Legal harmonization with the AI Act is not just about copying and pasting a Regulation into domestic law. It requires an effective implementation meaning a comprehensive transformation of the legal and institutional landscape. This involves:

• Legislation reform: BiH must draft and adopt domestic AI legislation or sectoral laws that reflect the core obligations of the AI Act. These laws must define AI, categorize AI systems by risk level, prohibit dangerous practices, and introduce oversight responsibilities.  This means that BiH AI legislation will have to transpose EU Act’s definition and scope, the same risk classification, list of prohibited AI practices and equivalent obligations for high-risk systems.
• Institutional infrastructure: The AI Act requires the designation of supervisory authority, establishment or accreditations of notified bodies for conformity assessment.¹⁶
• CE marking:¹⁷ Any domestic company targeting the EU market must comply with the AI Act’s technical and legal requirements and go through a conformity assessment process. Without this, products and services cannot enter the EU market.
• Creating an AI register: To better comply with the AI Act’s requirements, BiH can map and register all AI systems used in important sectors. These systems can be then categorized since each category carries distinct legal obligations.
• Horizontal legal harmonization: Legal alignment must ensure consistency with existing laws, such as data protection, non-discrimination, consumer protection, and access to justice. For example, antidiscrimination legislation needs to be amended to clarify that algorithmic discrimination is also unlawful.
• Capacity building: All relevant stakeholders such as public administration, regulators, judges, lawyers, companies, civil society actors, etc. must be explained on AI risk categories, algorithmic discrimination, explainability standards, and transparency requirements.¹⁸
• Public awareness and participation: The AI Act promotes a human-centric approach to AI governance. It calls for transparency, consultation, and civic participation. 

The challenges of Bosnia and Herzegovina’s alignment with the EU AI Act

Aligning with the EU AI Act presents Bosnia and Herzegovina not only with legal obligations, but with significant structural and institutional challenges that can directly impact its institutions, businesses, and citizens.

At the institutional level, BiH’s complex and fragmented governance system makes the creation of a unified AI legal framework challenging. Responsibilities are divided among state, entity, and cantonal levels, meaning that any comprehensive, country- wide policy on AI will require intensive coordination and political will. A practical step could be establishing a state-level AI coordination task force to ensure legal clarity and regulatory coherence.

The issue of regulatory capacity is equally challenging. Bosnia and Herzegovina lacks a comprehensive legal or regulatory framework tailored to artificial intelligence, meaning that no specific legislation currently governs the use of AI systems. Moreover, no comprehensive assessment has been conducted to evaluate whether public institutions possess the necessary tools, expertise, or infrastructure to assess AI systems, audit algorithms, or ensure compliance with the obligations set out by the EU AI Act, particularly in sensitive sectors such as healthcare, policing, or social services. Without strategic investment in institutional capacity and oversight mechanisms, legal alignment risks remain largely formal  and ineffective in practice.

The private sector faces its challenges. Small and medium-sized enterprises form the backbone of BiH’s economy, and many of them will face a lack of the capacity to meet the Act’s detailed requirements on documentation, transparency, and human oversight.¹⁹ Without targeted support, compliance risks becoming a barrier to innovation, particularly for startups aiming to export AI products to the EU market, where CE marking and conformity assessments are mandatory.²⁰

Non-compliance could also lead to violations of individual rights and legal accountability for public authorities using AI in services such as social protection or border control.²¹ For healthcare providers, using AI tools will require clear evidence that systems are safe, unbiased, and explainable and that patients are informed and protected.

Importantly, citizens in BiH will gain new rights once the AI Act is applied. They must be informed when AI is used in decisions that affect them and have the right to challenge those decisions and request a human review. 

To meet these challenges, BiH must take early and strategic steps, starting with mapping existing AI use, drafting AI-specific legislation, building institutional capacity, and involving the public in shaping an inclusive and transparent AI governance framework.

First strategic steps: A roadmap for BiH

The complexity and staged implementation of the EU AI Act offer Bosnia and Herzegovina an opportunity for gradual alignment. This moment calls for strategic planning and pragmatic action, starting with the basics.

First, it might be helpful for the country to conduct a mapping of AI systems currently in use across public administration and key economic sectors in BiH.²² This will help identify not only where AI is used, but also the level of risk it presents, and whether those systems are compliant with principles of fairness and transparency. Without this step, legal alignment will be built on uncertain ground.

Next, BiH should begin with drafting legislation. It may start with a more focused scope, however, the law has to lay the ground for a broader regulatory framework requested by the EU AI Act.  

