e-Government Assessment in Republika Srpska RAPID ASSESSMENT RESULTS April, 2023 © 2023 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, inter- pretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, proce- sses, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages disseminati- on of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202- 522-2625; e-mail: pubrights@worldbank.org. Contents Table of figures............................................................................................................................................................................ 4 Acknowledgements................................................................................................................................................................... 5 Acronyms and Abbreviations................................................................................................................................................. 6 Executive Summary................................................................................................................................................................... 7 1. Introduction......................................................................................................................................................................... 15 2. Methodology....................................................................................................................................................................... 17 3. As-is State of Digital Government in the RS............................................................................................................ 18 3.1 Policy and Strategy to Drive e-Government Development............................................................................ 21 3.2 A Conducive Legal and Regulatory Environment for e-government Development............................... 23 3.2.1 Existing Laws Enabling e-Government in RS............................................................................................ 25 3.3 Institutional Framework and Coordination for Whole-of-Government Reform...................................... 32 3.4 ICT and e-Government Infrastructure to Facilitate Integrated Service Delivery..................................... 34 3.4.1 The e-Srpska e-Government and e-Service Portal.................................................................................. 34 3.4.2 Electronic Registries.......................................................................................................................................... 38 3.4.3 E-delivery and e-mailbox................................................................................................................................. 39 3.4.4 E-payment............................................................................................................................................................ 40 3.4.5 Interoperability Infrastructure to Facilitate Data Exchange and Integrated Service Delivery..... 41 3.4.6 Identity Management and Public Key Infrastructure in the RS............................................................ 45 3.4.7 Data Center Infrastructure............................................................................................................................... 49 3.4.8 Security of ICT Infrastructure.......................................................................................................................... 51 3.5 Resource Management for a Sustainable Digital Transformation............................................................... 51 3.5.1 Human Resources.............................................................................................................................................. 52 3.5.2 Financial Resources........................................................................................................................................... 58 4. Recommendations............................................................................................................................................................ 62 1/ Develop a long-term whole-of-government digital transformation strategy............................................. 63 2/ Strengthen the Legal and Regulatory Framework for Digital Government................................................ 63 3/ Strengthen the Institutional Framework for Whole-of-Government Coordination.................................. 65 4/ Develop ICT Infrastructure for Integrated e-Service Delivery......................................................................... 67 4/1 Focus on e-Srpska Functionalities.................................................................................................................... 67 4/2 Adopt a User-Centric Approach to e-services Design and Delivery..................................................... 68 4/3 Achieve Whole-of-Government Interoperability......................................................................................... 70 4/4 Data Storage, Backup and Recovery............................................................................................................... 71 5/Strengthen Key Capacities to Implement, Monitor and Report on Modernization.................................... 72 Annexes..................................................................................................................................................................................... 76 Annex 1: Alignment of the Law on Electronic Signature to the EU eIDAS...................................................... 76 Annex 2: G2C, G2B and G2G Services....................................................................................................................... 80 Annex 3: Shared services provided by the Government Data Center............................................................... 87 Annex 4: References......................................................................................................................................................... 88 4 E-government Assessment in Republika Srpska Table of figures Figure 1: UN E-Government Index Online Service Index 2022................................................................................ 18 Figure 2: GTMI Overview...................................................................................................................................................... 19 Figure 3: GTMI Components................................................................................................................................................ 19 Figure 4: Organigram of the MNRVOID........................................................................................................................... 32 Figure 5: Example Service to-be Map with Simplification.......................................................................................... 37 Figure 6: Overview of Public Key Infrastructure............................................................................................................ 46 Figure 7: European Digital Competence Framework (DigComp 2.2) .................................................................... 56 E-government Assessment in Republika Srpska 5 Acknowledgements This assessment report has been developed by the World Bank Governance Team led by Shiho Nagaki, Senior Public Sector Specialist, and Zuhra Osmanovic-Pasic, Senior Governance Specialist. The assessment was co-authored by Kimberly Johns, Senior Public Sector Specialist, Esmin Ber- hamovic, Public Sector Specialist (Consultant), Sabina Dapo Public Sector Specialist (Consultant), Vikram Menon, Senior Public Sector Specialist, Mogens Rom Andersen, Public Sector Specialist (Consultant), Wouter van Acker, Public Sector Specialist (Consultant), and Boris Vasko, Public Se- ctor Specialist (Consultant). Overall guidance for the report was provided by Christopher Sheldon, Country Manager, and Fabian Seiderer, Practice Manager. The team is grateful for additional gui- dance from the peer reviewers: Tiago Peixoto, Senior Governance Specialist, Constantin Rusu, Se- nior Public Sector Specialist, and Silvana Kostenbaum, Senior Public Sector Specialist. 6 E-government Assessment in Republika Srpska Acronyms and Abbreviations API Application Program Interface APIF Agency for Intermediary and Information Services APS Australian Public Service BiH Bosnia and Hercegovina BPM Business Processing Modeling BPR Business Process Re-engineering CA Certificate Authority CERT Computer Emergency Response Team CIA Confidentiality, Integrity, and Availability COM Council of Ministers DMS Document Management System EC European Commission EGDI e-Government Development Index eIDAS Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market EIF European Interoperability Framework ESB Enterprise Service Bus EU European Union FBiH Federation of Bosnia and Hercegovina GAPA Law on General Administrative Procedure GCI Global Cybersecurity Index GDPR General Data Protection Regulation G2B Government to Business G2C Government to Citizen G2P Government to Person GSB Government Service Bus GTMI GovTech Maturity Index HRM Human Resource Management IAP Identification and Authentication Platform ICT Information and Communication Technologies IIS Interoperability Information System IT Information Technology KPI Key Performance Indicator MDAs Ministries, Departments and Agencies MNRVOID Ministry of Scientific and Technological Development, Higher Education and Information Society MoI Ministry of Interior MPALSG Ministry of Public Administration and Local Self-Government NIS Network and Information System OECD Organisation for Economic Co-operation and Development OSI Online Service Index P2G Person to Government PAR Public Administration Reform PII Personally Identifiable Information PKI Public Key Infrastructure PMO Project Management Office PPL Public Procurement Law PSD Payment Services Directive PSI Public Sector Information RS Republika Srpska RUGIP Administration for Geodetic and Property-Legal Affairs SDGR Single Digital Gateway Regulation SOA Service-Oriented Architecture UK United Kingdom WAN Wide-Area Network WMS Workflow Management System E-government Assessment in Republika Srpska 7 Executive Summary Digitization of the public administration is among the five reform pillars of the Republika Srpska (RS) Government. There is significant interest in further developing the digital government in the RS to meet public sector reform objectives, including improving public service delivery. The RS aims to promote a user-oriented administration, which is focused on providing efficient services to all. Digitization is noted as a continuation of public administration reform, and it is seen as a primary way to improve public sector performance. Alongside the efforts of the RS to modernize its public administration, Bosnia and Herzegovina (BiH) is implementing an ambitious state-building agenda, driven partly by the aspiration for mem- bership to the European Union (EU). Together with the rule of law and e-governance, public admini- stration reform, including service delivery, is one of the main pillars of the EU Enlargement Agenda.1 Thus, reform efforts should be aligned with EU standards to ensure longer term sustainability. The government’s transition to integrated digital solutions offers opportunities for improving productivity, efficiency, effectiveness, responsiveness, and trust in government. One of the key challenges is to integrate digital governance strategies into public sector modernization efforts to create a data-driven (digital) culture in the public sector to achieve these aims. In addition, the co- ordination of ongoing parallel reform activities is crucial to maximizing the benefits of investments in large-scale information and communication technologies (ICT) and encourage the use of shared platforms for cost-effective delivery and sustainability of government systems and e-services. This report, which is funded by the EU under the Support to Public Sector Management Re- form Project in BiH, presents an assessment of e-services and key enablers that underpin an efficient and user-centric digital government in the RS, including recommendations for further development. The assessment was conducted at the request of and in close collaboration with the RS Ministry of Scientific and Technological Development, Higher Education and Information Society (MNRVOID). The report is meant to inform the RS Government’s future reform plans in the area of digitization. This assessment is based on multiple methods, combining semi-structured interviews and desk research. The primary methodology was semi-structured, and it included qualitative interviews with high-level decision-makers and technical experts in key government agencies, ministries and donor partners. The desk review examined existing laws and regulations at the RS, BiH and EU levels to identify gaps and opportunities to strengthen the current enabling environment. The as- sessment focuses on five key components: (i) strategies and policies, (ii) laws and regulations, (iii) institutions and coordination, (iv) ICT and e-government infrastructure, and (v) capacity and reso- urces. Taken together, these five components underpin the enabling environment for integrated e-service delivery in the RS. The components also align to those measured using other tools such as the Digital Government Readiness Assessment. However, this analysis provides a more in-depth examination of specific aspects, including the infrastructure and alignment of legal and regulatory instruments with the European Union requirements. 1 http://mei-ks.net/repository/docs/20180206143311_strategjia_e_zgjerimit_e_be-se_2018_eng.pdf. 8 E-government Assessment in Republika Srpska KEY FINDINGS AND RECOMMENDATIONS: STRATEGY AND POLICY TO DRIVE E-GOVERNMENT DEVELOPMENT  Digitization of public administration is recognized as one of the RS Government’s priorities. In March 2020, the RS Government adopted the Strategy for the Development of e-government in the RS for 2019-2022 (e-governance strategy). The strategy is a key document for normative, technolo- gical and personnel modernization of the electronic public administration system in the RS. As part of the 2019-2022 Joint Socio-Economic Reforms Program, the RS Government committed to the improvements to the digital eco-system and the digital transformation to release the potential of in- formation technologies to spur innovation and growth. The RS has a strategy and vision for the development of e-government, but it can be updated. The strategy provides the medium-term strategic direction and guidance for policy makers and administrators to move toward citizen-centric e-government services. It prioritizes establishing the missing building blocks (such as digital services infrastructure) and enablers that have been identi- fied as key obstacles to the design and implementation of the integrated citizen-centric e-services. The strategy has increased the political will of institutions and business entities to support digitiza- tion, a key driver of reform success. Develop a long-term, whole-of-government digital transformation strategy to provide the vision for the digital government to guide the process of modernization and migration to digital service deli- very. While the RS is working in tandem on a sectoral strategy, creating a new strategy or updating the existing strategy is necessary to accommodate new technologies and a whole of government approach. A whole of government approach promotes systems thinking and focuses on development of integrated approaches for policymaking and service delivery. The coordination is necessary to reduce fragmentati- on and silos, but can be complex, needing organizational incentives, skills, and capacities to realize. The new long-term strategy would set the tone for the next phase of reforms. The strategy should consider the overall objectives of the RS government. As such, it should outline the plans to overcome key challenges. This strategy would be accompanied by a time-bound and costed action plan with key performance indicators to manage, monitor and report on implementation. This stra- tegy would also serve as a roadmap for the future reform agenda and resource planning.   KEY FINDINGS AND RECOMMENDATIONS: LEGAL AND REGULATORY ENVIRONMENT FOR E-GOVERNMENT DEVELOPMENT In accordance with constitutional arrangements of Bosnia and Herzegovina, state and entity gover- nment levels have competences to enact laws to enable digital transformation of the public service delivery at their respective levels. Given the aims of BiH to join the European Union, reforms are needed at the entity and central level to become compliant with relevant EU policies and ensure that services pro- vided online have the same legal standing as those obtained through other means, such as face to face. The RS has achieved significant progress in establishing the legal and regulatory framework for digital transformation that forms the basis for further e-government development. A number of important laws are in place to enable digital government, including the Law on General Administra- tive Procedures, the Law on Electronic Signature, the Law on Electronic Document, the Law on Ar- chival Activities and the Law on Electronic Doing Business. Some still need further alignment with the respective EU regulations and directives to enforce principles of the European Interoperability Framework 2.0, launched in 2017. E-government Assessment in Republika Srpska 9 In 2020, activities were undertaken to improve the existing strategic and legal framework for infor- mation security in the RS. The MNRVOID is currently working on a draft Information Security Strategy, as well as a draft of a new Law on Information Security. The aim is to harmonize it with the Network and Information System (NIS) Directives, as well as other EU regulations in the field of information security. It is recommended that the RS examine and define additional gaps in specific legislation on digi- tal governance, adhering to the distinct state-level legislative frameworks, to the extent they exist, and EU requirements to enable longer term compatibility. This includes legal and regulatory mecha- nisms that mandate the use of the Government Service Bus (GSB), amending the digital signature law, the data protection law, the information/cyber security law, e-payments and accessibility. Additional work is needed at the BiH level to ensure compliance with EU requirements and ena- ble further advancement of digital government. Specific examples include harmonizing the BiH Law on protection of personal data with the GDPR, the development of an electronic communicati- ons and electronic media law, and to adopt a law on electronic identity and trust services. Additional work is needed on cybersecurity such as the adoption of law on critical infrastructure at the level of Bosnia and Herzegovina to establish an effective framework for information security management and mechanisms to monitor and respond to to cyber security incidents that aligned with EU aquis (the NIS Directives and the Critical Infrastructure Directive). KEY FINDINGS AND RECOMMENDATIONS: INSTITUTIONAL COORDINATION FOR WHOLE OF GOVERNMENT REFORM Strong institutional coordination is one of the enablers of successful digital government reforms. Leadership, political commitment, capacities and incentives are also key drivers to achieving a whole of government approach to digital government. In countries with advanced digital government such as Singapore, South Korea, Denmark, and many EU countries utilize an approach of a single entity responsible for implementing digitization reforms, and playing a coordinating role across government bodies, both horizontally across ministries, but also vertically across levels of government. Given the complex governance arrangements of Bosnia and Herzegovina, the assessment focused on the institutional organization of the Republika Srpska entity only. An institution responsible for implementing the strategy has been established. In December 2018, the Government of the RS adopted a decision to establish a new ministry, the MNRVOID, which succeeded the previous Agency for Information Society. The Government made it responsi- ble for establishing and developing effective systems of e-governance through the implementation of the e-governance strategy. Despite the operationalization of the MNRVOID to implement e-government, in practice, coor- dination across different government institutions is fragmented. Individual central government institutions are supported by their own IT staff or units. There is a lack of a whole-of-govern- ment coordination to support e-service development. The ICT units in most of the public admi- nistration institutions2 are relatively small. As such, they tend to work in silos, rarely exchanging resources, or knowledge and information with others. Most institutions have their own systems that support their business processes that can act as a basis for the development of integra- 2 Except the RS Ministry of Interior and RS Tax Administration. 10 E-government Assessment in Republika Srpska ted e-services. The absence of central ICT infrastructure records, centralized procurement pro- cedures and coordinated IT projects reduces the ability of the government to manage ICT infra- structure. Consequently, it makes it difficult to establish interoperable information systems. It is recommended to strengthen the convening and coordinating power of the MNRVOID, including coordination with the Ministry of Public Administration and Local Self-Government (MPALSG). Political commitment and leadership at the highest level of government are needed to drive a compre- hensive public sector digital transformation, and to coordinate and ensure a long-term commitment to the reforms. As the e-government agenda is at its heart a public sector reform agenda, increasing coordination with the MPALSG is also critical. MPALSG is responsible for the overall coordination of public administration reform activities. Further, it owns and maintains the civil status registry which covers birth, death, and marriage and is a key dataset for integrated service delivery. The existing Pu- blic Administration Reform Strategy defined the directions and guidelines for activities needed during the implementation of e-government. Implementing e-government, as outlined in this assessment, may require changes in the legal and regulatory framework, human resource management, financial management, and procurement. These represent the core public administration functions. Partne- ring with the MPALSG may also increase the political will and sustainability of reform efforts. To improve the whole-of-government coordination for digital transformation, the RS Govern- ment should consider establishing an overarching council or steering committee for e-gover- nment development and implementation. This council would consist of representatives of the MNRVOID and other line ministries providing citizen and business services. MNRVOID will need to coordinate with stakeholders in all service-oriented ministries, departments and agencies to im- plement a whole of government approach. This body (an entity-level administrative organization) could provide the necessary guidance and space for consultations to transform the government, establish user-centric e-services and promote a data-driven culture in public administration. The establishment of such a council would: foster collaboration across all ministries and other public administration bodies to implement a shared service model and user-centric e-services; maximize the value of ICT investments; and ensure alignment with the government’s strategic priorities. This new council can guide decisionmaking and help to coordinate activities concerning shared services and communicate the benefits across bodies. KEY FINDINGS AND RECOMMENDATIONS: ICT FOR SERVICE DELIVERY To achieve the vision of a citizen centric e-government and integrated service delivery for citizens, it is important to have key infrastructure in place. Key infrastructure includes functional building blocks which are considered preconditions to developing advanced e-services. These include a public-facing, unified public portal, public key infrastructure (PKI), e-mailbox, identification and authentication systems, interoperability platforms, e-document and tracking systems, and e-payments, among others. In 2009, the RS launched the project to establish the “eSrpska”3 e-government portal, which serves as an access point for e-services to citizens and businesses. Each sub-page is organized by topic, life or business events, such as housing, health, family, employment, education, and others. However, most available e-services are either informational only, or are enhanced services where electronic forms can be downloaded from the portal and processed in paper form. The RS has established a Government Service Bus to enable interoperability and data exchange, but it is underutilized. So far, the usage of the GSB for data exchange between different administra- 3 http://www.esrpska.com/ E-government Assessment in Republika Srpska 11 tive organizations is very limited. Currently, only three public administration bodies in the RS have published their services on the GSB. Another factor leading to underutilization is that the legal fra- mework in the RS/BiH does not enforce the usage of the GSB in the data exchange processes. Many institutions have established registers that are not published on the GSB. Instead of pu- blishing their registries on the GSB, public administration bodies build their own interoperability infrastructure, which is used for data sharing with other institutions. Systems in most institutions exchange electronic data based on mutually agreed protocols or agreements that regulate technical and semantic aspects of data exchange. This makes both maintenance and integration at the level of Republika Srpska, as well as integration with the state level a challenge. It also adversely impacts the ability to create new transactional e-services. This approach is not in line with the key principles of the European Interoperability Framework (EIF), such as the reuse of data and ICT infrastructure and administrative simplification, thus further fragmenting the systems. It is important to ensure interoperability across all levels in accordance with the EIF in anticipation of EU accession. Capabilities and functionalities should be increased. Based on global experience, adopting a mo- dular approach to infrastructure and the horizontal building blocks that focus on reusability is re- commended for the RS. This approach would be based on an enterprise architecture. It would center on standards for systems interoperability, information sharing, and information security and privacy controls across the public administration system. Shared services should include at minimum, a single Document Management System (DMS), an electronic payment system, an e-Mailbox, and an identification and authentication platform. These systems should be based on the principles of open specifications, protocols and standards that will enable integration with the future software modules for electronic delivery. Establishing a single e-payment platform to integrate with other key re-useable modules, such as e-document and e-signature, can enable transactional services that require applications or fee payments. The e-Mailbox would act as a single virtual place for e-service notifications to citizens and business entities. An RS-level identification and authentication platform (IAP) to enable access to electronic services is necessary, along with a user-centric authentication process that is mobile and cloud compliant. It is necessary to build a secure sign-on that can identify and authenticate users easily, quickly, and anywhere — and without mandatory requirements for special hardware. Each of these modules should be implemented to global standards, and they should be in alignment with relevant EU directives and regulations. A decision is needed on whether to centralize management for data hosting (with a separate disaster recovery location) or to invest in cloud infrastructure for data management. Ensuring secure and redundant data storage, backup and recovery is critical to the resilience and business continuity of government in the case of crises, such as the COVID-19 pandemic. It would be impor- tant that the cloud infrastructure take a network approach of several interconnected data centers that can serve the whole of government. A multi-nodal cloud could also serve as a form of data redundancy to support business continuity. 