2. |
  3. News
  4. |
  5. Digital Forensics, Artificial Intelligence,...
Digital Forensics, Artificial Intelligence, and Cybercrime in Bosnia and Herzegovina: Interview with Investigator Saša Petrović
October 08, 2025

The prosecution of cybercrime in Bosnia and Herzegovina remains hampered by a range of legal and institutional barriers. Overlapping jurisdictions, an inconsistent legal framework, the lack of clear regulation on cryptocurrencies, and the growing misuse of artificial intelligence pose serious challenges for the justice system.

We discussed these issues with Saša Petrović, Head of the Cybercrime Department at the Federal Police Administration and a digital forensics expert, following a professional forum of the BiH Court College in Neum. The event brought together judges, legal officers, and experts to address current challenges and trends in criminal law.

Bosnia and Herzegovina is the only country in Southeast Europe without a national cybersecurity strategy or a national CERT team. Experts also warn that the misuse of new technologies—from cryptocurrencies and encryption to the management of digital evidence—presents one of the biggest challenges for the rule of law, while international cooperation in this area remains slow due to complex procedures. What gaps in legislation or practice currently make it most difficult to prosecute cybercrime? What are the differences between entity and state levels, and where do you see room for improvement?

Saša Petrović: Cybercrime offences are criminalised in the entity criminal codes and in the Criminal Code of the Brčko District. In the Federation of BiH, these offences are defined under Chapter XXXII of the Criminal Code — “Criminal Offences Against Computer Data Processing Systems.” However, the state-level Criminal Code of BiH does not include these offences, which means that the BiH Prosecutor’s Office, the BiH Court, and state-level police agencies have no jurisdiction, nor specialised departments or investigators dedicated to this type of case. There are, however, specific instances where cybercrime is linked to other offences under the jurisdiction of the BiH Prosecutor’s Office — in those cases, based on legal provisions, the BiH Court and Prosecutor’s Office can assume jurisdiction.

Current criminal legislation is aligned with the European Convention on Cybercrime. Following the most recent amendments to the Federation’s Criminal Code, which entered into force in August this year, there are no major legal gaps that prevent prosecutors and police from investigating these offences — except in relation to the use of cryptocurrencies as a means of payment. The value of cryptocurrencies is not clearly defined, nor are there established procedures for their seizure, storage, or disposal. According to available information, certain initiatives to amend the relevant legislation are already underway.

There is also a gap in how digital evidence is identified, temporarily seized, stored, presented, and protected during proceedings. For example, there is a need for the use of hash control and verification algorithms to ensure evidence integrity, and for clear standard operating procedures covering seizure, transport, storage, examination, and presentation of digital evidence. This lack of definition leaves significant room for debate and leads to “instability” of evidence in criminal or civil proceedings.

Cryptocurrencies are increasingly used in criminal activities in Bosnia and Herzegovina, particularly in money laundering and the financing of illegal operations. While investigations and asset freezes are already taking place, the legal framework remains incomplete—from how cryptocurrencies are identified and temporarily seized to how they are managed. It is estimated that the value of virtual assets on the market stands at around two billion BAM, with little regulatory oversight, highlighting the scale of risk faced by institutions. When it comes to cryptocurrencies, what are the biggest challenges within the justice system?

Saša Petrović: In practice, we are seeing cryptocurrencies used for criminal purposes. However, their legal treatment is not clearly defined under current law, which leaves room for varying interpretations. A particular problem is the lack of clear procedures for temporary seizure, confiscation, storage, and the possible return of seized assets. As a result, everything that is not explicitly prohibited by law is effectively allowed.

Technology-facilitated violence against women in Bosnia and Herzegovina has been recognised, but it is still not systematically regulated. The Council of Europe has pointed to the need to align domestic legislation with international standards — particularly the Istanbul Convention and GREVIO recommendations — which includes adopting legal provisions that precisely regulate the collection and use of digital evidence in such cases. How well are cases of technology-facilitated gender-based violence — such as blackmail or sharing intimate content without consent — recognised in BiH, and how do courts handle them?

Saša Petrović: First of all, I believe that the courts generally do a good job. However, I am personally not satisfied with how some individuals in the police–prosecution chain handle these cases. It is important to note that recent amendments to the Criminal Code have significantly improved the ability of police and prosecutors to work on such cases, which used to be extremely difficult, and in some situations, nearly impossible.

The most frequent targets of cyberattacks in Bosnia and Herzegovina are the judiciary, energy, and healthcare sectors, with consequences including operational disruptions, data leaks, and financial losses. The lack of a national CERT and unified cybersecurity strategy continues to hinder coordination and international cooperation. How frequent and serious are cyberattacks on institutions and infrastructure in BiH, and how well do courts understand the complexity of these cases?

Saša Petrović: Given the segmented nature of our critical infrastructure, as well as our broader environment and budget limitations, I can say that the professionals maintaining these systems are doing an excellent job. Cyberattacks have occurred and will continue to occur, but not at a scale that should be considered alarming. I can also confirm that the courts recognise the seriousness of this issue, and we have not experienced any delays or rejection of our or prosecutors’ requests, provided that they are well-substantiated and in accordance with the law.

Misuse of artificial intelligence — including deepfake content that imitates someone’s likeness or voice — is becoming increasingly common across the region. Denmark recently proposed treating one’s image and voice as personal intellectual property, allowing for faster removal of such content and compensation for damages, while placing obligations on digital platforms. Similar models could guide future legal reforms in the Western Balkans. How prepared is the judiciary to handle cases involving AI misuse, and are legal amendments needed in line with European standards?

Saša Petrović: As of 9 August 2025, amendments to the Federation’s Criminal Code have come into force, clearly defining this area. I believe we will not face major issues in investigating cases involving image manipulation, revenge pornography, or similar forms of abuse. Prosecutors and investigators are now fully empowered to document and prosecute crimes committed through the misuse of artificial intelligence.

Why Asset Recovery Is Central to the Berlin Process

Why Asset Recovery Is Central to the Berlin Process

Illicit financial flows in the Western Balkans are estimated at around six per cent of the region’s GDP — billions of euros each year that should be funding schools, hospitals and infrastructure. Beyond the numbers, this loss erodes public trust, strengthens organised...