Another important step is appointing a central coordination body for AI governance. This body should have a clear mandate, sufficient resources, and the authority to coordinate horizontally across government and vertically with entity and cantonal counterparts.

Training and capacity building must also begin as soon as possible. The legal, technical, and ethical dimensions of AI systems need to be understood by a wide spectrum of relevant stakeholders such as  judges, regulators, civil servants, and business leaders. Civil society organizations and journalists should also be knowledgeable to monitor AI deployment and advocate for accountable governance.

Lastly, public engagement must not be overlooked. Engaging citizens, researchers, academia, and industry in the development of a comprehensive AI strategy will ensure that the resulting framework is not only legally sound but also socially legitimate.

Regional lessons: Learning from neighbors

Bosnia and Herzegovina is not navigating this regulatory terrain alone. Other countries in the region offer instructive examples, both positive and cautionary.

Serbia, for example, has emerged as a regional frontrunner.  It made significant progress towards responsible AI governance with its current AI strategy (2025–2030),²³ an expected AI law, and significant investment in AI infrastructure, including a national supercomputer.²⁴ In Montenegro the first AI readiness assessment report for public administration has been presented that will also serve as a foundation for Montenegro’s first national AI Strategy.²⁵ In contrast, North Macedonia has made only high-level political commitments and despite the initiative to create a National strategy for AI in 2021., to this date the country has not adopted a specific AI law or formal strategy.²⁶ Kosovo, meanwhile, remains at an even earlier stage, with no dedicated AI framework.²⁷

Bosnia and Herzegovina can draw lessons from these examples. How it positions itself in this evolving regional landscape will shape its capacity to regulate and use AI responsibly as well as to become and stay  a relevant partner in future digital integration processes.

Conclusion: A strategic choice for BiH’s digital future

The EU AI Act is more than a technical regulation, it is a test of a country’s readiness to govern new and emerging technologies in a way that respects human dignity, democratic accountability, and innovation. For Bosnia and Herzegovina, aligning with this Regulation is not just a legal necessity in the EU accession path, it is also a strategic choice about the kind of digital society the country wants to build.

However, legal alignment must go hand in hand with institutional reform, capacity building, and civic engagement. AI is not a distant future.  It is already here, shaping and influencing processes about employment, health, security, and finance. If BiH wants to ensure that these processes remain fair, transparent, and rights-based, now is the time to act.

1. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the “Artificial Intelligence Act”), Official Journal L1689, 12 July 2024; Full text available via EUR-Lex: http://data.europa.eu/eli/reg/2024/1689/oj.
2. Entering into full effect by August 2027. The bans on prohibited AI systems and the requirements related to AI literacy started to apply in February 2025. By August 2026, all obligations concerning high-risk AI systems will come into effect. And finally, by August 2027, full compliance with the AI Act will be mandatory for all providers and users of AI systems covered by the Regulation.
3. OECD (2024), “OECD Framework for the Classification of AI Systems”, Available at: https://www.oecd.org/en/publications/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en.html  (Accessed 20 June 2025)
4. Data Protection People. The EU AI Act: What You Need to Know. Available at: https://dataprotectionpeople.com/resource-centre/the-eu-ai-act/#:~:text=The%20EU%20AI%20Act%20is,are%20transparent%2C%20secure%2C%20and%20accountable  (Accessed18 June 2025)
5. Regulation (EU) 2024/1689, Article 5(1)(c)-(d).
6. Regulation (EU) 2024/1689, Article 14.
7. Regulation (EU) 2024/1689, Article 11.
8. Regulation (EU) 2024/1689, Article 43.
9. Regulation (EU) 2024/1689, Article 61.
10. Regulation (EU) 2024/1689, Article 52(1).
11. Regulation (EU) 2024/1689, Articles 4 and 6 (implicitly, as minimal-risk systems fall outside the defined scope of higher-risk categories).
12. The General Data Protection Regulation (GDPR), the EU’s main data protection law, formally known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) Official Journal L 119, 4.5.2016, pp. 1–88; Full text available via EUR-Lex: http://data.europa.eu/eli/reg/2016/679/oj.The GDPR establishes comprehensive rules for processing personal data, imposing strict requirements on how organizations collect, store, and use such data. It ensures that individuals have control over their personal information and that data processing is transparent, fair, and secure.
13. Anu Bradford, “The Brussels Effect,” Northwestern University Law Review 107(1) (2012), 1-68, Available at: https://scholarlycommons.law.northwestern.edu/nulr/vol107/iss1/1/ (Accessed 25  July 2025).
14. See: Government of Canada, Companion document to the Artificial Intelligence and Data Act (AIDA),Availableat:https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act-aida-companion-document; Chambers & Partners, Artificial Intelligence 2025-Brazil: Trends and Developments (22 May 2025), Available at:https://practiceguides.chambers.com/practice-guides/artificial-intelligence-2025/brazil/trends-and-developments.
15. Regulation (EU) 2024/1689 of the European Parliament and of the Council, Preambule, recital 21 and 22, Official Journal L 1689, 12 July 2024, Available at: http://data.europa.eu/eli/reg/2024/1689/oj (Accessed 18 June 2025).
16. EU AI Act Resource Center, EU AI Act  – Article 43: Technical Documentation & Notified Body Involvement. Available at: https://securiti.ai/eu-ai-act/article-43/#:~:text=and%20the%20Technical%20Documentation%20with,Involvement%20of%20a%20Notified%20Body (Accessed on 1 June 2025)
17. CE marking (“Conformité Européenne”) is the symbol manufacturers must affix to a product to certify that it meets all relevant EU safety, health and environmental requirements and can circulate freely throughout the European Economic Area. See: European Commission, CE marking-Internal Market, Industry, Entrepreneurship and SMEs. Available at: https://single-market-economy.ec.europa.eu/single-market/goods/ce-marking_en.Under Article 48. of the EU AI Act, every high-risk AI system must have  a physical or digital CE mark, visible, legible and (for software) easily accessible, to certify it has passed the Regulation’s required conformity assessment and documentation checks. See: https://artificialintelligenceact.eu/article/48/
18. The EU has set early deadlines for AI literacy initiatives meaning that member states needed to start rolling out awareness programs by February 2025.
19. ACT online. The EU’s AI Act Unpacked: What’s in It for SMEs? 10 July 2024. Available at: https://actonline.org/2024/07/10/the-eus-ai-act-unpacked-whats-in-it-for-smes/#:~:text=The%20EU%27s%20AI%20Act%20Unpacked%3A,We%20view%20these%20measures (Accessed 20 June 2025).
20. The European Commission has recognized that startups and SMEs may find the stringent requirements of the EU AI Act difficult to comply with. Therefore EC is through several initiatives trying to lessen the regulatory burden. These consist of financial aid through initiatives like Horizon Europe, more flexible application of the law for SMEs, regulatory sandboxes, and technical support via digital innovation hubs. These steps are intended to promote innovation while maintaining security and safeguarding fundamental rights. See European Commission, May 2025, The EU Startup and Scaleup Strategy, Available at: https://research-and-innovation.ec.europa.eu/strategy/strategy-research-and-innovation/jobs-and-economy/eu-startup-and-scaleup-strategy_en (Accessed 5 June 2025).
21. For example, if a social service institution deploys an AI system to allocate welfare benefits, and it is not compliant, and that may mean that has bias, people can be unfairly denied aid which will lead to discrimination and due process. Under the AI Act that system would need thorough risk assessments and human oversight, and individuals would have the right to contest decisions.
22. Mapping of AI systems has not be explicitly demanded by the AI Act however it is strongly advisable step. However, in Article 71. of the AI Act is enviseg establishment of  an EU-wide database where providers must register high-risk AI systems before deployment.
23. Government of the Republic of Serbia. “Serbia and Artificial Intelligence.” Official website of the Government of Serbia. Available at: https://www.srbija.gov.rs/tekst/437277 (Accessed 20 June 2025).
24. United Nations Development Programme (UNDP) Serbia. “Artificial intelligence has potential to accelerate human development.” News release. Available at: https://www.undp.org/serbia/news/artificial-intelligence-has-potential-accelerate-human-development#:~:text=technological%20challenges%20for%20all%20of,the%20foundation%20of%20this%20platform (Accessed 18 June 2025).
25. United Nations Development Programme (UNDP) Montenegro. “Montenegro Presents Its First AI Readiness Assessment Report for Public Administration.” Press release. Available at: https://www.undp.org/montenegro/press-releases/montenegro-presents-its-first-ai-readiness-assessment-report-public-administration (Accessed 20 June 2025).
26. The status and future prospects of AI regulation and development in North Macedonia, See more: https://www.schoenherr.eu/content/the-status-and-future-prospects-of-ai-regulation-and-development-in-north-macedonia. (Accessed 20 June 2025).
27. Institute for Technology and Society, The Effects of Artificial Intelligence on Human Rights: Kosovo Case (Western Balkans Fund, Nov. 2024), p. 6. Available at: https://westernbalkansfund.org/wp-content/uploads/2024/12/ITS-The-Effects-of-Artificial-Intelligence-on-Human-Rights-Final-EN.pdf (Accessed 20 July 2025).