12 E-government Assessment in Republika Srpska KEY FINDINGS AND RECOMMENDATIONS: SERVICE REFORM AND DIGITIZATION  The e-Srpska Portal provides access to informational level services, but the vision is to imple- ment transactional and integrated services that meet the needs of citizens and businesses. This includes, inter alia, functions such as e-payment, e-mailbox, e-signature, digital seals, and data use and re-use across the MDAs. When digitizing services, efficiencies can be made and processes op- timized to simplify the tasks of both service providers and service beneficiaries. Applying concepts of design thinking and user centricity can result in better quality services that meet the needs and capabilities of different users. Regarding e-services design and delivery, it is recommended to adopt a user-centric approach to service reform. Redesigning services focusing on the users’ experience and needs — meeting their preferences, capabilities, and accessibility requirements — can increase citizen or business sa- tisfaction with service delivery. Taking a user-centric approach includes consultations with citizens, businesses, and other users of services to determine service challenges, needs and preferences. It is recommended to prioritize e-services for re-engineering and digitization by first developing a comprehensive service inventory that includes all citizen-facing services from all Ministries, Departments and Agencies (MDAs). An inventory of citizen-facing services could be used to pri- oritize those services to be digitized, identify redundant services, map life journeys, and provide level 1 informational services on the e-Srpska portal. The RS Government then needs to prioritize services based on specific criteria, such as the complexity of the service, readiness for digitization, the demand or number of transactions, and the existence of information technology (IT) staff in the relevant MDA to support the process. Greater efficiency gains occur through redesigning processes and procedures augmented by technology; this is often referred to as business process re-engineering (BPR) or simplification. Applying BPR to services before digitizing them can reduce the time to deliver public services, for example, through removing document requirements, reusing data via an interoperability platform, streamlining approvals, linking parallel processes, applying technology, and automating informati- on processing. Interoperability platforms, catalogues, and frameworks can enable real-time data exchange, verification, and validation that can significantly cut public service delivery time. While services are already being streamlined and digitized (such as e-baby) this practice can be expanded further to include all citizen- and business-facing services. Using a single Business Processing Modeling (BPM) platform would facilitate the mapping and documenting of business processes. All subsequent changes in business processes could later be incorporated in a simpler way to the application solutions of the electronic public administration services, without the need to change the program code. The application of BPM software tools wo- uld enable business analysts and the management structure of public administration bodies to defi- ne changes and rules in business processes and to simulate and test their effectiveness in real time. Develop an institutional change management strategy and action plan. Utilizing new technology in the day-to-day work of the MNRVOID and the government at large requires training and adap- ting to new ways of doing things. Communicating changes and sensitizing staff to the reforms and new technology can reduce resistance to the reform. Migrating to e-services can be challenging politically, culturally, and administratively. Focusing on change management can reduce the stress of front-line service providers by informing them of the benefits of digitization and fostering a sense of ownership over the reform. E-government Assessment in Republika Srpska 13 Develop Key Performance Indicators (KPIs) to monitor the impact of reforms and use of e-ser- vices. Monitoring of the KPIs is included as one of the functionalities of the afore-mentioned In- formation System for ICT projects. Specific KPIs could include the delivery time, the percentage of services completed, the abandon rate, and citizen satisfaction. among others.4 Engage citizens, businesses and other stakeholders throughout the reform process. Citizen en- gagement and outreach are of utmost importance to raise awareness of the reform and service availability. Citizens need to be informed of available services and, oftentimes, how to use them. Migrating to digital services has a cultural aspect for the beneficiary, and change management is important on both the supply and demand sides. As part of the process of monitoring public service delivery, citizen engagement or civic tech tools should be deployed to gather real time data about user feedback. This feedback can identify good practices, as well as the remaining challenges. As such, it should be used to adapt the service reform model. KEY FINDINGS AND RECOMMENDATIONS: RESOURCE MANAGEMENT FOR SUSTAINABLE DIGITAL TRANSFORMATION A primary challenge to public sector modernization and digitization concerns adequate reso- urces to design, implement and monitor systems, services, and solutions. These include human, financial, and technical resources. In the RS, these resources are limited, thus constraining the po- tential for the sustainable digital transformation and digital service delivery. The RS is faced with a shortage of various IT-related professionals. Interviews illuminated se- veral challenges with hiring and retention of key ICT staff across government. It is recommended to consider ways to improve the employment status and salaries of employees. This would help to increase motivation and retention of employees with specialized skills and a proven record of results in the digital transformation projects. Furthermore, a thorough analysis will have to be conducted to identify exact baseline information about missing human resources, and missing competences. However, it will also be necessary to identify staff in public administration bodies that do possess the specific competences and knowledge. Strengthening capacity is not only achieved through hiring. Other options include continuous tra- ining or retraining of existing human resources, the redeployment of existing staff, the integration of certain ICT services within the public administration system, or external provision (outsourcing) of ICT services. When choosing one of these options, it will be necessary to take into consideration the short- and long-term needs of the individual public administration body, as well as the needs of the public administration system as a whole, including the costs and benefits of each option.5 An additional challenge concerns the digital literacy and skills of general civil and public ser- vants. In addition to training on the digital transformation and impacts, specific needs inclu- ded training on advanced Microsoft applications, business analytics, and system administra- tion. It is recommended to carry out a thorough skills demand and supply analysis, and form a strategy of buying, borrowing or building skills based on the skills gaps that are found. Digitizing the public administration requires significant financial investments to cover upfront and recurrent costs. Two critical issues impact financial management of e-Government: first, limi- 4 Ibid. European Union. Project № BG05SFOP001-¬2.001-0009: Implementation of the Principle of the Shared Services in the Organization and Functioning of the Central Administration, funded by Operational Program Good Governance, co-funded by the European Union through the European Social Fund, ICT Report, March 2018. 5 Government of Republika Srpska, “Electronic Government Development Strategy of Republika Srpska for the period 2019 – 2022,” p. 57. 14 E-government Assessment in Republika Srpska ted funding, and second, knowledge of respective IT budgets by individual bodies. The budget of the RS contains very limited funds for capital investments in IT. Currently, there is no standard or tool to track ICT costs. However, an information system for ICT projects and regulation manage- ment is in development. To better manage resources, centralizing IT procurement through the MNRVOID would benefit interoperability and compatibility of new purchases and take advantage of economies of scale. In the domestic context, it should be noted that the RS has implemented a unified procurement of Microsoft licenses for the use of the RS ministries. This practice could be extended to other public administration bodies and other digital technology vendors, as it would allow for additional savings in the procurement of software licenses, ICT equipment and services. This recommendation is in accordance with the e-Government Strategy. Improvements in legislative framework would be beneficial to better meet the requirements for data security and data openness in the procurement process. The country-wide Public Procure- ment Law provides a framework for transparent public procurement, and its recent amendments have introduced exemptions from its application for procurements that include security aspects and for which adequate protections of classified data cannot be ensured by applying other measures. The legal practice is yet to show the effectiveness of these provisions. The ‘special regime’ procure- ment can be used for contracts which involve the use of classified data. However, the rulebook that regulate the award of such contracts is outdated and requires revision. A concerted country-wide effort is needed to align this rulebook with Public Procurement Law, relevant state-level regulations in the areas of data protection and security, and relevant EU Directives. E-government Assessment in Republika Srpska 15 1. Introduction 1. The governance system of Bosnia and Herzegovina is considered one of the most complex in Europe. The country comprises two entities - the Federation of Bosnia and Herzegovina and Republika Srpska, with Brčko District as autonomous self-government, and 10 cantons within the Federation of Bosnia and Herzegovina. Overall, the country has 13 constitutions, legislati- ve systems, and 13 prime ministers. The multiple levels of governance are more complex than central versus subnational that is seen in other countries. In this context, this report covers the entity of Republika Srpksa while recognizing needed reforms at the central level of BiH, as well as what can be implemented across entities. 2. In Republika Srpska (RS) there is significant interest in further developing digital govern- ment to meet public sector reform objectives, including improving public service delivery. To this end, the RS aims to promote a user-oriented administration focused on providing efficient services to all.6 This aim is enshrined in the recent e-government strategy7 and the govern- ment’s reform program.8 3. In June 2020, the RS Government adopted the countrywide Strategic Framework for Public Administration Reform (PAR SF) for 2018-2027. By the end of 2020, the Bo- snia and Hercegovina (BiH) Council of Ministers, the RS governments, the Federati- on of BiH (FBiH), and the Brcko District adopted the related PAR Action Plan for 2020- 2022. The importance of taking a strategic approach to e-governance reform was also recognized in the first Public Administration Reform (PAR) strategy adopted in 2006 and the accompanying action plans. This strategic framework sets the directions and guideli- nes for activities during the implementation of e-government at all governmental levels. 4. The transition from fragmented and/or outdated government systems to modern ‘integrated digital solutions’ offers great opportunities for improving productivity, efficiency, effective- ness, responsiveness, and trust in government — all essential to fighting extreme poverty and boosting shared prosperity and inclusion in most countries. One of the key challenges is to inte- grate digital governance strategies into public sector modernization efforts for creating a data-dri- ven (digital) culture in the public sector to achieve these aims. Also, the coordination of ongoing parallel reform activities is crucial to maximizing the benefits of large-scale investments in infor- mation and communication technologies (ICT). This will help to encourage the use of shared plat- forms for cost-effective delivery and sustainability of government systems and e-services. 5. The COVID-19 pandemic created unprecedented challenges for the public administration in the RS, reinforcing the importance of further advancing the digitization of public service delivery. The continuity of public service delivery has been constrained due to lockdowns and the crisis response. In general, the COVID-19 pandemic has disrupted traditional operational and decision-making processes, while also forcing governments to deliver public services more quickly. Like many governments, the RS Government has been forced to operate virtually and remotely, thus requiring new means of communication, outreach, and execution. Its ability to 6 See https://neighbourhood-enlargement.ec.europa.eu/bosnia-and-herzegovina-report-2021_en. 7 Strategy for Development of E-Government in RS for the period 2019-2022, available at https://www.vladars.net/sr-SP-Cyrl/Vlada/Ministarstva/mnk/ Documents/Strategija%20e%20uprave%20pdf.pdf. 8 The Government of RS, Exposé of the Prime Minister, https://www.vladars.net/sr-SP-Cyrl/Vlada/Premijer/Media/Govori/Pages/ekspoze-mandatara-visko- vica-21122022.aspx. 16 E-government Assessment in Republika Srpska respond has been partly constrained by the absence or insufficient quality of e-government digital service infrastructure, skills, and complex internal business processes. It is increasingly recognized that improved digital capabilities will be critical to ensuring the continuity of servi- ces, effective responses, and increased preparedness for the future. At the same time, existing structural and regulatory weaknesses also impact service delivery. An expansion of digital go- vernance and e-services will require technical changes, as well as reforms in critical areas that impact the government’s general capacity to effectively and efficiently deliver services. 6. The governments and the citizens recognize that digitization of services provides an effective tool for achieving greater transparency in public administration, while also in- creasing citizens’ satisfaction with public services. Although there is limited data for the RS concerning citizen satisfaction with public services, businesses note that easi- ly accessible information and services through secure online platforms are a priority for them in the BiH. Indeed, in recent surveys, 97 percent of enterprises noted digitization of interactions with government would substantially help their business operations9. 7. Alongside the efforts of the RS to modernize its public administration, the BiH is implementing an ambitious state-building agenda, which is driven partly by the aspiration for membership to the European Union (EU). In the context of EU accession, the BiH has prioritized public admi- nistration reforms to transform its public sector into a more modern, efficient, and citizen-centric administration. These reforms would be supported using information technology (IT) in public service delivery. The reforms were undertaken since 2006, with the adoption of the first Public Administration Reform Strategy and continued with the adoption of BiH’s Strategic Framework for Public Administration Reform (2018-2027), which provides the main strategic orientations for governmental public service delivery. Both these strategies and related action plans were developed within the context of the EU enlargement process. Likewise, the reforms undertaken in all Western Balkan countries are a result of the European Integration Agenda. Alongside the rule of law and e-governance, public administration reform — including service delivery — is one of the main pillars of the EU Enlargement Agenda10. The relevance of this for the RS is clear, that is, that reform efforts should be aligned with EU standards to ensure longer term sustainability. 8. This note presents an assessment of e-services and the key enablers that underpin an effi- cient and user-centric digital government in the RS, including recommendations for further development. The foundations of the digital government were also reviewed, including digital infrastructure, platforms and solutions, as well as critical non-digital elements, such as legisla- tion and regulations, leadership and institutions, the environment for delivery and innovations, the necessary skills, and partnerships. This note is meant to inform the RS Government’s future reform plans in the area of digitization. The document proceeds as follows: The methodology for the assessment is presented in Section 2. The current state of the different foundations is presented in Section 3. Finally, Section 4 focuses on recommendations and actions to further the digitization agenda in the RS. 9 https://www.measurebih.com/uimages/MEASURE-BiH20E-Governance20E-Administration20Assessment20Final20Report2012Dec2018.pdf. 10 http://mei-ks.net/repository/docs/20180206143311_strategjia_e_zgjerimit_e_be-se_2018_eng.pdf. E-government Assessment in Republika Srpska 17 2. Methodology 9. This assessment is based on multiple methods, combining semi-structured interviews and desk research. The assessment was conducted at the request of and in close collaboration with the Ministry of Scientific and Technological Development, Higher Education and Informa- tion Society (MNRVOID). The assessment focuses on five key components: (i) strategies and policies; (ii) laws and regulations; (iii) institutions and coordination; (iv) ICT and e-Government infrastructure; and (v) capacity and resources. Taken together, these five components underpin the enabling environment for integrated e-service delivery in the RS. As improving online servi- ce delivery is a key objective of RS, this report focuses on these components as related to ena- bling integrated online services. These components also align to those measured using other assessments such as the Digital Government Readiness Assessment. However, this analysis provides a more in-depth examination of specific aspects, including the infrastructure and ali- gnment of legal and regulatory instruments with the European Union requirements. 10. The primary methodology involved semi-structured qualitative interviews with high-level decision-makers and technical experts in key government agencies and ministries. Inter- views were also held with donor partners. These interviews were supplemented by a desk review of strategic policy documents, regulations, and other data. These were used to assess the RS’s current potential for the development of digital government. Additional interviews, focusing on IT skills, capacity and human resource management (HRM)-related issues, were conducted with IT managers at six central government institutions in collaboration with the RS MNRVOID.11 11. These interviews were supplemented by a desk review of strategic documents, regulations and other data to assess the RS’s current potential for the development of digital govern- ment. The desk review examined existing laws and regulations at the RS, BiH and EU levels to identify gaps and opportunities to strengthen the current enabling environment. The review also included previous country-level and entity-level reports concerning e-government and di- gitization, as well as global indicators of e-government development. 11 Representatives from six institutions were selected and interviewed, as they have the largest IT departments. They include the General Secretariat, the Ministry of Scientific and Technological Development, the Higher Education and Information Society (MNRVOID), the Ministry of Public Administration and Local Self-governance (MPALSG), the Ministry of Finance, the Tax Authority, and the RS Administration for Geodetic and Property-legal Affairs (RUGIP). 18 E-government Assessment in Republika Srpska 3. As-is State of Digital Government in the RS 12. To further advance the state of digital government in the RS, an as-is assessment was com- pleted to inform needs and opportunities. This section outlines the key findings related to the five pillars. This section does not include data concerning how the RS fares on global indicators related to digital government, as most of these indicators only measure the central-level perfor- mance in BiH. Accordingly, a benchmarking of state-level e-government performance for the BiH is presented in Box 1. Box 1: Benchmarking Bosnia and Herzegovina Digital Government As BiH is now an EU candidate country, there is work to do at the state and entity levels in order to meet accession requirements and align to relevant regulations and directives (see also Box 2 and Box 4). To place the findings and recommendations in context, it is useful to examine global indicators of ICT and e-government. Most global indicators and indices of ICT and e-government performance focus on the central governmental level, such as the the UN’s E-government Development Index, and the World Bank’s GovTech Maturity Index (GTMI). The BiH-level performance is useful when examining RS level performance and opportunities. Overall, the United Nations e-Government Development Index (EGDI) rates BiH in the high category, with a ranking of 96 of the 193 countries assessed12. The EGDI measures three areas of e-governance: online services, telecommunications infrastructure, and human capital. BiH falls just above the global average, but below the regional averages on the EGDI. BiH falls below the global and regional averages on the Online Service Index (OSI)13. See Figure below. Figure 1: UN E-Government Index Online Service Index 2022 Bosnia and Herzegovina World Leader Estonia Regional Leader Estonia Sub-Region Leader Malta World Average Region Average Sub-Region Average Source: UN E-Government Knowledgebase 2022 12 https://publicadministration.un.org/egovkb/en-us/Data-Center 13 EGOVKB | United Nations > Data > Country Information E-government Assessment in Republika Srpska 19 The World Bank’s (GTMI) for 2022 places BiH in the C category or “some” focus on GovTe- ch. As seen in figure 2 and figure 3, BiH falls below the regional and global averages on all four aspects of the index. The highest score is seen on the Core Government Systems Index (CGSI), and the lowest scores are on the Digital Citizen Engagement Index and the GovTech Enablers Index. These scores at the state level reflect similar weaknesses in readiness and maturity in GovTech, comparable to those seen at the RS level. Figure 2: GTMI Overview Figure 3: GTMI Components 2022 GovTech Maturity Index Components 2022 GovTech Maturity Bosnia and Herzegovina Regional Avg Global Avg Bosnia and Herzegovina Source: World Bank, (2022), GovTech Maturity Index, 2022 Update: Trends in Public Sector Digital Transformation. World Bank, Washington, DC. There are additional opportunities to improve internet access for residents of BiH. Overall, BiH is ranked 73rd globally in terms of Internet use.14 In the middle of 2020, more than 2.8 million citizens of BiH had an Internet connection, representing 86.2 percent of all households. This is very close to the average European Internet penetration rate of 87 percent.15 Smart phone ownership is also high, with 107 mobile phones per 100 inhabitants. More than 73 percent of the BiH inhabitants are using Internet.16 BiH ranks 110 of 194 countries on the Global Cybersecurity Index (GCI). The GCI captures 5 aspects related to cybersecurity including: legal measures, technical measures, organizational measures, capacity building and cooperation. The GCI noted that relatively good results exist in the field of legal measures, but there is room for improvement in organizational measures, tech- nical and capacity-building measures. As noted in Box 2 there are relevant areas of digital government that fall under the purview of the state level, particularly personal data protection and its alignment with the EU General Data Protection Regulation (GDPR). The EU also requires certain aspects to be compliant at the state and entity levels to achieve vertical integration. These aspects include identity and au- thentication (eIDAS), interoperability, and cybersecurity will need to cut across each body. This will also support compliance with the Single Digital Gateway Regulation that calls for a single point of contact for each EU member state. It is important to align the legislation, frameworks, and technology across the different entities inc- luding RS and with the state level to ensure compliance with the EU requirements. Doing so early in the digital transformation process can be more efficient than revising relevant regulations and fra- meworks down the line. To accomplish this it is important to establish coordination across the entities and the state level. Establishing coordination mechanisms to manage implementation of these aspects will be beneficial to the overall maturity of the BiH e-government but also prepare for future accession. 14 https://www.theglobaleconomy.com/rankings/Internet_users/ 2020 15 https://www.internetworldstats.com/list2.htm 16 https://data.worldbank.org/indicator/IT.NET.USER.ZS?locations=BA 20 E-government Assessment in Republika Srpska 3.1 Policy and Strategy to Drive e-Government Development 13. In Bosnia and Herzegovina, there is no countrywide strategic framework and policy vision to guide whole-of-government approach to the digital transformation and development of digital services aimed at citizens and businesses, because responsibilities in the segment of public service delivery are decentralized. Policy for the Development of the Information Society in BiH for the period 2017-2021 was adopted at the state level.17 However, state gover- nment level and the Federation of Bosnia and Herzegovina have not adopted strategy for the development of e–government at these respective levels yet.18 14. Digitization is recognized as one of the Government’s priorities. In the 2019-2022 Joint So- cioeconomic Reforms Program, the RS Government committed to improvements in the digital eco-system and the digital transformation to release the potential for information technologies to spur innovation and growth. Digitization is also among the five reform pillars of the newly elected RS Government19. Other pillars include increased economic growth, public enterprise reform, improved health and social policy, and the demographic renewal of the RS. Digitization is viewed as an integral part and continuation of public administration reform. As such, it is seen as a primary way to improve public sector performance. 15. The RS has a strategy and vision for the development of e-government, but it can be up- dated. In March 2020, the RS Government adopted the Strategy for the Development of e-government in the RS for 2019-2022 (e-governance strategy). The strategy is a key docu- ment for normative, technological and personnel modernization of the electronic public ad- ministration system in the RS. The strategy focused on developing a unified, systematic, and sustainable e-government for the RS. The strategy is unified because it takes a whole-of-go- vernment approach to include all public institutions. It is systematic in that it focuses on the building blocks to enable mature e-services. Finally, it is sustainable in that it is fully financia- lly self-sustaining. The strategy prioritizes the establishment of the missing building blocks (such as digital services infrastructure), as well as the enablers that have been identified as key obstacles to the design and implementation of integrated citizen-centric e-services. 16. The strategy provides medium-term direction and guidance for policy makers and admini- strators to move toward more citizen-centric e-government services. The goals in the stra- tegy focus mainly on the key enablers or building blocks of digital government, including: (i) an enabling legal framework and management of ICT infrastructure; (ii) key public infrastructure; (iii) information security, digitization of core business operations, interoperability, and develop- ment of user-centric digital services; and (iv) the strengthening of ICT capacities, among other issues. 17. The implementation of the strategy has resulted in visible legal and regulatory reforms, but more work is needed on other aspects to realize efficiency and performance gains. The stra- tegy has increased the political will of institutions and business entities to adopt digitization, a key driver of reform success.20 However, public sector modernization is a complex and long- 17 This Policy is mostly based on the “Europe 2020” strategy and the Digital Agenda for Europe. 18 Draft strategy documents were developed in 2020 within the scope of the UK’s Good Governance Fund “Support to e-government reforms and the digitalisation of services in Bosnia and Herzegovina” Project. 19 RS Government Program, December 2022, available at https://www.vladars.net/sr-SP-Cyrl/Vlada/Premijer/Media/Govori/Pages/ekspoze-mandatara-vi- skovica-21122022.aspx. 20 World Bank, 2020, ”GovTech Launch Report and Short Term Action Plan”, (Washington, DC: World Bank, 2020). E-government Assessment in Republika Srpska 21 term reform process. Pairing legal and regulatory reforms with necessary investments in key infrastructure, institutional development, change management and ICT capacity development takes time. The next section highlights key achievements in the legal and regulatory framework that support the development of e-government. 22 E-government Assessment in Republika Srpska 3.2 A Conducive Legal and Regulatory Environment for e-government Development 18. In accordance with constitutional arrangements of Bosnia and Herzegovina, state and en- tity government levels have competences to enact laws to enable digital transformation of the public service delivery at their respective levels. In general, significant progress has been made in recent years regarding digital transformation regulations (i.e. laws on general admini- strative procedures, laws on e-signature, e-document, etc.). In that regard, the laws on general administrative procedures at all government levels stipulate the “once only“ principle. Bosnia and Herzegovina is on the EU accession path and needs to align its legislation framework with the EU acquis. For that purpose, Bosnia and Herzegovina still needs to establish or complete framework for internal interoperability of the electronic services, electronic identification and trust services within the country and align it with EU regulations and directives to achieve cro- ss-border interoperability. 19. Another area in need of development is cybersecurity and trust services. The Legislative fra- mework for effective coordination of cross-governance cyber security response and reporting mechanisms and protection of critical infrastructure has not been established at the state level. It needs to be established in alignment with respective EU acquis. The law on the protection of personal data is yet to be amended at the state level in line with principles of the EU GDPR re- gulation. The process of developing this legislation can be complicated, and political challenges are a common barrier slowing progress. 20. The RS has achieved significant progress in establishing the legal and regulatory fra- mework for digital transformation that can form the basis for the further development of e-government. A number of important laws are in place to enable the smooth implemen- tation of the digital governance agenda. These include the Law on General Administrative Procedures, the Law on Electronic Signature, the Law on Electronic Documents, the Law on Electronic Doing Business and the Law on Archival Activities. Some of these laws still need further alignment with the respective EU regulations and directives and BiH framework legi- slation, once adopted. For example, it is necessary to enforce the principles of the European Interoperability Framework 2.0, launched in 2017 at all levels.21 BiH-level legislati- on relevant to digital transformation of the public services is presented in the Box 2. 21. This section provides a summary of the existing relevant laws and bylaws supporting digital transformation, focusing on those that, with revisions, could enable integrated service deli- very and strengthen public sector performance. 21 https://joinup.ec.europa.eu/collection/nifo-national-interoperability-framework-observatory/european-interoperability-framework. E-government Assessment in Republika Srpska 23 Box 2: BiH-Level Laws Informing the RS Approach and Recommendations for EU Accession Given the complexity of the governance and constitutionally assigned roles of the state vis-a-vis entity government levels, there are several relevant topics that are dealt with at the state level. Many of these align with the EU accession process requirements. This box summarizes relevant laws and regulations adopted at the BiH level. 1. The BiH Law on Freedom of Access to Information contains both material and proce- dural provisions, and regulates the area of access to information held by public bodies. However, this law does not make a clear distinction between access to information held by public authorities and access to other data, some of which is charged to individuals. 2. The issue of data ownership / possession and data reuse is not regulated in a uniform way. In practice, public administration institutions in BiH, including in the RS, have a strong sense of ownership over data created within their competence. In some cases, they are reluctant to allow access to data. The RS Law on Statistics contains provisions concerning the re-use of data, but this only applies to statistical data. The commercial use of data is not regulated in a uniform way either, and it differs from institution to institution. For example, the RS Agency for Intermediary and Information Services (APIF) regulates the commercial use of data by its bylaws, but only in terms of access to data in their possession. In other words, this issue is not treated by Lex Specialis. There is also no public administration body responsible for monitoring and controling this process. 3. Law on the protection of personal data. Competences over the regulation of personal data protection lay within the state level in BiH. With the Stabilization and Association Agree- ment, BiH has committed to harmonize domestic legislation with the Acquis Communauta- ire. This commitment applies to the harmonization of the Personal Data Protection Act with the EU GDPR Directive. With an eye to EU accession, there are activities to complete at both the BiH, RS and FBiH levels. For example, the harmonization of the BiH Law on protection of personal data with the GDPR is still in process. The BiH Agency for the Protection of Personal Data has prepared a proposal for the new law, which is aligned with the principles of the GDPR. This law is currently in parliamentary procedure. Additional recommendations for BiH to be in alignment with the EU acquis include the develop- ment of an electronic communications and electronic media law, and to adopt a law on electronic identity and trust services (see Section 3)22. It is also necessary for a Law on network and information security and law on critical infrastru- cture at the level of Bosnia and Herzegovina to be adopted to establish an effective framework for information security management and mechanisms for coordinated approach to cyber secu- rity incidents and resillient protection of critical infrastructure in Bosnia and Herzegovina. Laws must be aligned with EU aquis (the NIS Directives and the Critical Infrastructure Directive). 22 https://neighbourhood-enlargement.ec.europa.eu/system/files/2022-10/Bosnia%20and%20Herzegovina%20Report%202022.pdf 24 E-government Assessment in Republika Srpska 3.2.1 Existing Laws Enabling e-Government in RS 22. The General Administrative Procedure Act (GAPA), revised in 2018, regulates ele- ctronic communications between the public administration bodies of the RS and third parties; the electronic adoption and delivery of decisions; and the possibility of for- ming one-stop shops. Recent amendments to this law have provided for the electro- nic filing of party’s submissions, electronic case file management, as well as creation and delivery of public administration decisions and writs to parties in electronic form. 23. Despite significant improvements, some provisions of the GAPA law still prevent the di- gitization of specific steps or actions in the administrative procedure, thus preventing full implementation of e-services. The harmonization of other sector-specific legislation with the GAPA is also a prerequisite to enable legally valid e-services. The GAPA includes the principle of subsidiarity application in all those matters that are not regulated separately by a sector-specific law. Thus, it will be necessary to conduct a thorough assessment as to whether the sector-specific laws enable electronic communications with parties, as well as the usage of electronic data processing in the administrative procedures regulated by these special laws. The legality of electronic communications and electronic data processing en- sures that e-services are legally recognized as valid. The PAR Strategy Action Plan for 2018- 2027 did not include any specific action in this regard; however, the foreseen work on the catalogue of services might be a necessary enabler for the harmonization process.23 24. BiH strives to harmonize its legislation on e-identification with eIDAS. The only BiH instru- ment that fully corresponds to eIDAS is the Draft Law on the Electronic Identification and Trust Services for Electronic Transactions, which has been in Parliamentary procedure since March 2019. The State, the two entities and Brčko District of Bosnia and Herzegovina claim to have autonomy to regulate this area in accordance with their constitutional competences. As a result, the regulatory framework has been developing at an uneven pace, with Federation of Bosnia and Herzegovina still not having its law on electronic identification in place. Moreover, the laws at the different levels are not harmonized in a way that would ensure their interope- rability.24 25. Although the BiH Law on Electronic Signature was adopted 14 years ago, this supervisory body was established only in 2017. The state-level Office for Supervision and Accreditation of Certification Authorities carries out both ex-ante supervision (voluntary certification of trust service providers issuing secure electronic signatures) and ex-post supervision. Two public au- thorities (Indirect Taxation Authority and Agency for Identification Documents, Registers and Data Exchange of Bosnia and Herzegovina – IDDEEA) and one private company have already been accredited as the certificate bodies for the provision of qualified electronic certificates by the Office for Supervision and Accreditation of Certification Authorities. 26. A Single eID approach is still not functional in Bosnia and Herzegovina despite having all the technical and regulatory pre-conditions in place. In accordance with the Law on IDDEEA25, IDDEEA is responsible for personalization and technical processing of identity cards, and digital 23 Sigma OECD, “Monitoring Report – Principles of Public Administration (Bosnia and Herzegovina).“ (Sigma OECD, May 2022), p.127. 24 European Commission. The Bosnia and Herzegovina 2021 Report states that no progress has been made in ensuring the interoperability of the electronic signature system throughout the country. 25 Article 8, paragraph 2 and 6 of the Law on the Agency for Identification Documents, Registers and Data Exchange of Bosnia and Herzegovina - IDDEEA (“Official Gazette of Bosnia and Herzegovina” No. 56/08) E-government Assessment in Republika Srpska 25 signing in the field of identification documents, i.e. is in charge of electronic certificates and ele- ctronic signatures related to identification documents, in accordance with the law governing ele- ctronic signatures. With support of the Delegation of the EU in Bosnia and Herzegovina, IDDEEA has successfully completed the accreditation procedure for a certification authority issuing quali- fied electronic certificates by submitting positive Conformity Assessment Report to the Office for Supervision and Accreditation of Certificate Authorities within the Ministry of Communications and Transport of BiH. There is a final step that must be completed before IDDEEA can start issu- ing qualified electronic certificates in the identity card of citizens of Bosnia and Herzegovina for electronic identification of the assurance level high and qualified digital signing. That is the adop- tion of the Decision of the Council of Ministers on the prices of issuing eID cards. 27. The Law on Electronic Signature of the RS, amended at the end of 2019,26 regulates the right of natural and legal persons to use electronic signatures in administrative, judicial and other proceedings, as well as business and other activities. It provides qualified electronic signatures and electronic seals with the same legal force as handwritten signatures and ordinary seals. It prescribes the acceptance of a document in electronic form if it contains an electronic signature or an electronic seal. It also stipulates that an electronic signature cannot be challenged in court or other proceedings solely on the basis that it is in electronic form, or because it does not meet all the requirements for a qualified electronic signature. The law also regulates the rights, obli- gations, and responsibilities of both certification bodies (trust service providers) on the territory of the RS, including users of electronic certificates. However, at present there is not an e-signa- ture law at the BiH level, which will need to be adopted in alignment to the EU acquis27. 28. The Law on electronic signature of the RS establishes that electronic certifica- tes issued by certification bodies based in any of the European Union countries and some issued by those in other countries have the same legal force as certificates issued in the RS. The Law on Electronic Signature of the RS does not automatically (ex lege) re- cognize electronic certificates issued by qualified certification bodies accredited at the le- vel of BiH.28 These certification bodies (qualified trust service providers) need to go through a procedure for enrollment in the Registry of Certification Bodies of the RS. 29. The Law in the RS is not fully aligned with EU Regulation (EU) No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market (hereinafter eIDAS). 29 Specifically, the definition of what constitutes an electronic signature in the EU (eIDAS) is broader than that in the BiH and the RS. The RS Law falls short of what is required in terms of the supervisory function, as well as conformity assessments for trust ser- vice providers due to shared competence with the BiH level. As a result, qualified trust services in Bosnia and Herzegovina, including Republika Srpska will not be recognized as qualified in the EU according to the eIDAS regulation as long as there is no Law on the Electronic Identification and Trust Services for Electronic Transactions adopted and single trust list established at the state level. Annex 1 elaborates on the provisions of the Law on Electronic Signature of the RS that should be aligned with the eIDAS regulation. 26 The latest amendment from 2019 introduced electronic registered delivery as an additional trust service, which is also envisaged by an Electronic Identi- fication and Trust Services for Electronic Transactions in the European Internal Market (eIDAS) Regulation. Electronic registered delivery is an electronic data transmission service within which the certification body provides evidence of handling the transferred data, including proof of sending and receiving data, thus protecting the transferred data from the risk of loss, theft, damage, that is, any unauthorized changes. Data sent or received through an ele- ctronic delivery service may not be challenged in court or other proceedings solely on the basis that it is in electronic form or because it does not meet all the requirements for a qualified electronic registered delivery service. 27 European Commission Working Document Bosnia and Herzegovina 2022 report. Available from: https://neighbourhood-enlargement.ec.europa.eu/ system/files/2022-10/Bosnia%20and%20Herzegovina%20Report%202022.pdf 28 At this time, certified certificate authorities at the level of Bosnia and Herzegovina include: Halcom D.D. Ljubljana, Indirect Tax Administration of Bosnia and Herzegovina (ITA) and Agency for Identification Documents, Registers and Data Exchange (IDDEEA). 29 Regulation (EU) No. 910/2014 of the European Parliament and of the Council on Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market. 26 E-government Assessment in Republika Srpska Box 3: Relevant EU Regulations and Directives for Digital Services in the Public Sector With an eye toward EU accession, ensuring compliance with existing EU policies, regulations and directives at this stage of digital transformation is more efficient. There are two different types of EU legislation, Regulations and Directives. Regulations are binding legislative acts im- mediately applicable in their entirety in all Member States. Such EU regulations overrule national laws. Directives set the rules and objectives that all EU countries must reach and transposed into their national legislation within a defined timeframe. • eIDAS Regulation: This regulation aims to foster common rules and harmonization regar- ding the use of Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market. Chapter 2 and its relevant implementing regulations regarding in- teroperability and electronic identification set out the obligations to facilitate interoperability for cross-border electronic identification (eID) usage, including both identification and authen- tication. Chapter 3 and its relevant implementing regulations regulate trust services such as, but not limited to, electronic signatures and seals, advanced electronic signatures and seals, qualified electronic signature and seal certificates and qualified electronic signature and seal generation systems. The eIDAS regulation is currently being revised. Thus, it will be important to monitor the progress to ensure reform plans at all levels conform to the requirements. • Network and Information System (NIS) 2 Directive: NIS1 the first legislative framework of the European Union. It regulates specific aspects of protection against cyber attacks in sectors and entities. It calls for specific actions to increase cybersecurity, including establi- shment of Computer Security Incident Response Teams (CSIRTS), national strategies for cybersecurity, reporting obligations and other security-based measures. The NIS2 directive also includes all critical public and private infrastructure in EU member states. • General Data Protection Regulation (GDPR): The GDPR regulates the protection of per- sonal data and privacy of persons within the European Union, as well as the transfer of the data to third countries. The GDPR regulation: (i) defines the scope; (ii) harmonizes regu- lations; (iii) establishes bodies and mechanisms for monitoring the implementation of the regulation; (iv) promotes accountability and transparency in personal data processing; and (v) prescribes a framework for further strengthening and enforcing of technical and organi- zational measures for personal data protection and very severe sanctions for violators. • Single Digital Gateway Regulation (SDGR): The SDGR aims to grant online access to infor- mation, administrative procedures, and assistance services for residents and businesses in the EU. The purpose of the SDGR is to establish a single-entry point through which EU re- sidents and businesses can access information about relevant rights, rules, and obligations of all member states in a broad selection of administrative areas. This single-entry point is intended to help citizens and businesses who wish to exercise their rights in other member states, such as the right to travel, live, work, study, and do business. • The Open Data Directive: This regulates all public data that is not regulated by the GDPR. Adopted in 2019, the directive establishes the rules to ensure open access to public data. The directive stipulates the minimum requirements for EU member states regarding making public sector information available for re-use. This directive provides a common legislative framework for this area. The Directive is an attempt to remove barriers that hinder the re- use of public sector information throughout the European Union. E-government Assessment in Republika Srpska 27 • Web Accessibility Directive: This directive provides the legal framework for people with disabilities to have better access to public service websites and mobile apps. It obliges web- sites and apps of public sector bodies to meet specific technical accessibility standards. Fi- nally, it requires accessibility statements for websites and mobile applications, and feedback mechanisms to report accessibility issues, as well as regular monitoring and reporting. • Payment Services Directive (PSD) 2: This directive aims to enhance security of payment transactions and support consumer data protection. Based on common and open commu- nication standards, this enables online and remote payments such as those for government provided e-services. 30. The Law on Electronic Document (2015) regulates the use of electronic documents by pu- blic administration institutions in the RS. It provides the basic conditions for the implementati- on of the concept of electronic document processing and data exchange among different public administration bodies. It also covers private companies and other legal and natural persons in performing activities, as well as in proceedings before the competent authorities in administra- tive, judicial or other proceedings. These include proceedings in which electronic equipment and programs can be used in the creation, transmission, reception and storage of information in electronic form; the legal validity of an electronic document; and the use and circulation of an electronic document. The supervisory role over its application is assigned to the Inspectorate of the RS. 31. The RS Law on Electronic Doing Business, adopted in 2009, regulates the provision of in- formation society services, the responsibility of information society service providers, and the rules regarding the conclusion of contracts in electronic form. This regulation prescribes that the conclusion of a contract is possible electronically, that is, in electronic form. Also, such a contract will not be challenged for legal validity only on the basis of the fact that it is made in the electronic form. Amendments to the Law on Electronic Doing Business of the RS from 2016 lifted the ban on: (i) its application within the notarial activity; (ii) contracts in the field of family law or inheritance rights; (iii) gift contracts; (iv) contracts on the encumbrance and alienation of property that require approval of the competent authorities dealing with social protection; (v) contracts on the transfer of ownership of real estate or other legal transactions governing rights to real estate, except for real estate leases; and (vi) other contracts prescribed by special law to be drawn up in the form of a notary deed, or documents and contracts and expression of will guarantor, if the guarantor is a person acting outside his trade, business or professional activity. 32. The RS Law on Information Security (2011) defines information security measures and standards and prescribes institutional arrangements to implement and monitor the- se standards. A corresponding Decree on Information Security Measures and Rulebook on Information Security Standards provide a more detailed elaboration of information se- curity standards and measures. These provide basic data protection at the physical, te- chnical, and organizational levels for central government bodies, local self-government bodies, legal entities exercising public authority, and other legal and natural persons ac- cessing or handling electronic data. The Rulebook on Information Security Standards also prescribes that each public administration body must appoint an information secu- rity officer. This function must be separate from the IT management function of the pu- blic administration body. Finally, the Rulebook calls for the establishment of informa- tion security training for users and administrators in public administration bodies. 28 E-government Assessment in Republika Srpska 33. In 2020, activities were undertaken to improve the existing strategic and legal framework for information security in RS, but their adoption was slowed by the circumstances caused by the COVID-19 pandemic. The MNRVOID is currently working on a draft Information Secu- rity Strategy and a draft of a new Law on Information Security. The aim will be to harmonize it with the NIS Directives, as well as other EU regulations in the field of information and cyber security (See Box 4). Box 4: Management of Information Security in the RS As prescribed by the Law on Information Security of the RS, the Computer Emergency Res- ponse Team (CERT) was established in 2015 as the Department for Information Security at the Agency for Information Security. Following the transition of the competencies of the Agency to the MNRVOID, the CERT is now an organizational unit of this ministry. This Department ma- nages all aspects of information systems and cyberspace protection through the application of information security measures and standards. During 2020, the MNRVOID RS established the Security Operations Center with the aim of providing continuous electronic monitoring of the information security of the most critical ICT in- frastructure at the public institutions. In the first year of operation, the basic ICT infrastructure of the RS administrative bodies in the RS Government Administrative Center was connected. The scope of critical and key ICT infrastructure of the RS is expected to be expanded in the future. Activities are underway to improve the existing strategic and legal framework for information security in the RS. The MNRVOID is currently working on a draft Information Security Strategy and a new Law on Information Security, with the aim of harmonizing it with the NIS Directive, as well as with other EU regulations in the field of information and cybersecurity. The new law should unify the subject-matter currently listed in the Law and related Decree to distribute institutional competence in the field of security in accordance with the good practices of the European Union and Serbia. Data classification and protection in computer networks should be formalized in such a way that all public authority institutions are obliged to establish minimum technical requirements in the field of information and cyber-security. The recently adopted NIS 2 Directive30 extended this obligation to privately owned critical infrastructure. 34. The Law on Security of Critical Infrastructure: Adopting the Law on Security of Critical Infra- structure in 2019 was an important step toward the alignment with EU legislation on cyberse- curity and critical infrastructure (the NIS Directives and the Critical Infrastructure Directive31).32 According to Article 2 of this Law, critical infrastructure are systems, networks and facilities of special importance, the destruction or endangerment of which can cause serious disturbances in the free movement of people, transport of goods and provision of services. As such, these disturbances can adversely affect internal security, human health and life, property, the envi- ronment, external security, economic stability, and the continuous functioning of public admi- nistration bodies. This law regulates critical infrastructure sectors in the RS, including critical infrastructure management. It addresses a variety of aspects, such as mandatory risk analysis, security plans for critical infrastructure facilities, the security coordinator and person responsi- ble for the management and protection of critical infrastructure facilities, the handling of prote- 30 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), https://eur-lex.europa.eu/eli/dir/2022/2555. 31 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. 32 Law on Security of Critical Infrastructure in RS, Official Gazette of RS, 58/19. E-government Assessment in Republika Srpska 29 cted data, as well as supervision over the implementation of this law. The MNRVOID is the com- petent body for proposing and managing the critical infrastructure in the sectors of information and communication infrastructure, as well as public services. Unlike the Law on Information Security, this law prescribes financial sanctions in the case of established non-compliance with its provisions. Such provisions are in line with the principles and norms of the NIS Directive. 35. While progress is being made in cybersecurity in RS, at the BiH level there is significant room to strengthen monitoring, response and enforcement. At the level of BiH, there is cu- rrently no cyber security strategy and legislation that would pave the way for the coordinated action on cybersecurity response. This is critical for coordination of all public bodies and owners of critical infrastructure at different government levels in terms of strengthening resilience and improving response in the event of cyber attacks, with concrete measures defined, and respon- sible institutions appointed in this process. Research from the EU33 and the Regional Coopera- tion Council34 (RCC) highlights gaps such the absence of laws and strategies on “cyber” secu- rity on at all relevant levels in Bosnia and Herzegovina, and unidentified critical infrastructure. Bosnia and Herzegovina is the only country in Europe that does not have an established Com- puter Security Incident Response Team system (a system to assist Internet users in Bosnia and Herzegovina in applying proactive measures to reduce the risk of computer security incidents and providing assistance in combating the consequences of computer security incidents).35 This hinders response and leaves BiH vulnerable to cyberattacks. 36. The legislation provides the MNRVOID with sufficient authorizations for data protection. The management of classified data, including authorizations for data classification at different government levels, is regulated by a country-wide Law on Protection of Classified Data36. The law defines classified information as the data, the disclosure of which to an unauthorized per- son, media, institution, authority, another state, or an authority of another state could cause a threat to the integrity of BiH in several areas. This includes, among other things, public security; communications and other systems that are important for state interests; the judiciary; defen- se and intelligence-security related projects and plans; and scientific, research, technological, economic and financial affairs important for the security of operations of BiH institutions and security structures at all governmental levels37. 37. The Law on Administrative Fees of the RS regulates the payment of fees by natural or legal per- sons who are parties to the administrative procedures before public administration bodies. The law does not envisage electronic payment of administrative fees, nor does it specifically regulate the moment of occurrence of the fee obligation for electronic submissions. Currently, the predominant usage of non-electronic payment forms incurs higher operating costs, while also lowering the abi- lity to control payments and ensure transparency. As such, it carries a higher risk of fraud. 38. The current administrative fee system appears to incentivize entrepreneurs to register di- gitally. According to Article 4 of the Law on Administrative Fees of the RS amended in 2020, if the request regarding the registration of entrepreneurs is submitted electronically, the amount of the fee is reduced by 50 percent. This reduction of fees could incentivize users to submit their requests electronically. Also, if applied to other services, it could promote greater uptake of digital services. Other countries are using similar incentives, such as reduced fees or reduced 33 European Commission, Report on Bosnia and Herzegovina for 2020, Brussels, 6 October 2020 34 Regional Cooperation Council, A NEW VIRTUAL BATTLEFIELD - How to prevent online radicalisation in the cyber security realm of the Western Balkans, 06 Dec 2018 35 ENISA, CSIRTs by Country - Interactive Map, https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory/certs-by-country-interactive-map 36 The Law on Protection of Classified Data, BiH Official Gazette 54/05 and 12/09. 37 Article 8 of the Law on Protection of Classified Data. 30 E-government Assessment in Republika Srpska time to deliver services. This is achieved by choosing online services over face-to-face mee- tings, thereby encouraging the use of the e-services. The same principles should be applied by the future amendments to the Law concerning all writs and requests that are electronically submitted. 39. The Law on Archival Activities provides the prerequisites for the establishment of electronic archiving in the public institutions in the RS. It defines the collection, recording, arranging, storage and protection of public archival and documentary material, both in paper and digital form. The Rulebook on General Conditions for Preservation of Documentary Material in Di- gital Form and Special Conditions for Preservation of Specific Documentary Material, which was adopted on the basis of this Law, determines the conditions under which documentary material is archived in electronic form. This law is of particular relevance to the development and delivery of e-services, which rely upon or require archived materials to issue official do- cuments such as land titles, birth registrations, licenses and other official documents. 40. The Decree on Office Operations of RS Administration Bodies provides the enabling en- vironment for electronic document management within the public administration bodies. Adopted in 2020, the Decree recognizes the electronic office operations and establishes a legal basis for electronic office operations. Furthermore, the Decree on Office Operations prescribes that cases that are processed and stored using electronic registry can be archived, once com- pleted. This would be done electronically in a way that ensures their authenticity and long-term storage. It also provides for the possibility of their transfer to new technological platforms and conversion into new formats. This is particularly relevant for any electronic document or ele- ctronic version of administrative documents. E-government Assessment in Republika Srpska 31 3.3 Institutional Framework and Coordination for Whole-of- Government Reform 41. In accordance with the digital transformation of the public sector, the e-Government lands- cape of all institutions in the RS is transitioning to digital government. An institutional fra- mework for implementing the strategy has been established. Until 2018 this framework was embedded in the RS Agency for Information Society. Recognizing the need to strengthen the institutional mechanism and introduce a clear mandate and responsibility for reforms, in De- cember 2018, the RS Government adopted a decision to establish a new administrative unit, the MNRVOID. Subsequently, the previous Agency was closed. MNRVOID is responsible for establishing and developing effective systems of e-governance through the implementation of the e-governance strategy. 42. The MNRVOID is the main institution responsible for governance of the process of digital transformation in the RS. The RS Law on Administration38 gives the MNRVOID clear res- ponsibilities related to governance and strategic planning of the digital transformation of the public administration, public services and the information society in general. The MNRVOID is supported at the operational level by the Sector for IT of the RS Government’s General Secre- tariat. This sector reports to the General Secretariat, which is a supporting body of the Prime Minister’s Office. It has operational management responsibilities over shared ICT services, such as the administration and management of the Data Center established for the use of the RS Go- vernment, including the ministries and other public administration bodies. This is in accordance with the Law on RS Administration. 43. The allocation of clear IT governance responsibilities to one institution (MNRVOID) reflects a political commitment to the further development of the information society in the RS. A high-level political commitment has been shown to be a facilitator of successful public sector modernization39. More governments are consolidating responsibilities into one body to coordi- nate, manage and monitor implementation of digital government using a whole-of-government approach. The 2022 GovTech Maturity Index40 showed that dedicated digital government in- stitutions are present in 154 economies, leading the digital transformation agenda. These co- untries include the neighboring countries of Albania, Austria, Croatia, the Czech Republic, and Serbia. 44. In addition to the governance and strategic planning competences, the MNRVOID has cer- tain operational management responsibilities over key aspects of e-government enablers. Specifically, this includes the implementation of information security, digital identity, and ele- ctronic signature, as well as oversight/approval of implementation of ICT projects, including procurement of hardware and software. The Sector for Information Society, an organizatio- nal unit responsible for carrying out tasks and activities related to the Ministry’s competences over information society, includes four departments: the Department for Strategic Planning, Analysis, Development and Coordination of IT Projects; the Department for Information Se- curity; the Department for the Development of e-government; and the Department for Digital Identity Management (Figure 4). 38 Government of Republika Srpska. Law on RS Administration, RS Official Gazette, No. 115/18. 39 World Bank, “GovTech Launch Report.” (World Bank, 2020). https://documents1.worldbank.org/curated/en/213131609824669955/pdf/GovTech-La- unch-Report-and-Short-Term-Action-Plan.pdf. 40 World Bank, “GTMI Update Report.” (World Bank, 2022). https://openknowledge.worldbank.org/bitstream/handle/10986/38499/P1694820b- cef0903e091160315d2050d03b.pdf?sequence=1&isAllowed=y 32 E-government Assessment in Republika Srpska 45. Despite the solid institutional framework, the existing organizational model of delivering ICT services in the RS public sector is fragmented. Individual central government institutions are supported by their own IT staff or units. There is a lack of whole-of-government coordinati- on to support e-service development. The ICT units in most of the public administration41 insti- tutions are relatively small. They tend to work in silos, rarely exchanging resources, knowledge and information with others. Most of the institutions have their own systems that support their business processes that can act as a base for the development of integrated e-Services. The absence of central ICT infrastructure records, centralized procurement procedures, and coor- dinated IT projects reduces the ability to manage ICT infrastructure. Consequently, it makes it difficult to establish interoperable information systems. (See next section). Figure 4: Organigram of the MNRVOID MINISTER INTERNAL CABINET AUDITOR OF THE MINISTER DEPARTMENT FOR SCIENTIFIC - DEPARTMENT FOR DEPARTMENT FOR SECRETARIAT TECHNOLOGICAL HIGHER EDUCATION INFORMATION SOCIETY DEVELOPMENT DEPARTMENT FOR DEPARTMENT FOR STRATEGIC PLANNING, DEPARTMENT FOR DEPARTMENT FOR INNOVATIONS AND ANALYSIS, DEVELOPMENT FINANCIAL - PLANNING HIGHER EDUCATION RESEARCH OF NEW AND COORDINATION OF IT AND ACCOUNTING INSTITUTIONS TECHNOLGIES PROJECTS DEPARTMENT FOR DEPARTMENT FOR DEPARTMENT FOR DEPARTMENT FOR INFORMING AND ACADEMICAND RESEARCH STUDENT STANDARD INFORMATION SECURITY PROMOTION NETWORK “SARNET“ DEPARTMENT FOR SCIENTIFIC RESEARCH AND DEPARTMENT FOR INTERNATIONAL SCIENTIFIC DEVELOPMENT OF TECHNOLOGICAL E-GOVERMENT COOPERATION DEPARTMENT FOR DIGITAL IDENTITY SCIENTIFIC RESEARCH MANAGEMENT PROGRAMS DEPARTMENT DEPARTMENT “DR MILAN JELIĆ FUND“ Source: MNRVOID. 41 Except the RS Ministry of Interior and the RS Tax Administration. E-government Assessment in Republika Srpska 33 46. Coordination across government entities can be improved. The regulatory framework pro- vides the MNRVOID with the authority to coordinate the implementation of IT projects in the public sector. Currently, many projects in the public administration institutions are managed separately and without the active involvement of the MNRVOID. In this regard, the MNRVO- ID gives prior approval for the procurement of IT and other IT equipment for the needs of the government, including the ministries, and central government directorates and administrative organizations. However, the projects pertaining to the digital transformation of public servi- ces have outcomes that affect one or more functional areas across the public administration system. As such, they require the strategic oversight by the MNRVOID. 34 E-government Assessment in Republika Srpska 3.4 ICT and e-Government Infrastructure to Facilitate Integrated Service Delivery 47. To achieve the vision of a citizen-centric e-government and integrated service delivery for citizens, it is important to have key infrastructure in place. Key infrastructure includes fun- ctional building blocks. These are considered preconditions to developing advanced e-services. These include a public-facing unified public portal; public key infrastructure (PKI); identification and authentication systems; interoperability platforms; e-document and tracking systems; and e-payments, among others. This section provides key findings regarding these enablers. 3.4.1 The e-Srpska e-Government and e-Service Portal 48. A key mechanism to foster access to e-services is the development of a unified public portal. Data shows that over 160 economies globally have a unified public portal to provide information about and access to administrative services.42 These portals are becoming more multi-functional, combining information, service access, and citizen engagement mechanisms at a single point of contact. A fully functional e-Government portal depends on the establishment of other building blocks, such as the identification and authentication platform, the Government Service Bus and semantic interoperability platform, the e-mailbox and the e-payment infrastructure. 49. In 2009, the RS launched the project to establish the “e-Srpska”43 e-government portal. The portal was envisaged to become the central location for accurate and reliable information about the work of public administration bodies. The Portal was originally intended as an information portal for the available services of public administration bodies, and not as an access point for e-services. 50. Today, the Portal “e-Srpska” does serve as an access point for e-services. It is divided into two main sub-pages for citizens and businesses. Each sub-page is organized by topic, life or business event, such as housing, health, family, employment, education, and others. Within each life or busi- ness event, users (citizens or business entities) can access useful information about specific issues. Currently, most of the available e-services via this portal are either informational (providing a des- cription of the procedure to exercise rights and fulfill obligations or providing one-way interaction, or enhanced services where electronic forms can be downloaded from the portal and processed further on in paper form (See Box 5). 42 World Bank, GTMI dataset. (World Bank, 2022). 43 http://www.esrpska.com/ E-government Assessment in Republika Srpska 35 Box 5: UN Definitions of the Four Levels of Online Service Development Level 1: Emerging information services Providing information on public policy, governance, laws, regulations, relevant documentation and the types of government services provided. They have links to ministries, departments and other branches of government. Citizens are able to obtain updated information in the national government and ministries and can follow links to archived information. Level 2: Enhanced information services Delivering enhanced one-way or simple two-way e-communication between government and citizen, such as downloadable forms for government services and applications. The sites have audio and video capabilities and are multi-lingual. Some limited e-Services enable citizens to submit requests for non-electronic forms or personal information. Level 3: Transactional services Engaging in two-way communication with citizens, including requesting and receiving inputs on government policies, programs, regulations, and so on. Some form of electronic authentication of the citizen’s identity is required to successfully complete the exchange. Government websites process non-financial transactions, such as filing tax returns online or applying for certificates, licenses, and permits. They also handle financial transactions, that is, where money is tran- sferred on a secure network. Level 4: Connected services Changing the way governments communicate with citizens. They are proactive in requesting in- formation and opinions from citizens using Web 2.0 and other interactive tools. E-Services and e-solutions cut across the departments and ministries in a seamless manner, and information, data and knowledge are transferred from government agencies through integrated applications. Gover- nments have moved from a government-centric to a citizen-centric approach, where e-Services are targeted to citizens through life cycle events. Governments create an environment that empowers citizens to be more involved with government activities and to have a voice in decision-making. Source: Adapted from World Bank (2022) and the UN E-Government Survey (2008) 51. The Portal e-Srpska acts as a single point of contact. It provides the links to web pages of other RS institutions and specific e-services such as Tax administration e-services, electronic land registry, e-education, etc. The Portal is outdated from a technological point of view as it is not integrated with shared services and building blocks such as SSO/Identity and authenticati- on providers, e-mailbox, and e-payment functionalities. 52. Expanding the list of services available on the portal and improving functionality is a prio- rity. The e-Srpska portal has a number of services available on the portal (see Annex 2). Most of the services are enhanced or are a level 2 in terms of sophistication, meaning that they do not enable two-way communication with the citizen. Several transactional or level 3 services are available from the Tax Administration, such as tax records and electronic submission of tax applications. Advancing the sophistication and capability of the existing e-services deploying a user-centric approach to reforms could yield significant savings in terms of time and cost to deliver administrative services. 36 E-government Assessment in Republika Srpska 53. The State level still does not have operational unified public portal for central level services and information. Both FBiH and Brčko District of Bosnia and Herzegovina also have unified public por- tals where e-services are organized by the life or business events. However, similar to the RS, these portals provide access to predominantly emerging (informational) or enhanced information services. 54. Adopting a user-centric approach to service reform implies focusing the design and delivery of services around the needs and preferences of the user. Oftentimes, services are reformed from the perspective of the ministry, which can negatively impact uptake and satisfaction with e-services, thereby reducing the value of the reform investment. Redesigning services with the user in mind, that is, meeting their preferences, capabilities and accessibility requirements, can increase citizen and/or business satisfaction with service delivery. Taking a user-centric approach includes consultations with citizens, businesses, and other users of services to deter- mine challenges, needs and preferences for services. This includes consulting a diverse body of users, such as women, the elderly, persons with disabilities, and others. In addition, these con- sultations should include front-line service providers to identify potential areas of improvement, as they have implicit knowledge about business processes and procedures. 55. Citizen centricity also implies accessibility for those with disabilities. Universally accessible e-services are a priority for the EU and are outlined in Mandate 376 on ICT accessibility and Mandate 420 on accessibility of websites and mobile standards. These services are compatible with assistive devices such as screen readers, and may be compliant with text to speech en- gines, closed captioning, alternative text and navigation. Considering accessibility at the first stage of design can save time and efforts to ensure that they meet standards such as the Web Content Accessibility Guidelines and are in alignment with EU requirements. 56. The four key stages of service reform include rationalization, re-engineering, digitization and delivery.44 The RS can use these stages as a guide for planning a comprehensive service reform and revising and upgrading the existing e-services in cooperation with other Government levels, in cases where public service delivery includes relevant institutions. The first stage focuses on servi- ce organization and elimination of redundant or obsolete services, as well as a selection of priority services. The second stage highlights re-engineering, streamlining and optimization of back-end processes. Stage three is where the digital service is created through interoperability, automation, and presentation. Stage four is delivery, highlighting quality and delivery standards, omni-channel access, such as through a mobile app, phone center, or chatbot. It highlights continuous improve- ment of services to use new technology, meet accessibility standards, and create value for users. 57. Reform planning includes organizing and prioritizing services for digitization. There is a preliminary list of e-services on the e-Srpska portal included in Annex 3. This list can be enhanced by adding on all other Government-to-Citizen (G2C) services. These services can then be organized by life event, and then pri- oritized or eliminated based on clear criteria. For example, services in high demand (demonstrating a high annual number of transactions) are those considered most important by citizens. Issues of concern in this regard include the cost and time to digitize, back-office readiness, sustainability, and others. 58. Stage Two is where most of the potential efficiencies and cost savings can be identified. Ser- vice simplification and re-engineering is a process that can be applied to the front- and back-end processing of services. By reducing the administrative burden in requiring less information from the citizen (as the government has the data already) and streamlining back-end processes, such as veri- fications, validations and approvals, services can be both faster and cheaper to deliver (See Box 6). 44 A suggested reform framework is provided in the World Bank’s Service Upgrade Report available at: https://thedocs.worldbank.org/en/doc/ c7837e4efad1f6d6a1d97d20f2e1fb15-0350062022/original/Service-Upgrade-The-GovTech-Approach-to-Citizen-Centered-Services.pdf. E-government Assessment in Republika Srpska 37 Box 6: Increasing Efficiency and Reducing Costs through Service Reform Migrating from informational services to transactional and connected services can result in time and cost savings for both governments and citizens. However, it requires back-office improve- ments. Many countries have undergone large-scale service reform programs while digitizing their services. These include redesigning processes and procedures and augmenting service delivery with IT. This simplification or business process re-engineering can reduce the time to deliver services through reducing document requirements, automating processing or approvals, validation, and so on. Different approaches to service simplification include the Standard Cost Model, that has been used in Organisation for Economic Co-operation and Development (OECD) countries and EU menber states. It reduces the administrative burden by 20 and 25 percent, respectively. This model can be applied to both G2C and Government-to-Business (G2B) services. It has also been used in developing country contexts, such as in Albania, Kenya, and Vietnam. Although it is difficult to estimate the potential cost savings for both the user and government sides, there are methods to measure the impact. When mapping a particular service, the time for each task can be estimated (for example, validating information, obtaining approvals, processing payments, and so on). This time estimate can be converted into monetary figures by using the average civil servant wage. Taking this number and extrapolating across the number of transac- tions, a better view emerges of the compliance costs and costs to deliver (Figure 5). Figure 5: Example Service to-be Map with Simplification Time to pay is reduced to 1.5 hours Driving License due to modernized payment systems. Provisional Driving Licenses: 7932 Time to get informed National Driving Licenses: 2699 Time to pay is is reduced to 1 hour Upgrades: 1065 Tests are given upon 1.5 hours due to due to online services. demand. No time modernized payment Enroll online; no time needed. needed. systems. Visit police Take station to enroll Visit bank to Take driving lessons Visists bank to Visit bank to pay Take passport Start Visit police theoretical Take (Total work time: pay 10,000 in fee tax to RRA for the photos and copies station to in theoretical passport pay 10,000 lessons test (2h) in tax for the 20h over a period of for the practical national driving of Identity Card identify Take photos 1 month (Total theoretical provisional test (3h) license: and provisional requirements work time: and Total cost: 100,000) • 50,000 Francs license (2h) Firm for driving test produce driving 45h over a (45 minutes + license (3h) for one category license and period of Visits bank to copies of • 10,000 Francs be informed pay 5,000 in 2h of travel) ID (2h) Enroll in practical 1 month) Get informed of for upgrades of upcoming Total cost: application fee exam (2h) (3h) Submit application tests (2h) for the theoretical upcoming tests at 20,000) Visit police the police, driving to police (2h) test (3h) to submit school or radio (2h) application Take practical (2h) exam (8h) Exam takes Enroll online; not more than Traffic Police of Rwanda Time to pay is no time 4 hours. reduced to 1.5 hours needed. The results of the due to modernized The theoretcal tests The Police issues a Exam is marked within 15 days and Driving license theoretical payment systems. test is marked are announced at the Police stations provisional results published is issued (1 month) driving license in police stations (within 2 and driving (2 months) and driving schools months) schools Enroll online; no processing time needed. End Apply online; no processing time needed. Source: World Bank (2022), ”Service Upgrade: A GovTech Approach to User Centric Services”, p. 22. The impact can be enormous. Based on a World Bank Project in India, reengineering of the top 10 services resulted into a cumulative savings of 59 million person days, resulting in a US$47 million cost savings. 38 E-government Assessment in Republika Srpska 59. To be truly citizen-centric, engaging stakeholders throughout the process can result in po- sitive outcomes. Stakeholders include different service agencies, users, and front-line service providers. As noted, different users have varying preferences and capabilities. Designing ser- vices with these guides in mind or co-creating services with a number of stakeholders can in- crease the satisfaction of users. In turn, this can increase the uptake of digital services, thereby increasing the return on investment of the reform. 60. Taking a modular approach to e-service development or re-using shared services, such as for payments, signatures and notifications, can accelerate service digitization. Countries such as Albania, Moldova, and the United Kingdom apply re-usable modules or re-usable Appli- cation Program Interfaces (APIs) that can be modified to suit new types of services. Using this approach, Albania developed over 500 transactional level e-services in less than five years. 61. Regardless of the method and framework for service reform, change management needs to be part of the process. Service reform changes the processes and procedures, often at both the front-end of delivery (for example, what information is needed) and the back end (such as validations and approvals). This requires new training for service providers to ensure that the new processes are followed and that they adapt to new ways of working. This too increases the return on investment, as the new technology is used to its full potential, thus creating time and cost efficiencies. 3.4.2 Electronic Registries 62. In accordance with the constitutional organization of BiH, institutions from different go- vernment levels have the competencies to establish, maintain and update electronic regi- sters. Institutions at the state level maintain a limited number of important electronic registers (citizen register with data on ID cards, passports, driving and traffic licenses, register of minor offences, VAT and customs-related data, registry of bank accounts of business entities in BiH, transport permits for international and inter-entity transport, register of immigrants, asylum seekers, refugees). RS and FBiH (or cantons in the FBiH) maintain all other electronic registers such as business entity and entrepreneur registers, land registers, geospatial data, registers in the sector of direct taxation, pension, disability and health contributions, health service, educa- tion, social welfare, industry, agriculture, energy, intra-entity transport, etc. Most of the basic electronic registers are digitalized, but many of them are either not interoperable or published at the relevant GSB instance. Data from specific electronic registers is made available to other institutions, which are authorized by the legislation and signed bilateral or multilateral agree- ments. Such access is usually provided via point-to-point web services using interoperability infrastructure outside the GSB. 63. The e-Srpska portal has a searchable register of public administration institutions. In additi- on to the full name of the institution, the search result provides other contact information about the institution, such as a contact person, internet address, address, telephone and fax number, and so on. The Portal also provides links to the pages of the competent institution where users can further their search. Some of the basic registers (including the Register of Business Entities, the Electronic Register of life events – birth, marriage, citizenship and death) are hosted on the virtual infrastructure, that is, the infrastructure as a service (IaaS) platform of the Government Data Center. E-government Assessment in Republika Srpska 39 64. Although the MNRVOID has collected data on over 240 e-registries at the local and RS levels, it has yet to establish a Meta-register that contains information of all electronic re- gisters established in the RS. The meta-register creates one of the key preconditions for the realization of comprehensive inter-institutional electronic services in public administration. The- se services are mainly based on the exchange of data from electronic public registers. The pur- pose of the Meta-register is to support semantic and technical interoperability and exchange of data and information on the registers; the organization of public registers; and changes in the structure of registers. This is necessary to increase the quality of public services and enable the planning and implementation of projects using data already collected by other public sector bo- dies. As such, it takes into account compliance with applicable regulations concerning personal data protection, data confidentiality, and the right to access information. The establishment of a meta-register must be coordinated with the state, FBiH and Brčko district of BiH level to build a single interoperable meta-register that will compile consolidated information across each level and institution. 65. The publishing of electronic registers and services on the Government Service Bus has not been proclaimed mandatory by the legislation of the RS. The same is true at other govern- ment levels in BiH. This is one of the key factors that has limited the number of e-services avai- lable on the interoperability platform,45 as well as the low level of inter-institutional cooperation and data exchange. This in turn limits the capability to streamline processes and reuse data. 3.4.3 E-delivery and e-mailbox 66. Currently, there is no centralized mechanism or system for qualified electronic delivery of documents in the RS. This is also missing at other government levels in BiH. As a result, there is also no centralized electronic mailbox for citizens and legal entities through which they could receive documents and notifications issued by public administration bodies. For G2C and G2B services, an e-mailbox is a service where messages from the government are sent to the citizen or business owner instead via physical mail delivery. While it is possible to use ordinary e-mail addresses for the delivery of e-documents, it is beneficial to have secure encrypted access to administrative documentation. Countries such as Albania and Moldova have encrypted docu- ment storage as part of their e-services portal. As such, users can store and access documents necessary for e-service applications, such as for birth certificates, tax payment receipts, certifi- cates of good standing, and others. 67. Some RS institutions already have their own systems for electronic office business. These systems may have elements of Document Management Systems (DMS) or Workflow Manage- ment Systems (WMS), which are implemented using different technologies. Therefore, there is no data exchange between them. The lack of coordination of the RS institutions during the introduction of the DMS system may result in problems with integration of different DMS solu- tions with the future software module for electronic delivery of documents to citizens/busines- ses. Additonal integrations will also require more budget funds and change management acti- vities. At the state level, the procedure for the introduction of DMS is prescribed by the decision of the Council of Ministers of Bosnia and Herzegovina, but it is not applied in practice. Similar to RS, institutions at the state level usually implement their own DMS systems, with little or no coordinated approach to technical design and implementation of such systems. 45 This includes the electronic services of the RS Pension and Disability Insurance Fund, the RS Administration for Inspection Affairs, and the RS Agency for Intermediary, Informatic and Financial Services. 40 E-government Assessment in Republika Srpska 3.4.4 E-payment 68. Enabling payments (e-payments) for services at the point of service, such as through an online portal, is a key function of integrated service delivery platforms. It provides all users of the e-Government Portal with electronic payment functionality for all electronic services available on the portal that require payment of administrative or other fees. At present, there are no legal and technical preconditions that would enable electronic payment of taxes, fees and charges in the RS. This poses an obstacle to the development of all transactional electronic public services that require the payment of taxes, contributions, fines, court and administrative fees, concessions, and so on. Also, the RS does not have legal regulations regarding electronic money (hereinafter referred to as e-money).46 Similar legislative and technological barriers exist at other government levels regarding implementation of e-payment building block. 69. The e-payment platform would enable payments with the payment cards of all banks ope- rating in the financial market; this would occur via integration with electronic or mobile banking systems of those banks as well as with electronic money. The user of the electronic service will be offered pre-populated data on the online payment form (based on the informa- tion retrieved) from the Meta-register, the Treasury and other relevant information systems. This would be done before executing electronic payment. The total price of the service will be executed in one payment, which will be then distributed through the e-Payment platform to the amount ratios and entities to which it belongs, according to the applicable regulations (Box 7). Box 7: e-Services of the Tax Administration The Tax Administration of the RS has made significant efforts to provide citizens with high quality transactional e-Services. With the support of the United States Agency for Internati- onal Development (USAID), the Tax Administration recently launched the ”e-mailbox”, a new electronic service for taxpayers.47 The “e-mailbox” enables remote, two-way communication and exchange of documents between taxpayers and the RS Tax Administration. Taxpayers can receive certificates, overpayment notices, decisions, and other tax acts in the electronic inbox. They can also submit requests, complaints and other documents in electronic form, signed by an electronic certificate issued by the RS Tax Administration or qualified electronic certificate issued by the Certificate Authority MNRVOID. By establishing its own PKI infrastructure and e-mailbox, the RS Tax Administration is able to offer several e-services that enable interaction between taxpayers and the Tax Administration (for example, for submitting different requests, tax reports, specific notifications, and so on). Source: Authors notes and RS Tax Administration’s information on launching ”e-mailbox” (https:// poreskaupravars.org/poreska-uprava-rs-unaprijedila-svoje-elektronske-usluge-novom-i-moder- nom-funkcionalnoscu-elektronsko-sanduce-pusteno-u-funkciju 46 E-money is virtual money, a digital cash equivalent. It is housed on an electronic device or on a remote server that can circulate smoothly beyond national borders. A common form of e-money is the “electronic wallet.” It comes in the form of a smart card that houses a certain monetary value. As a rule, it is a relatively small amount. Then the e-money is stored on a mobile phone or account on the Internet. 47 https://poreskaupravars.org/poreska-uprava-rs-unaprijedila-svoje-elektronske-usluge-novom-i-modernom-funkcionalnoscu-elektronsko-sanduce-pu- steno-u-funkciju/. E-government Assessment in Republika Srpska 41 3.4.5 Interoperability Infrastructure to Facilitate Data Exchange and Integrated Service Delivery 70. Interoperability in the public sector is about enabling connections between ministries, departments, and agencies, both vertically and horizontally. Through interoperability plat- forms, the MDAs can share data, and access information systems and processes. Interopera- bility enables secure real-time data exchange to facilitate transactional level e-services and multi-sectoral, and in the case of BiH, cross-government level services (that may require data, data validation, or processes of other MDAs to deliver). Interoperability is one of the key enablers for a whole-of-government approach to digital transformation. Interoperability has several dimensions, including: legal, organizational, cultural, technical, and semantic.48 See Box 8 for definitions. Box 8: Defining Digital and Non-Digital Interoperability Layers Legal interoperability is about ensuring that organizations operating under different legal fra- meworks, policies, and strategies are able to work together, for example, by establishing specific agreements or putting in place new legislation. Organizational interoperability refers to the way in which the public administrations align their business processes, responsibilities, and expectations to achieve commonly agreed and mutu- ally beneficial goals. Cultural interoperability refers to the approach taken by individuals and or- ganizations to align their social and cultural differences and, if applicable, organizational cultural differences — all of which can be at the root of different responses to the same interoperability challenge. Semantic interoperability refers to the ability of different information technology systems and software applications to automatically interpret the information exchanged. This is done in a meaningful and accurate manner to produce useful results. This layer also covers syntactic in- teroperability, which is about describing the exact format of the information to be exchanged in terms of grammar, format, and schemas. Technical interoperability covers the applications and infrastructure linking systems and ser- vices, such as interface specifications, interconnection services, data integration services, data presentation and exchange, and secure communication protocols. Source: Adapted from World Bank (2022) and the European Commission, Directorate-General for Communications Networks, Content and Technology, Directorate-General for Informatics (2021), pp. 68-74; and European Commission, n.d. 48 World Bank, “Interoperability: Towards a Data Driven Public Sector.” EFI Insight (World Bank 2022). Available from: https://documents1.worldbank.org/ curated/en/099550101092318102/pdf/P1694820242a9c041083900346bab0910eb.pdf. 42 E-government Assessment in Republika Srpska 71. In line with the European Interoperability Framework (EIF), interoperability can be under- stood as encompassing both digital and non-digital aspects. Elements with a digital focus include semantics, systems, middleware, databases, and security. Non-digital elements include institutional and organizational factors, cultural factors, and legal factors.49 The immediate effe- cts of an interoperable public sector include increased connectivity of IT systems. In addition, governments can access, share, interpret and reuse data more easily and on a larger scale. 72. In 2018, the Council of Ministers of Bosnia and Herzegovina adopted the Decision on the adoption of the interoperability framework to ensure the compatibility of information systems and processes, and the provision of integrated and user-oriented services, thus accepting the recommendations and determinants of the European Interoperability Fra- mework 2.0. This was accomplished under the project led by the Public Administration Reform Coordinator’s Office at the state level that aimed to create a set of documents and standards related to the BiH interoperability framework. Supplemental information such as Implementing Guidelines and Standards for System Architecture and Application Development, Initial Data Dictionary and Data Dictionary Development and Maintenance Standards were also adopted as an Annex to the Decision on the adoption of the Interoperability Framework. The Ministry of Communications and Transport of BiH and the General Secretariat of the Council of Ministers of BiH are responsible for the implementation of the Decision on the Adoption of the Interope- rability Framework at the state level. 73. The Decision on the adoption of the BiH interoperability framework provides for the for- mation of two coordination bodies: Coordination for interoperability and Interdepartmental working group. The Coordination for interoperability group was designed to be an expert and advisory body of the Council of Ministers of Bosnia and Herzegovina for the area of implemen- tation of services under the competence of the Council of Ministers in order to achieve horizon- tal interoperability between the institutions at the state level. The interdepartmental working group is tasked with ensuring vertical interoperability between different administrative/gover- nment levels in Bosnia and Herzegovina as well as cooperation with the European Union. These coordination bodies were established by the Decision of the Council of Ministers in 2021. 74. The existence of the common component to facilitate a unified governmental service and data bus is essential for the successful development of a whole-of-government digital infrastructure. In Bosnia and Herzegovina, the Government Service Bus (GSB) or the Inte- roperability Information System (IIS) were implemented at the end of 2017 using a multiple Enterprise Service Bus (ESB) approach. It was based on brokered ESB integration architectu- re. It consists of four separate instances, one for each level of government (that is, BiH, the FBiH, the RS, and the Brcko District of BiH). Every GSB instance is used as an e-service hub by providing access to relevant data and business processes for specific institutions from that Government level. 75. The GSB is a secure basis for the exchange of data between various public registers, databases, and so on. The main purpose of such a system is to monitor and record all data exchanges, while also monitoring the correctness of data delivery. The exchange of data between the different levels of government (Cross government - Level Mediation Component50) is ensured through a separate component for mediating service requests between different GSB instances. (See Box 9). 49 Ibid. 50 It is based on a brokered ESB topology in which every GSB instance manages its own Universal Description, Discovery, and Integration (UDDI) namespa- ce of service endpoints offered. It also keeps full responsibility and authority for the governance, life cycle and management over the list of services offe- red to other governance levels. This dedicated UDDI namespace is replicated at the cross governance-level mediation component for every GSB instance. E-government Assessment in Republika Srpska 43 Box 9: GSB Benefits and Examples According to the GovTech Glossary (World Bank 2022a), a Government Service Bus (GSB) is a standards-based integration platform for automating secure data exchange among different government databases and applications. It supports government operations and the delivery of services. It also entails cross-boundary platforms for connectivity and interoperability of systems across ministries and agencies. Benefits of the functional GSBs include: • Secure and standardized data exchange between institutions of individual levels of gover- nment; • Secure and standardized data exchange between different levels of government; • Secure access to public registers; • Centralization of the information exchange mechanism; • Integration with existing systems; and • Increased access, use and reuse of available data, documents and information from various sources. According to the 2022 World Bank GovTech Maturity Index, 71 of 198 economies report having a GSB or interoperability platform in place. These include Albania, Jordan, Tanzania, Türkiye, the United Arab Emirates (UAE), the UK, and Uruguay, as well as EU member states, such as the Czech Republic, Slovenia, Spain, and others. In Albania, the Government Gateway launched in 2013 is managed by the National Agency on Information Society (AKSHI). The AKSHI manages and coordinates all of the Government of Al- bania’s activities in ICT and e-Government. The Gateway is the GSB that links all MDAs in Alba- nia, and it facilitates transactional e-services for citizens and businesses on the e-Albania portal. The Czech Republic GSB is part of the central service point (CMS - Centrálního místa služeb). The CMS is the only place to exchange data between different information systems from the public administration. Different entities can access the interface via web applications. In Slovenia, Tray technology is the backbone of the National Interoperability Portal (NIO). The National Interoperability Portal publishes the different standards and guidelines aligned to the Development Strategy for the Information Society (Digital Slovenia 2020). In BiH, a GSB was implemented at the end of 2017. It consists of four separate instances, one for each level of government (BiH, FbiH, RS and Brcko District of BiH). However, BiH and its entities have multiple autonomous IT systems that differ in quality and efficiency. The “silos” effect and lack of interoperability infrastructure limits data exchange both horizontally across agencies but also vertically across entities. Source: World Bank 2022(a); GovTech Maturity Index 2022 44 E-government Assessment in Republika Srpska 76. The RS has established a GSB, but it is underutilized. The GSB for the RS is hosted in the Data Center of the General Secretariat of the Government of Republika Srpska. The GSB is im- plemented using the Service-Oriented Architecture (SOA) implementation of Microsoft BizTalk, which complies with EIF 2.0 framework. Despite the fulfillment of the technological require- ments, the GSB platform at all government levels, including the RS, is underutilized, primarily because the legal framework of the RS/BiH does not enforce the usage of the GSB in data ex- change processes. Another reason is the fact that some institutions have not consolidated their decentralized information systems or electronic registers. 77. Some government institutions in the RS mention the lack of access to the GSB web service logs as a reason for not connecting to the GSB. Access to the GSB services from 3rd party systems is recorded in these logs. Therefore, many institutions create direct connections to its services, thus bypassing the GSB infrastructure. Access to these logs for representatives of these institutions is also security issue that should be regulated by the standards of the techni- cal interoperability at the level of Republika Srpska. This would be considered as an additional incentive for use of the GSB. 78. Existing information systems in the public administration bodies are the primary source of information for the GSB of the RS. So far, the usage of the GSB for data exchange between different administrative organizations is very limited. Currently, only three public administrati- on bodies in the RS have published their services on the GSB: the Agency for Intermediary, IT and Financial Services APIF (data on business entities); the Inspectorate of the RS (data on the inspection supervision); and the Pension and Disability Insurance Fund of the RS (data on em- ployees – beneficiaries of the pension and disability fund contributions). Also, many institutions have not yet established uniform registers that are published on the GSB via web services. 79. Currently, the GSB platform is used in a very limited capacity at other government levels as well. At BiH level, only IDDEEA has published its web services for authorized access to the re- gistry of fines, registry of residence and stay and unique personal identification numbers of BiH citizens, ID cards of BiH citizens and ID cards for foreigners. At the FBiH level, Federal Admini- stration for Inspection Affairs, Tax Administration of the FBIH, Federal Ministry of Agriculture, Water Management and Forestry and Federal Ministry of Justice have published web services to provide an access to some of the data collected, processed and stored under their respon- sibility. The BD Inspectorate, BD Finance Directorate and Basic Court in Brčko are connected to the GSB instance for the level of Brčko District of Bosnia and Herzegovina. The reasons for underutilization of other GSB instances at the aforementioned levels in Bosnia and Herzegovina are similar to the ones stated for the Republika Srpska. 80. Instead of publishing their registries on the GSB, public administration bodies build their own interoperability infrastructure, which is used for data sharing with other institutions. Systems in most institutions are not interconnected based on interoperability standards and infrastructure. This makes both maintenance and integration a challenge, adversely impacting the ability to create new convergent e-services (such as the creation of an API to every system). This approach is not in line with the key principles of the European Interoperability Framework, such as the reuse of data and ICT infrastructure and administrative simplification. In additi- on, this practice exacerbates the fragmentation of systems. European Commission’s document “The Sharing and Reuse Framework for IT Solutions document” provides generic recommenda- tions on how to reuse, share or jointly develop IT solutions that meet common requirements.51 51 European Commission, “The Sharing and Reuse Framework for IT Solutions, https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/sha- ring_and_reuse_of_it_solutions_framework_final.pdf E-government Assessment in Republika Srpska 45 81. One key challenge regarding the use of an interoperability platform and the development of downstream transactional e-services is the publication of registers. The publishing of electronic registers and services on the Government Service Bus has not been proclaimed man- datory by the legislation of the RS and other government levels in BiH. This is one of the key factors that has limited the number of e-services available on the interoperability platform. It also accounts for the low level of inter-institutional cooperation and data exchange, including the aim of streamlining processes and reusing data. 82. The Interoperability Framework of the RS52 is aligned with the constitutional competencies of the various levels of government in BiH. Such a system in the RS is still in its development phase. Its establishment is based on the European Interoperability Framework and the adopted BiH interoperability framework that proposes technical concepts, rules and standards for infor- mation systems architecture and application development. 83. The MNRVOID also plays a role of coordinator of the interoperability framework in the RS. However, to fully benefit from implementing the GSB as the cornerstone of technical interope- rability, the RS has to establish infrastructure of semantic interoperability and align with the BiH Interoperability Framework and its accompanying semantic interoperability documents. The management of metadata, master data and reference data (taxonomies, controlled voca- bularies, thesauri, code lists and reusable data structures/models) must be put in place to avoid fragmentation and duplication of data exchanged through the GSB and exploited for the provi- sion of e-government services. 3.4.6 Identity Management and Public Key Infrastructure in the RS 84. The Public Key Infrastructure (PKI) is a set of hardware, software, policies, processes and procedures required to create, manage, distribute, use, store and revoke qualified digital certificates and public keys. The MNRVOID has established a PKI, and it has become a quali- fied certification body in the RS. It provides services for issuing qualified electronic certificates in accordance with the Law on Electronic Signature of the RS. 85. The PKI governs the issuance of digital certificates. These certificates protect sensitive data, and provide unique digital identities for users, devices, and applications. They also secure end- to-end communications and service delivery. Many governments use PKI and digital certificates for: (i) national ID programs; (ii) single sign on (SSO) functions; (iii) encrypted communications and document/data exchange; and (iv) authentication tasks, such as digital signatures and ac- cess to online services. 86. The benefits of the PKI include improved facilities, networks, and application access throu- gh cryptography-based authentication. The PKI can close security gaps in user identification and authentication and reduce the possibility of data breaches that can result from using weak credentials, such as usernames and passwords. It also improves data integrity and security through the encryption of sensitive data. 87. The major components of the PKI are the Registration Authority, the Certificate Authority, the Certificate Directory, and the Archive (Figure 6). The Registration Authority processes 52 The Interoperability Platform has been established through the Investment Environment and Institutional Strengthening Project, implemented in coope- ration with the World Bank, and funded by the Swedish Development Agency. 46 E-government Assessment in Republika Srpska user requests, saves them in the user database, and confirms their identity. Certificate Autho- rities are responsible for creating digital certificates. They own the policies, practices, and pro- cedures for vetting recipients and issuing the certificates. The Certificate Authority also attests that the public key embedded in the digital certificate belongs to the particular entity, as stated in the certificate. In this regard, the Certificate Authority has the right to revoke a certificate, if necessary. The Certificate Directory manages and stores the user’s registration information and certificates for future reference. Finally, the Validation Authority is responsible for validating certificates and maintaining Certificate Revocation Lists. Figure 6: Overview of Public Key Infrastructure Public Key Infrastructure Issue Publish Certificate Certificate Directory Registration Download Certificate Request registration Confirm Identity Request Certificate Receive ID + Password Install Client SW + generate key pairs Source: Dener, Watkins, and Dorotinsky (2011). 88. The PKI of the RS is a hierarchically organized structure for issuing qualified digital certifi- cates. It consists of one self-signed certification body (CA MNRVOID) that issues certificates to subordinate bodies and signs lists of revoked certificates. It also has at least one subordinate certification body that issues qualified certificates to natural persons and legal entities, as well as to individuals representing legal entities. The PKI consists of several software and hardware components divided into security and operation zones that are protected at the network level by redundant firewalls. The registration authority of the CA MNRVOID provides the interface E-government Assessment in Republika Srpska 47 between the user and the certification authority, which accepts requests for issuance of the qu- alified electronic certificates. Physical persons or authorized representatives of the legal person must come to the nearest office of the Agency for intermediary, IT and financial services to file such requests. The registration authority has the role of pre-processor of the certification aut- hority, with a role of user identity verification in the process of request receiving for the issuance of a qualified electronic certificate, and when delivering certificates. The registration authority of the CA MNRVOID consists of: • The central registration authority located in the headquarters of the CA MNRVOID. It tasked with approving and forwarding data for the issuance of qualified electronic certifi- cates, as well as for requests for changing the status of certificates. • The local registration body is performed by the RS Agency for Intermediary, Informa- tion and Financial Services, which is authorized to receive applications for issuing qu- alified electronic certificates, verifying the identity of users, and forwarding corre- ctly completed applications after confirming personal identification of the applicant. 89. There are plans for the MNRVOID to issue qualified certificates to physical and le- gal persons. At the RS level, the MNRVOID’s Unit for Management of Digital Identities wi- thin the Sector for Information Society has not started mass issuance of qualified certifica- tes to physical and legal persons. However, The MNRVOID’s Certification Authority53 has already issued over 100 qualified certificates for users in the Tax Administration of the Re- publika Srpska and other strategic e-government projects in the RS, such as “e-baby” and “Online registration of businesses”. The Ministry has planned a procurement of another slot of 5,000 smart cards. However, the procurement has not been realized due to supply cha- in difficulties among international vendors of qualified signature or seal creation device (QSCD) smart cards. These cards are intended for public administration bodies to be used for electronic identification, authentication and digital signing/sealing of documents. Ci- tizens and business entities will bear the costs of fees for qualified electronic signatures or electronic seals (including smart cards) issued by the MNRVOID Certificate Authority. 90. The Agency for Information Society of the RS has become a certificate authority for public administration bodies, whereas the Ministry of Science and Technology performed admi- nistrative tasks related to enrollment of the certificate authorities in the CA registry in ac- cordance with the Law on Electronic Signature of the RS. With the reorganization of the RS Government in December 2018, the Agency ceased its work and became part of the Sector for Information Society within the MNRVOID. The MNRVOID’s certificate authority issues qualified electronic certificates to public administration bodies, as well as to natural and legal persons. However, the Register of qualified certificate authorities available on the MNRVOID’s website does not show any registered qualified certificate authority in the RS. Given that the qualified certification body can perform trust services on the basis of a license/permit issued by the Mi- nistry,54 it is not clear whether it has to certify itself as a qualified certification body in the sense of the Law on the Electronic Signature of the RS. 91. Closed PKI systems for issuing non-qualified electronic certificates have already been esta- blished by several institutions in the RS. These include the Ministry of Interior;55 the Tax Admi- 53 The MNRVOID is proclaimed as the certificate authority for public administration bodies, as well as for natural and legal persons by the RS Government Decree. 54 Article 22, para (1) of the Law on Electronic Signature of the RS. 55 Supported by the EU, the Ministry of Interior of the RS is establishing technical prerequisites to become a qualified trust service provider. In the future, the Ministry could issue qualified certificates for electronic identity cards (eIDs), enabling citizens to digitally present and digitally sign documents. 48 E-government Assessment in Republika Srpska nistration; the Agency for Intermediary, Informatic and Financial Services; the Ministry of Admi- nistration and Local Self-Government; and the Ministry of Health and Social Welfare. These PKI infrastructures were implemented within specific e-Government projects to provide electronic identification and authentication of users. They are used predominantly for the digital signing of documents in the respective information systems. Both the Ministry of Administration and Lo- cal Self-Government and the Tax Administration of the RS are listed in the Register of non-qu- alified certificate authorities available on the MNRVOID’s website. Thus, these institutions have become non-qualified certification bodies, subject to adherence to the procedures and require- ments set by the Law on Electronic Signature of the RS. Non-qualified certificate authorities do not require licenses/permits to start providing non-qualified trust services.56 Still, they are requ- ired to conform with technical and organizational measures that are prescribed for non-qualified trust service providers by the Law on Electronic Signature and its secondary legislation. 92. Public administration institutions in the RS use different identification and authentication ma- nagement systems for their internal users, employees and information systems. The RS Gover- nment General Secretariat has established Active Directory infrastructure that is used for authen- tication of employees. Few institutions that offer two-way interaction or transactional electronic services to citizens (such as the RS Tax Administration, which provides e-signature services with CA MNRVOID certificates) have deployed their own identity and authentication management systems to perform authentication and authorization processes for offered electronic services. 93. Currently, there is no central Identification and Authentication Platform (IAP) for the level of the RS that would be an aggregation point for e-identity verification, thus enabling access to electronic services offered by the RS public administration bodies. The platform should be managed by the MNRVOID, reusing the potential of its already established Certificate Authori- ty as the primary identity provider. Such a platform would also enable the use of multiple types of identification, as well as means of different assurance levels issued by various identity and authentication service providers registered in accordance with the Law on Electronic Signature of the RS and other respective laws regulating electronic identification and trust services in Bosnia and Herzegovina. The platform would act as an intermediary between e-service users, e-service providers, and identity and authentication service providers integrated with the Plat- form. In this way, citizens will be able to choose from the list of the identity and authentication service providers available on the IAP. They would choose a provider whose assurance level corresponds to that required by the e-service that the citizen wants to access. Existing PKI in- frastructures established in the RS do not support more user-friendly methods for user authen- tication and digital signing, such as virtual smartcards in mobile apps and remote signing in the cloud. This can be included in the next phase of development. RS level IAP should be fully in- teroperable with similar platforms, once established at other levels in Bosnia and Herzegovina. 3.4.7 Data Center Infrastructure 94. The RS has a Government Data Center under the RS Government General Secretariat for data processing, storage, redundancy, data backup and business continuity. The Government Data Center provides shared services to the ministries and other public administration bodies at the level of the Republika Srpska. Infrastructure and networking services provided by this data center have accelerated the implementation of several e-services, such as the one-stop shop for the registration of businesses and entrepreneurs, and the SOTAK information system for social 56 Article 19, para (1) of the Law on Electronic Signature of the RS. E-government Assessment in Republika Srpska 49 welfare institutions, which connects institutions from geographically dispersed locations throu- ghout the RS. It also hosts critical Internal Government Business Support Systems, such as the Treasury Management System and Centralized Payroll Calculation System for civil servants and employees of the public administration bodies and institutions in the RS. A detailed overview of the shared services provided or hosted in the Government Data Center is in Annex 3. 95. Several other public administration institutions57 have their own data centers with data processing, storage and backup systems. The MNRVOID has not yet established a registry of data processing facilities within the RS public administration. A comprehensive assessment has not been performed to analyze compliance and classification of data processing facilities into specific tiers. There is no inventory of available hardware and software resources/assets and services supported by each data processing facility. Hardware resources in the data centers of other public administration institutions serve exclusively to run the IT infrastructure and ele- ctronic services of these respective institutions. It is likely that hardware resources in all these institutions are not utilized to the optimal level, as network and logical interoperability for the interconnection of these data centers has not been achieved. 96. A comprehensive assessment of the data centers has not been performed, so the resilien- ce level of the existing centers is currently unknown. Although it is an optional exercise, the assessment would analyze compliance and classification of data-processing facilities into spe- cific tiers. The tiers would reflect a four-level classification rating that measures the availability, redundancy, and resiliency of the data centers. The levels are Tier 1: Basic Capacity; Tier 2: Redundant Capacity; Tier 3: Concurrently Maintainable; and Tier 4: Fault Tolerant58. The factors determining the tier include power, cooling, maintenance protocols, redundancy and fault tole- rance. These can be used to determine the estimated annual downtime. The ratings are techno- logy agnostic, meaning that they are applicable to all systems by all vendors. 97. The state and FBiH level have data centers that usually host common shared services such as Active Directory, e-mail, GSB, web hosting, e-government portal, etc. These data cen- ters are managed by the IT Departments within General Secretariat of the Council of Ministers (for the state level) or the General Secretariat of the Government of the FBiH (for the FBiH level). However, a comprehensive assessment of the data centers is needed at the BiH and FBiH level as well since many other institutions from these levels run and maintain own data centers. These centers are used for hosting information systems and IT infrastructure services, that in many cases duplicates established shared services at their respective government level. 98. Cloud solutions such as public, hybrid, or government clouds are growing in their adoption of digital government. Cloud computing can present advantages for the RS and other gover- nment levels in BiH, such as cost savings, scalability, and high availability, thus accelerating digital transformation and data management. Cloud storage can reduce data redundancy by allowing ministries to collect, store and make available copies of important documents, key databases, and other essential data off-site. Cloud solutions, such as cloud-based digital signa- tures, can support the provision of transactional e-government services to the public. 99. One consideration and challenge may be the development of a data classification scheme to enable secure access, use and protection of data in the center or cloud. What is stored in the clo- ud will depend on whether it is private, public, or a hybrid of the two. This scheme categorizes data by sensitivity, such as public, official, secret and top secret. As such, it helps to determine data risks 57 These include the RS Ministry of Interior, the RS Inspectorate, the RS Tax Administration, the RS Administration for Geodetic and Property Affairs, the RS Health Insurance Fund, the RS Pension and Disability Insurance Fund, and so on. 58 More details can be found at the Uptime Institute Journal at https://journal.uptimeinstitute.com/explaining-uptime-institutes-tier-classification-system/ 50 E-government Assessment in Republika Srpska and potential impacts related to security breaches (See Table 1). Such a scheme would classify di- fferent government data and personally identifiable information (PII)59 of citizens that governments and their contractors handle. This would be based upon the (CIA) security objectives60. Table 1: Sample of Data Classification Levels and Potential Impact on CIA Security Objectives Data Impact Impact Description Classification Level The loss of confidentiality, integrity, or availability could be expected to have a Public Low limited adverse effect on organizational operations, organizational assets, and/or individuals. The loss of confidentiality, integrity, or availability could be expected to have a Official Moderate serious adverse effect on organizational operations, organizational assets, and/or individuals. The loss of confidentiality, integrity, or availability for Secret Data could be ex- Secret High pected to have a severe or catastrophic adverse effect on organizational opera- tions, organizational assets, and/or individuals. The loss of confidentiality, integrity, or availability for Top Secret Data could be expected to have an exceptionally Top Secret High grave adverse effect on organizational operations, organizational assets, and/or individuals. Source: Adapted from World Bank (2023) “Data Classification Matrix and Cloud Assessment Framework.” Most countries already have a government-wide data classification scheme based upon the 100. CIA requirements, including all EU countries61, Australia, the United Arab Emirates, the Uni- ted Kingdom, and the United States. The UK has adopted a principles-based and sensitivity/ risk-based approach to data classification, focusing on CIA principles. By avoiding specificity and focusing on outcomes, the UK classification system allows for the adaptation for each par- ticular category or classification of government data and its use, as deemed appropriate by the governmental department’s specific contractual requirements.62 The BiH law on Protection of Classified Data defines four data classification levels (top 101. secret, secret, confidential and internal). It authorizes senior legislative, judicial, and executive officials and heads of institutions responsible for relevant sectors at different government le- vels to classify data as internal, confidential, or secret. Hence, the Minister of the MNRVOID is provided with such authorizations. Only a few senior state-level officials and presidents and vice-presidents of the FBiH and the RS are authorized to classify data as top secret63. 59 PII is defined as is any piece of information that confirms an individual’s identity. A person’s PII can include their address; National Insurance Number or Social Security Number; driver’s license; financial information, including bank accounts; and medical records. See: https://www.isms.online/iso-27002/ control-5-34-privacy-and-protection-of-pii/. 60 World Bank, “Institutional and Procurement Practice Note on Cloud Computing.” (World Bank, 2023). 61 The EU classified information categories include Top Secret, EU Secret, EU Confidential, and EU Restricted. For more information: https://www.consilium. europa.eu/en/general-secretariat/corporate-policies/classified-information/ 62 See pages 36-38 in the Data Ecosystem Report for a detailed description of the UK classification model. 63 Articles 13 and 14, the Law on Protection of Classified Data, BiH Official Gazette 54/05, 12/09 E-government Assessment in Republika Srpska 51 3.4.8 Security of ICT Infrastructure 102. Following the legal requirements, the MNRVOID has taken steps to identify critical infrastru- cture in the areas of its responsibility. The MNRVOID is responsible for proposing and managing the critical infrastructure in the sectors of information and communications infrastructure and public services. In line with the methodology for the identification of critical infrastructure adop- ted by the Ministry of Interior (MoI), the MNRVOID has started to identify the facilities and com- ponents of critical infrastructure and their governing bodies in these two sectors. This process is still underway. Once completed, the MNRVOID will be required to conduct the mandatory risk assessment and develop a security plan. The MNRVOID has also appointed a security coordinator and deputy from among its staff. Once the critical infrastructure facilities have been defined, per- sons directly responsible for the management and protection of such facilities will be appointed. The relevant components of critical infrastructure will also be put in place. 103. The management and security of critical infrastructures in the RS, including the use of prote- cted data, is regulated by the Law on Security of Critical Infrastructures in the RS64 . The Law defines critical infrastructure as the systems, networks and facilities of special importance, whose destruction or endangerment could negatively affect security and interrupt operations of RS bodies, among other things. The law authorizes the RS Ministry of Interior to determine the critical infrastru- cture in the sectors defined by the law, based on a proposal of the administrative body responsible for a particular sector, and in line with the methodology adopted by the MoI. The law provides the responsible bodies with several mechanisms for the management of critical infrastructure, including conducting mandatory risk analysis; developing and implementing security plans to ensure the con- tinuous functioning of critical infrastructure; and appointing persons responsible for security and management of critical infrastructure. The law also stipulates that classified data related to critical infrastructure should be managed in line with applicable regulations and international standards. This includes, among other things, the BiH Law on the Protection of Classified Data. 64 Law on Security of Critical Infrastructures in RS, RS Official Gazette no. 58/19. 52 E-government Assessment in Republika Srpska 3.5 Resource Management for a Sustainable Digital Transformation A primary challenge to public sector modernization and digitization concerns the adequate 104. resources to design, implement and monitor systems, services and solutions. These include human, financial, and technical resources. In the RS, these resources are limited, thus constrai- ning the potential for sustainable digital transformation and digital service delivery. This section outlines key findings regarding resource management that impact digitization efforts. 3.5.1 Human Resources The public administration in the RS faces challenges in ICT human resources and skills to 105. manage day-to-day operations and the digital transformation. This section will discuss HRM challenges as they relate IT specialists, and the civil and public service workforce at large. HRM challenges in the IT cadre The RS is faced with a shortage of various IT-related professionals. This includes bu- 106. siness analysts, enterprise architects, software developers, network and system engi- neers, database developers/ administrators, cybersecurity experts, and so on. There has been a persistent trend of an insufficient number of human resources, as well as an outflow of ICT human resources. In addition, there has been a lack of the necessary ICT knowled- ge and skills among the existing human resources. Interviews illuminated several challen- ges with the hiring and retention of key ICT staff across government agencies, including the status of ICT staff, salary requirements, and level of skills. Also, it is difficult to establi- sh the exact number of adequately trained staff because a significant number of employees are engaged in ICT jobs, although they do not have the appropriate formal education. 107. The current shortage of ICT personnel burdens existing IT staff with additional tasks and responsibilities, but without additional compensation. This becomes a demotivating factor that usually accelerates their decision to leave the public administration bodies and seek jobs in the private IT sector. This further exacerbates the issue of IT staff retention. These challenges are not relegated to the RS alone; indeed, are nearly universal (See Box 10). E-government Assessment in Republika Srpska 53 Box 10: Challenges in Strengthening HRM for IT specialists65 Compensation The most common explanation for the difficulty in attracting and retaining IT specialists is the higher compensation for their skills in the private sector. Most countries opt to add bonuses to IT specialist jobs in order to make these positions more attractive to the labor market. In Latvia, for example, a ’market coefficient’ is available for positions that are in high demand in both the public and the private sectors (such as IT personnel). Eligible positions are determined through regulations. They have to be shown by private sector market research to be a priority for both private and public sector employers. In addition, there is a set maximum for this coefficient66. In the United States, an agency may pay a ’recruitment incentive’ to a newly appointed employee if it has determined that the position is likely to be difficult to fill. This incentive may be as much as 25 percent of the employee’s annual rate of basic pay.67 It is important to note that compensation, although very important, is not the whole picture. Work-life balance, learning and an entrepreneurial atmosphere, and a culture of innovation are often top priorities as well. In Argentina, for example, the Secretariat of Modernization attri- buted high employee turnover within its digital and innovation agencies to the more alluring opportunities and salaries in the private sector, as well as to the private sector’s more agile and innovation-driven mindset and culture (OECD Argentina). Similarly, The United States Digital Corps targets early career technology talent with a two-year fellowship program. The fellowship includes a dedicated learning and development curriculum and mentorship. Education and Training Given the shortage of IT skills on the labor market, one attractive way of increasing digital skills — apart from recruitment — is through training of existing staff (’upskilling’). Developing or im- proving skills can help staff to perform their current roles more effectively. In addition, it can help them to progress to a higher-level or more complex role in the future. Organizations will need to assess what training and development options they are best placed to deliver, as well as which skills or qualifications may need to be delivered by external training sources. The quality of these training sources is critical. However, creating an appropriate training strategy, and equiping the relevant teams with the necessary capacity to provide training is not easy task. Also, increasing skills through training takes time. To this end, the Australian government has created a Public Service Modernisation Fund to make funding available to support innovative approaches within the public service. Image and Reputation It is critical that public sector organizations develop strategies to attract and retain staff, as well as to consider the image and branding of the public sector as an employer. Apart from the public sector image as underpaying and ’stuffier’, on the positive side, it does provide stability, and better socioeconomic benefits (vacation days, work-life benefits). In addition, the public sector offers a unique opportunity for potential employees to contribute to projects and work that can make a difference to the lives of citizens. However, public sector organizations need to more clearly communicate this, together with the other benefits that public sector employment offers. 65 World Bank. ”Tech Savvy : Advancing GovTech Reforms in Public Administration.” Equitable Growth, Finance & Institutions Insight. (Washington, DC: World Bank, 2022). https://openknowledge.worldbank.org/handle/10986/37311 66 Based on interviews with civil servants. 67 For more information, see https://www.opm.gov/policy-data-oversight/pay-leave/recruitment-relocation-retention-incentives/fact-sheets/recrui- tment-incentives/ 54 E-government Assessment in Republika Srpska 108. Interviews with agencies confirm that there are challenges with hiring and retaining IT talent in the public administration. Specific capacity gaps were noted in cybersecurity, data administration, system administration, network management and data center management, and monitoring and reporting. The greatest challenge is the status of the IT cadre and the ability to attract a sufficient number of IT personnel who are capable of maintaining the system. IT staff in some public administration bodies are not civil servants. As such, they are subject to different rules and salary scales, which negatively impact on the retention and hiring of qualified IT staff. Specifically, the existing legal framework for determining the sta- tus and salaries of employees in public administration bodies, as well as limited budgetary resources, do not provide motivational working conditions and remuneration of employees with specialized skills and proven results records in the digital transformation field. 109. IT staff are seen as a support function, not a core function of administration. The ICT units in most of other public administration68 institutions are relatively small. They are primarily res- ponsible for infrastructure management, network management, client support, desktop ma- nagement and occasional application support. Most of the application support is outsourced to private companies. Staff have limited incentives to build skills through training, as salaries will not increase commensurately. Box 11 provides an example of how other countries have professionalized their digital workforce. Box 11: Professionalising the Digital Workforce of the Australian Government69 Australia established a specific Public Service Modernisation Fund to finance innovative appro- aches within the public service. Part of this Fund was used to improve the digital workforce of the Australian Public Service (APS), including: • The Leading Digital Transformation Program, aimed at senior executives, sought to im- prove their digital understanding and capabilities. • The expansion of the APS entry-level programs to include specialist digital capability, such as cyber security. • The development of 18 learning standards for specialist digital capabilities, providing a basis for establishing a shared understanding of digital roles, as well as support for com- mon approaches to specialist digital training. • The design and prototyping of digital career pathways, linking roles, skills and classifica- tion levels across a digital career in the APS. • Research and a pilot of skills and an aptitude assessment regarding digital roles. Career pathways for digital practitioners Career pathways are intended to provide a clear definition of digital job descriptions and their associated skills, knowledge and experience. In addition, they clearly link various roles within 68 Except for the RS Ministry of Interior and RS Tax Administration. 69 Richard Bartlett, ”Enhancing civil service capability: emergence of the professions model.” Asia Pacific Journal of Public Administration, 42:4, 262-273, (2020). DOI: 10.1080/23276665.2020.1787184 E-government Assessment in Republika Srpska 55 and across digital disciplines. This will create a common framework to better understand digital capabilities (through gap analysis and measurement) across the APS. It will also help to facilitate capability development and mobility. For the individual IT specialist, they will be able to see how their current skills could be applied to digital roles, including the digital career paths they could pursue, and the new skills they would need to develop. Given some of the main reasons why people opt to choose a career in the private sector, or choose to leave the public sector, this is expected to enhance the attraction and retention of digital professionals. 110. The RS also lacks qualified professionals and experts in the field of cybersecurity. This is partially attributable to inadequate representation of this topic in higher education insti- tutions in the RS and BiH more broadly. Some cybersecurity training programs are offered to professionals working in different sectors, but these programs appear to be conducted on an ad hoc basis. Also, they are not recognized as a professional qualification by govern- ments. Within public institutions, the training of IT staff and other employees dealing with the topic of cybersecurity is not the result of a broader curriculum. Rather, it is usually ini- tiated by individual managers or through capacity-building projects in the public sector. 111. The MNRVOID has no clear overview of all human resources involved in the IT affairs and digitization processes in the public administration bodies; likewise, it lacks suffi- cient knowledge about the competences and specific knowledge they possess. Therefo- re, a thorough analysis will have to conducted to identify exact baseline information about missing human resources and competences. However, it is also necessary to identify staff in the public administration bodies that do possess specific competences and knowledge (including cybersecurity, agile project management, enterprise architecture design, and so on.). Such skills and knowledge can be reused by the MNRVOID and the RS Government General Secretariat in the digital transformation projects, especially while establishing hori- zontal building blocks. The results can be used to develop a HR strategy, including a proper plan for recruitment, the development of the specific HR measures and compensation poli- cies for attraction and retention of high-skilled IT staff, professional training, and so on. HRM challenges in the general workforce 112. An additional challenge concerns the digital literacy and skills of the general civil and public servants. Whereas the previous section focused on HRM issues related to IT personnel, it is im- portant to note that the digital skills of non-IT personnel are becoming increasingly important as well. Interviews with the MDAs revealed the need for training plans, as well as the implementation of training to strengthen ICT capacity to further digitization efforts. In addition to training for the digital transformation and impacts, specific needs included training on advanced Microsoft appli- cations, business analytics, and system administration. This section will further elaborate on how the digital skills of the general workforce of the RS government can also be improved. 113. Although not engaged in systems development, computational science, or system main- tenance, virtually every civil servant uses IT hardware and software for their day-to-day work and/or as end-users. Thus, they are pertinent to cybersecurity. It is thus essential for the RS Government to have a strategy of increasing and retaining its digital skills pool among the general workforce. This can be done through measuring skills needs, skills supply, as well as investing in training, and either ‘buying’ or ‘borrowing’ digital skills. 56 E-government Assessment in Republika Srpska 114. Increasingly, civil servants implement what are called ‘digital-enabled work tasks’, or ‘di- gital-dependent work tasks’.70 Digital-enabled tasks are improved by digital tools, but could, in theory, still be performed without them. Examples of this include accounting, finance, or procurement. Given the universality of emails and online work platforms, most of the core civil service jobs would fall within this category. Digital-dependent work tasks are simply unable to be performed without digital tools, for example, social media or call center workers. However, with the rise of work-from home, more and more civil servant jobs could be categorized under this nomenclature. Thus, increasing the digital savviness of the average civil servant is critical for any government trying to implement a digital transformation, such as the RS. 115. In the 21st century, every civil servant needs to be in command of digital skills to perform their duties. The European Commission (EC) has created a Digital Competence Framework, which describes different digital competencies for the modern labor market. This framework, presented below in figure 7, can also be applied to non-ICT personnel in the civil service. The European Digital Competence Framework showcases the range of digital competencies that citizens and the average employee will need to master in order to function in an advanced di- gital society. Figure 7: European Digital Competence Framework (DigComp 2.2)71 Information and • Browsing, searching and filtering data, information and digital content • Evaluating data, information and digital content data literacy • Managing data, information and digital content • Interacting through digital technologies • Sharing information and content through digital technologies Communication and • Engaging in citizenship through digital technologies • Collaborating through digital technologies collaboration • Netiquette • Managing digital identity • Developing digital content Digital content • Integrating and re-elaborating digital content creation • Copyright and licenses • Programing • Protecting devices • Protecting personal data and privacy Safety • Protecting health and well-being • Protecting the environment • Solving technical problems • Identifiyng needs and technological responses Problem solving • Creatively using digital technologies • Identifying digital competence gaps Source: European Commission, “Digital Competence Framework for Citizens” (EC, 2022). 70 World Bank.“Tech Savvy: Advancing GovTech Reforms in Public Administration.” (Washington, DC. World Bank, 2022). 71 R. Vuorikari, S. Kluzer, and Y. Punie. “DigComp 2.2: The Digital Competence Framework for Citizens - With new examples of knowledge, skills and atti- tudes.” EUR 31006 EN, (Publications Office of the European Union, Luxembourg, 2022), ISBN 978-92-76-48883-5, doi:10.2760/490274, JRC128415. E-government Assessment in Republika Srpska 57 116. For the RS government to properly equip its workforce with the relevant digital skills, the first steps start at workforce planning. Workforce planning can help to identify where there are skills and competency gaps. It can also determine the difference between the skills-de- mand through organizational goals, and the skills-supply through an analysis of the current skills among the workforce. The identified gaps can then be attempted to be filled by building, buying, or borrowing skills. 117. Building skills refers to the training of the existing workforce, to gain new, additional and/ or improved digital skills. Some of the main advantages of training the existing staff in digital skills is that it can lead to sustained gains in employee productivity and performance. Further- more, increased training opportunities can positively affect employee motivation and engage- ment. On the downside, training can take a long time to reap rewards, and the current training system (strategy, capacity, budget) is most likely not up to the challenge of improving all digital skills that need improvement. Finally, the effectiveness of the training is largely dependent on the right design and implementation of training methods and modalities. Interviews condu- cted for this project confirm that training for the general workforce in specialized software (such as specific legal or accounting programs) could be of great value to different organiza- tions. This training would also include an increase in advanced knowledge of Microsoft Offi- ce software, or improving the knowledge of remote working environment software. 118. Buying skills implies the recruitment of new skills from outside the organization. The most immediate advantage of buying rather than building digital skills is that it can take significantly less time, assuming that the organization can find the right candidate. As with building digital skills, there is a good likelihood that buying digital skills will have a long-term effect on the digital skills base of the organization, as long as the organization is able to retain the staff member. The difficulty in recruiting digital skills is the competitiveness of the labor market and the fiscal costs that come along with increasing staffing numbers. Finally, it is important to note here that buying skills does not only refer to hiring IT specialists. Indeed, it also refers to increasing the digital skills requirements for any new recruit. This means changing job profiles, job descriptions and recruitment practices (for example, by including a digital skills test to the recruitment exam) for any new recruitments in the future. 119. Borrowing skills “can include directly engaging temporary staff or contracting a firm to provide the digital skills that are needed for a specified time.”72 In addition, it can im- ply transferring existing staff with particular skills to other organizations in order to com- plete a particular project for a specific period of time. The key advantages of this approa- ch are speed and the lack of a long-term, adverse financial impact. However, the key disadvantage is that there is not a sustained increase in the digital skills base of the orga- nization. By definition, the added skill is set to leave after a specific amount of time. 120. This overview showcases the different strategies the RS Government can apply to increase the digital skills of its general workforce. Which strategy, or (more likely) which particular mix of strategies, is right for the Government, depends on a number of factors. The outcomes of the skills needs and skills supply, that is, the skills gap assessment, will be the first input into which strategy would be most appropriate. The fiscal space available and the immediacy of the needs are other important factors. 121. In addition to HRM, skills and capacity challenges, there is a limited understanding among RS civil servants of the potential value of digitization of the public services. Some em- 72 World Bank. “Tech Savvy: Advancing GovTech Reforms in Public Administration.” (Washington, DC. World Bank, 2022) p. 66. 58 E-government Assessment in Republika Srpska ployees view the digitization process as a threat that will result in the elimination of their working posts. This is a common challenge. In many countries, there are significant efforts to conduct change management to shift the culture toward innovation and modernization, the- reby increasing the buy-in of the civil service and front-line service providers. The MNRVOID has already initiated activities aimed at achieving a better understanding of digital transforma- tion processes and benefits by organizing an ICT retraining program in cooperation with the Innovation Center of Banja Luka. 3.5.2 Financial Resources 122. Digitizing the public administration requires significant financial investments to cover upfront and recurrent costs. The digitization of services is a long-term reform, requiring si- gnificant investments in hardware, software, and skills. Capital and operating expenditures may include recurrent costs, such as annual subscriptions (for example, for cloud solutions). In- terviews revealed that financial resources are the biggest challenge for the MDAs. One exam- ple is the needed resources for IT hardware upgrades, software licenses and updates. 123. Two critical issues impact the financial management of the e-Government: first, limi- ted funding, and second, knowledge of IT budgets by individual bodies. The budget of the RS has very limited funds for capital investments in IT. This includes hardware, sof- tware and security management. In this context, the ICT staff in most of the public admi- nistration bodies — except for the MNRVOID, the RS Government General Secretariat, the Ministry of Interior and Tax Administration — are not familiar with their ICT budget and processes. Thus, they are unable to make requests and/or manage it. Currently, the- re is no standard or tool to track ICT costs; however, an information system for ICT proje- cts and regulation management is in development. At present, it is hard to derive the real costs of providing ICT services at the department, agency, ministry or government level. 124. The impact of budget limitations can be seen in the effectiveness of the information se- curity management system. Limited financing is hindering the implementation of cyberse- curity solutions. Although investments in cybersecurity pay off in the long run, initial inves- tments are usually seen as a financial burden in the short term. Thus, the financing of the IT and information security solutions is even less represented at the entity budget level. 125. To better manage resources, the RS Government determined the obligation to obtain the opinion of the MNRVOID for the implementation of ICT projects across government en- tities73. Namely, all the institutions in the Republika Srpska are obligated to submit laws and other general acts, development strategies and projects to the MNRVOID for obtaining the official opinion. Once the MNRVOID issues a positive opinion the law, strategy or project are submitted to the relevant committee (Committee for Social Activities in case of ICT projects) for review, before it is submitted to the Republika Srpska government. The Republika Srpska government is responsible for final approval of all ICT projects implemented within the Re- publika Srpska ministries and institutions. However, this is a regular procedure that applies to all ministries for adoption of policies/strategies and approval of projects from within their jurisdiction. The effectiveness of such legal provision could not be assessed since MNRVOID has not provided information on the number of provided opinions, especially for ICT projects. A systematic approach to the management and approval of ICT projects and investments 73 Article 17 of the Rules of Procedure of the Government of Republika Srpska, RS Official Gazette, No. 123/18. E-government Assessment in Republika Srpska 59 in all public administration bodies should be established by the Law on e-Government and specific bylaws to clearly define procedures and responsibilities of the bodies involved in the process of aligning ICT projects with strategic objectives, adopted standards and inte- roperability framework. The information system for ICT projects and regulation management, which is in the final stages of implementation, can become a valuable tool for monitoring the effectiveness of projects and procurements related to e-Government and its IT infrastructure. 126. By centralizing procurement responsibility within one public administration body, it is easier to achieve standardization of the IT infrastructure and ensure the integration and compatibility of information systems and information security solutions. Standards such as interface specifications, interconnection services, data integration services, data presentati- on and exchange, and secure communication protocols represent the technical foundation of interoperability. This approach is used in other countries, such as Albania, Moldova, and the UK. It can support the effective coordination of IT projects. Looking to the future, this coor- dination and standardization may lead to the fulfillment of certain principles of the European Interoperability Framework (such as openness, transparency, reusability, security and privacy). Standardization also has positive effects on optimizing costs of capital and operational expen- ditures related to digital service infrastructure, including improving their reliability, performan- ce and security. 127. The country-wide legislation provides a framework for transparent public procurement. Public procurement is regulated by a single, country-wide legal framework, which is compri- sed of the BiH Public Procurement Law (PPL) and accompanying bylaws74. The PPL regulates issues relating to public procurement based on principles of non-discrimination, transparency, equal treatment, and active competition. The legal framework includes a number of provisions as follows: (i) it outlines the minimum requirement for transparency and public disclosure; (ii) it prescribes certain information to be made available to interested bidders; (iii) it prohibits dis- crimination; (iv) it establishes a minimum criterion for the qualification of candidates/bidders and bid evaluation; and (v) it specifies requirements for the opening of public bids. The PPL Amendments from August 2022 have led to a better alignment of the PPL with EU Acquis. However, further reforms in public procurement are required to fully align the legal framework with the EU Directives.75 128. The PPL prescribes open procurement procedures as a default; however, it also envisages exceptions. The PPL provides for several types of procurement procedures. Open and Restri- cted Procedures are transparent in nature, and they are defined as basic and regular procedu- res. Negotiated Procedure with or without Publication of a Notice, Competitive Dialogue and Design Contest can be applied as an exception, which is in line with the clear requirements and criteria established by the legislation. The Competitive Request for Quotations and Direct Agreement are defined as procedures for so-called ‘small-value’ contracts. These can be used only for procurements of estimated values below the thresholds specified by the PPL76. The PPL also defines the types of contracts whose award is subject to a ‘special regime’77. Such contracts can be awarded using the procedures established by relevant bylaws. Finally, the 74 BiH Public Procurement Law, BiH Official Gazette, No. 39/14 and 59/22. 75 This refers to the alignment with Directive 2014/24/EU of the European Parliament and of the Council of February 26, 2014, concerning public procu- rement, and repealing Directive 2004/18/EC; Directive 2014/25/EU of the European Parliament and of the Council of February 26, 2014, concerning procurement by entities operating in the water, energy, transport, and postal services sectors, as well as repealing Directive 2004/17/EC, and Directive 2014/23/EU concerning concessions. 76 PPL, Article 87. Competitive Request for Quotations can be used for procurements of supplies and services for estimated values below Bosnian Mark (BAM) 50,000 (approximately US$ 29,400), and the procurement of works for an estimated value below BAM 80,000 (approximately US$ 47,000). Direct Agreement can be used for contracts with an estimated value below BAM 6,000, up to BAM 10,000 per year (approximately US$ 3,500 to 5,000). 77 These include contracts for social and other special services, contracts in the areas of defense and security, and contracts awarded by diplomatic and consular missions of the BiH. 60 E-government Assessment in Republika Srpska PPL prescribes procurement that is exempted from its application.78 129. Among other things, the ‘special regime’ procurement procedure applies to defense and security contracts which involve the use of classified data79 . The PPL envisages a special procurement regime for: (i) security-sensitive equipment (including any part, composition and/ or assembly thereof); (ii) works, goods and services directly related to such equipment, for any and all of its elements; and (iii) security sensitive works and services. Operational details rela- ted to such procurements are further defined in the Rulebook on the Procedure for Awarding Contracts in the Areas of Defense and Security80. The Rulebook defines security-sensitive equipment, works and services as “equipment, works and services for security needs, which include, require and/or contain data the disclosure of which could harm the interests of secu- rity and which are classified as ‘confidential’ or ‘internal.’” 81 130. The Rulebook provides several mechanisms for the protection of classified data. 82 If a con- tract award or contract execution requires the disclosure of classified data, then the contra- cting authority is required to pose additional requirements to the bidders and suppliers in the procurement process to ensure the protection of such data. Hence, bidders and subcontractors are obliged to apply security measures and standards as required by the BIH Law on the Pro- tection of Classified Data. In particular, the contracting authority that discloses to bidders and their subcontractors the data classified as ‘confidential’, or ‘internal’ must request that bidders and subcontractors provide a facility security clearance. Prior to contract award, employees of the selected bidder and its subcontractors are required to provide a security clearance, which would enable access to data classified as ‘confidential’. Furthermore, they can access such data only if the data is subject to the contract or subcontract. It must also be necessary for the employees to perform their work. Only suppliers that pass the security clearance process and obtain a facility security clearance are allowed to access the bidding documents that contain security-sensitive data. 131. The Rulebook is outdated and requires revisions. The practical application of the Rulebook proved to be cumbersome, as experienced by several contracting authorities that apply it83. Therefore, in 2019, changes and amendments were initiated with the aim of better aligning it with the BiH Law on the Protection of Classified Data and other relevant BiH legislation, as well as with the relevant EU Directives84. However, this process was never completed. 132. The recent PPL amendments have introduced exemptions from its application for procure- ments that include security aspects, and for which adequate protections of classified data cannot be ensured by applying other measures. First, procurement that includes defense or security aspects is exempted if the application of PPL and regulations that govern procure- ment in the areas of defense and security would oblige BiH to disclose data, the disclosure of which is against the BiH’s essential security interests85. Such procurement is also exempted if the protection of the essential security interests cannot be secured through the application of other measures, such as by setting requirements to bidders for data confidentiality prote- 78 These include contracts awarded according to international agreements, concessions and public-private partnerships contracts, special exemptions in the field of electronic communications, contracts between public sector entities, contracts involving defense or security aspects, contracts that aim to protect essential security interests, and special exemptions for contracts which are declared as secret or those requiring special security measures. 79 Article 8 of the PPL. 80 Rulebook on the procedure for awarding contracts in the field of defense and security, BiH Official Gazette no. 60/2015. 81 Article 2 of the Rulebook on the procedure for awarding contracts in the field of defense and security, BIH Official Gazette no. 60/2015. 82 Article 6 of the Rulebook on the procedure for awarding contracts in the field of defense and security, BiH Official Gazette no. 60/2015. 83 Such as the BiH Ministry of Defense, the BiH Ministry of Security, BiH Intelligence and Security Agency, and the State Investigation and Protection Agency. 84 DIRECTIVE 2009/81/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 July 2009 on the coordination of procedures for the award of certain works contracts, supply contracts and service contracts by contracting authorities or entities in the fields of defense and security, and amending Directives 2004/17/EC and 2004/18/EC. 85 Article 10.d. of PPL. E-government Assessment in Republika Srpska 61 ction by a contracting authority86. Second, contracts that are declared to be secret/classified, or contracts requiring special security measures according to the BiH Law on Protection of Classified Data, are also exempted — provided that BiH has determined that the essential security interests cannot be protected by applying other such measures87. These exemptions were introduced through the PPL Amendments in August 2022 in an attempt to better align the PPL with the EU Directive. Similar solutions are envisaged by public procurement legisla- tion of some countries in the region88. 133. The legal practice has yet to show the effectiveness of these provisions. The PPL amen- dments have somewhat expanded the scope of eligible exemptions. However, the requests for clarifications filed by contracting authorities and bidders to the BiH Public Procurement Agency point to difficulties in their interpretation89. Given that these provisions were in force for less than a year, legal practice has yet to show effectiveness. 86 Article 10.e of PPL 87 Article 10.f of PPL 88 See, for example, the Law on Public Procurement of Croatia, Articles 41-44 and 46-47 and related Decree on Public Procurement in the Area of Defense and Security, and the Law on Public Procurement of Serbia, Articles 20-21. 89 See ‘Framework explanation of application of specific provisions of the Law on Changes and Amendment to the Law on Public Procurement’, BiH Public Procurement Agency, 2023, https://cms-ajn.azureedge.net/documents/e845d61a-7bef-4a5d-9d01-f1947a107ab5.pdf. For example, for the definition of ‘essential security interests’, the PPL refers to BiH Law on Defense and other relevant regulations. The BiH Public Procurement Agency clarifies that ‘es- sential security interests’ and responsibilities for the classification of data related to essential security interests are defined by the BiH Law on Protection of Classified Data. This further refers to that law, as well as the Law on Defense and other relevant regulations. 62 E-government Assessment in Republika Srpska 4. Recommendations 134. Based on this assessment, including the five aspects covered, this section provides an over- view of recommendations. The recommendations are informed by the assessment, as well as the key principles of working, as well as lessons from similar reforms (See Box 12). Where possible, recommendations include prioritization and time horizons in the form of short-, me- dium- and long-term activities. A reform matrix is provided at the conclusion of the section. Box 12: Principles of Working and Lessons from Similar Reforms • Develop a clear vision and problem statement to drive reforms and employ purpose-dri- ven technology. Communicate this widely to foster whole-of-government ownership. • Engage stakeholders including governmental and non-governmental entities, as well as the public, to better understand needs and preferences to build ownership for a who- le-of-government approach. • Define and assess the key technical and non-technical barriers to implementing the ena- blers of digital government. • Use EU regulations to guide the design and development of legal and regulatory instru- ments to contribute to future compliance. • Apply a digital by default service strategy with extensive citizen motivation and engage- ment. • Apply a programmatic or phased approach to reform. Be flexible and adaptive to the context of the RS. Adopting an incremental approach and being pragmatic can result in tangible impacts. • Consider practical lessons learned from similar countries, such as Albania, Croatia and Serbia, that have implemented similar reform efforts. Although there is no one-size-fits- all approach to digital government, other countries experiences and solutions can support the RS in leapfrogging its way toward digital government. • Build partnerships globally and locally to maximize impact and sustainability. This inc- ludes collaborating with other countries, the private sector, academia, non-governmental organizations (NGOs) and civil society organizations (CSOs) to foster innovation, build local capacity, and sustain reforms. • Promote ongoing capacity building and change management to build buy-in and im- prove the uptake of digital services. Consider both supply- and demand-side activities to sensitize both to new ways of working. Source: Adapted from World Bank, ”GovTech Launch Report and Short Term Action Plan”, Washington, DC: World Bank, 2020. E-government Assessment in Republika Srpska 63 1/ Develop a long-term whole-of-government digital transformation strategy 135. The key high priority recommendation is to develop a new seven-year strategy 90 to pro- vide a vision for digital government to guide the process of modernization and migration to digital service delivery. While the RS is working in tandem on a sectoral strategy, creating a new strategy or updating the existing strategy is necessary to accommodate new tech- nologies and a whole of government approach. A whole of government approach promotes systems thinking and focuses on development of integrated approaches for policymaking and service delivery. The coordination is necessary to reduce fragmentation and silos, but can be complex, needing organizational incentives, skills, and capacities to realize. It would further set the tone for the next phase of reforms, highlighting transparency and accountability. The strategy should consider the overall objectives of the RS government. It should also outline plans to overcome key challenges. This strategy would be accompanied by a time-bound and costed action plan with key performance indicators to manage, monitor and report on imple- mentation. This strategy would also serve as a roadmap for future reform agendas and reso- urce planning. 2/ Strengthen the Legal and Regulatory Framework for Digital Government 136. The RS has established some of the key legal and regulatory instruments to enable e-Government development. However, there remain certain legal gaps. Despite signi- ficant improvements, some provisions of the GAPA law still prevent digitization of specific steps or actions in the administrative procedures, thus preventing full implementation of e-services. Some sector-specific laws are still not aligned with information society legisla- tion and the GAPA. Building on the existing framework, the following recommendations aim to strengthen and liberalize the framework to enable integrated digital services. 137. Examine and define additional gaps in the Government’s specific legislation vis-a-vis di- gital governance, adhering to the distinct state-level legislative frameworks, that is, to the extent they exist. Also, it is important to adhere to EU requirements to enable longer term compatibility. This rapid assessment is not a comprehensive legal gap analysis. Therefore, ad- ditional work is needed to define the key gaps and recommend additional laws and regulations (including omnibus legislation) that can facilitate and expedite the transition to digital services. This includes tools that mandate the use of the GSB, as well as amending the digital signature law, the data protection law, the information/cyber security law, as well as e-payments and accessibility. Preliminary activities include: • Harmonize other laws and regulations with the GAPA to enable legally valid e-servi- ces. The GAPA includes the principle of subsidiarity application in all those matters that are not regulated separately by a special law. Certain special laws do not envisage electro- nic communications with parties, or the usage of electronic documents in the administrati- ve procedures regulated by these special laws. All clauses in the special laws that prevent digital case processing and electronic communications need to be identified and replaced or amended to enable implementation of transactional e-services. The use of electronic documents needs to be enshrined to ensure all e-services are legally recognized as valid. At the BiH level, additional efforts will be needed to ensure electronic documents instead of paper based documents are accepted for citizens and businesses to obtain services.91 90 In the new Law on Strategic Documents Development of the RS, the mandatory duration of the strategy is 7 years. 91 Measure BiH E-Administration Assessment 2018. Available from: https://www.measurebih.com/uimages/MEASURE-BiH20E-Governance20E-Admini- stration20Assessment20Final20Report2012Dec2018.pdf 64 E-government Assessment in Republika Srpska • Amend the RS Law on Electronic Documents to adopt a much broader definition of the electronic document, as stipulated by the eIDAS. The current RS law has much stricter definitions and requirements concerning the form and content of the electronic document, which still serve the ultimate purpose of achieving equal validity of the electronic document in the administrative or judicial proceedings as the paper one. The electronic document is defined as a complete set of data created using computers and/or other electronic devi- ces, that is sent, received, or stored on electronic, magnetic, optical and/or other media. It contains features that allow for the identification of the author of the document, thereby validating its authenticity and determining the time of its creation. This law prescribes that every electronic document shall comprise: (i) content, including the name of the intended recipient; (ii) one or more e-signatures, the time of creation, and other documentational features (for example, the time of dispatch/receipt of the document). According to eIDAS, an ‘electronic document’ means any content stored in electronic form, in particular, text or sound, or a visual or audiovisual recording. State-of-the-art regulation, such as eIDAS, tends to liberalize the rules about the use of electronic documents to the extent possible. It regulates them within the same Act as electronic identification. The broader definitions permit the use of a variety of e-documents without being limited by form or content. This can support new electronic forms as they are developed. • Provide the legal basis for e-payment use for government to person (G2P) and person to government (P2G) payments. Amendments of the Law should be introduced to ena- ble different means of electronic payment of administrative fees (via Mobile or Internet Banking, bank cards, and so on). It will also be important to amend all relevant laws and secondary legislation regulating administrative and court fees, taxes and fines, thus ena- bling different means of electronic payments of these obligations (via Mobile or Internet Banking, bank cards, and so on). Future amendments should also precisely prescribe the moment of occurrence of the tax obligation for electronically submitted payments. Furt- hermore, e-payment solutions will have to be designed and implemented in such a way as to exchange data with Government e-treasury or other backend information systems so that public administration entities have real-time information regarding the executed e-payment. • Draft and adopt a Law on e-Government92 and implement Acts that would regulate the following: o The rights, obligations and responsibilities of competent public sector bodies related to the establishment, development, project management and operational manage- ment of the RS digital services infrastructure and horizontal building blocks (govern- ment cloud, networks, GSB, e-services portal, Meta Register, semantic interoperabili- ty infrastructure, and so on). o Mandatory publishing of electronic registries concerning the interoperability platform and re-use of such data retrieved via the interoperability platform as a prerequisite for the building of advanced electronic services. o General rules about the filing and delivery of electronic documents in e-services via e-delivery and the e-mailbox. o Procedures and responsibilities of different bodies concerning the planning and 92 This Law is included into the Legislative Plan of the National Assembly of the RS for 2023. E-government Assessment in Republika Srpska 65 approval of budgets for IT capital and operational expenditures in a cost-effective and transparent execution of budgets. This would be achieved through the organization of centralized procurement of hardware and generic software solutions. o Procedures and responsibilities of relevant institutions concerning the adoption and updating of standards for the IT infrastructure, information systems, information se- curity and service management, as well as the control of adherence to these standar- ds by individual public administration bodies. o Procedures and responsibilities of relevant institutions concerning the establishment of a uniform process of support (service desk function) to internal users within public administration systems and the establishment of customer relationship management, that is, support to external users of e-services (citizens, businesses, and entities) and vendor management. • Draft and adopt the Law on Network and Information Systems Security at the BiH level and RS level that are harmonized with the NIS 2 Directive.93 • Adopt the Law on the Electronic Identification and Trust Services for Electronic Tran- sactions at the state level, maintain and publish single node with national eID scheme and trust list for Bosnia and Herzegovina in accordance with eIDAS provisions. 138. Draft and adopt a framework for e-signature at RS, FBiH and BiH levels that aligns with eI- DAS to simplify e-services, reduce administrative burden, and ease processing of e-service applications. Lawmakers at all levels in Bosnia and Herzegovina should work collaboratively on codifying and harmonizing the legislative framework so that their laws on e-identification and trust services could be identical or very similar to one another. This would lower the risk of proliferation of divergent systems for regulation, certification, operation and supervision of trust service providers in Bosnia and Herzegovina. See Annex 1 for more details. 139. The laws regulating electronic identification and trust services at all levels in Bosnia and Herzegovina should envisage mutual recognition of trust services provided by all trust service providers at the different levels for online services offered anywhere in BiH. This is done in the EU by the introduction of the cross-border mutual recognition of electronic identification means. A national eIDAS node should be established at the level of Bosnia and Herzegovina for exchanging electronic eID schemes with EU member states, thus ensuring cross-border interoperability and recognition of qualified certificates issued by BiH trust ser- vice providers (including the RS) in the EU member states. Efforts should be made to ensure that many trust service providers are certified so that trust services could be offered in a com- petitive environment, thus fostering quality and reducing costs. 3/ Strengthen the Institutional Framework for Whole-of-Government Coordination 140. Although the RS has assigned the mandate for a single entity to oversee and coordinate e-government with the MNRVOID, there remains room to strengthen its convening and coordinating power to champion the reform. Political commitment and leadership at the highest level of government are needed to drive a comprehensive public sector digital tran- sformation to coordinate and ensure a long-term commitment to the reforms. 93 This Law is included in the Legislative Plan of the National Assembly of the RS for 2023. 66 E-government Assessment in Republika Srpska 141. As the e-Government agenda is at its heart a reform agenda for public administration, increasing coordination with the MPALSG is recommended. The existing PAR strategy de- fined the strategic directions and guidelines for activities needed during the implementation of e-government. Implementing e-Government, as outlined in this assessment, may require changes in the legal and regulatory framework, human resource management, financial mana- gement, and procurement — all of which are core public administration functions. Partnering with the MPALSG may increase the political will and sustainability of the reform efforts. 142. To improve the whole-of-government coordination for digital transformation, the RS Go- vernment should consider establishing an overarching Council for e-Government Deve- lopment and Implementation. This Council would consist of the MNRVOID and represen- tatives of other line ministries providing citizen- and business-facing services. MNRVOID will need to coordinate with stakeholders in all service-oriented ministries, departments and agencies to implement a whole of government approach. This body (an entity-level admini- strative unit) could provide the necessary decisionmaking support, guidance and space for consultations to transform the government, establish user-centric e-services and promote a data-driven culture in the administration. The establishment of such a Council would fo- ster collaboration across all ministries and other public administration bodies to implement a shared services model and user-centric e-services, maximize the value of ICT investments, and ensure alignment with the government’s strategic priorities. However, the C o u n - cil should be assigned with decision-making role so it adds value to the digitization effort. 143. This new Council can help the MNRVOID to coordinate activities for shared services and com- municate the benefits across bodies. The MNRVOID could use this Council to better communi- cate its vision of the overall enterprise architecture, gather feedback about the priority areas, and improve the interaction between the MNRVOID and the line ministries or agencies. This entity would ideally facilitate organizational coordination to achieve whole-of-government interope- rability for integrated service delivery. By including private or semi-private organizations in the new central council entity, the RS could leverage the private sector experience, skills, and solu- tions to support public sector modernization (which is seen in other countries such as Germany, Jordan, and the UK). It can also facilitate the development of public-private partnerships. 144. At the MDA level, assign coordinators for the digital transformation of the public admini- stration bodies. To implement a whole-of-government approach, each institution has a con- tributing role to play. Each MDA should appoint its responsible person or coordinator for digital transformation. This person will work closely with the MNRVOID, as well as interact with the Council, to ensure a consistent and uniform approach to digital transformation. Although this has been implemented in past projects, these coordinators should have a full view and un- derstanding of all relevant ICT projects, including their MDA or government at large. This role should belong to the work post, that is, the senior civil servant within the public administration body. This senior civil servant should possess the appropriate authority, professional qualities and assigned responsibilities and powers to enable the effective implementation of e-govern- ment policies in a particular institution. 145. At the BiH level, additional institutional coordination bodies or working groups can be created on topics of interoperability, identification and trust services, e-signature, and cybersecurity. Lawmakers at all levels in BiH should work collaboratively on codifying and harmonizing the legislative frameworks with requirements of the EU Acquis. To support coor- dination and systematic implementation of activities, it is necessary to appoint and establish competent bodies in Bosnia and Herzegovina for the security of information and communica- E-government Assessment in Republika Srpska 67 tion systems, which include key sectors and services according to the NIS directive. To ensure the smooth and secure functioning of e-identification, BiH should build a functioning supervi- sory infrastructure in accordance with eIDAS, including supervisory body/bodies, conformity assessment bodies and a national accreditation body. 4/ Develop ICT Infrastructure for Integrated e-Service Delivery 4/1 Focus on e-Srpska Functionalities 146. The e-Srpska Portal has the potential to provide innovative, integrated transactio- nal-level services to the public, and it could serve as the single point of contact for ser- vice information. To realize this potential, a number of recommendations are presented to increase capabilities and functionalities. Based on global experience, adopting a modu- lar approach to infrastructure and the horizontal building blocks that focus on reusabili- ty is recommended for the RS. This approach would be based on an enterprise architectu- re, and it would be centered on standards for systems interoperability, information sharing, and information security and privacy controls across the public administration system. 147. A modular approach includes reusable aspects and technologies that can be used by the GoRS in e-service delivery. This approach is particularly useful when developing horizontal building blocks for the e-Srpska. Countries including Albania, Jordan, Moldova, and the UK employ shared services and reusable modules, such as e-sign, e-document, e-payment and e-notify (e-mailbox). 148. The complete establishment of a single Document Management System (DMS) as a sha- red service at the RS level. This system should be based on the principles of open spe- cifications, protocols and standards. It will enable the integration with the future softwa- re module for electronic delivery, which is as an integral part of the GSB for the RS level. This shared service would be implemented in several phases. Firstly, it would be reused by public administration institutions that do not have e-registry or DMS systems. At a la- ter stage, a plan should be put in place to migrate data and documents from the existing DMS systems of public administration institutions into the DMS shared service. 149. Enable electronic payments for service delivery. Establish a single e-payment plat- form that would be integrated with other key re-useable modules, such as e-docu- ment and e-signature. The e-payment platform should comply with the requirements set by the EU Payment Services Directive (PSD 2)94, which regulates payment services. 150. Establish an “e-mailbox” platform as the building block and integrate it with the e-Srpska por- tal, the IAP and the GSB. This e-Mailbox would act as a single, virtual place for the reception of notifications and messages to citizens and business entities originating from different administrative procedures, as handled by the electronic services. The e-mailbox should be designed using technical specifications developed on the basis of the Organization for the Advancement of Structured Infor- mation Standards (OASIS) and the European Telecommunications Standards Institute (ETSI) stan- dards. E-mailbox could be supplemented by short message systems or OTT applications gateways/ connectors for transmission of simple notifications to citizens and business entities (e.g., change in the status of case in the administrative proceedings, upcoming expiry of the ID card, etc.). The E-ma- ilbox should be compatible for use at the RS level and support automatic exchange of notifications for citizens who are registered at the e-mailboxes of other government levels. 94 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366. 68 E-government Assessment in Republika Srpska 151. Establish eForms platform for easy creation of accessible online forms for e-Srpska por- tal. This platform would facilitate quick design and building of accessible online forms, easy use by portal users and quick processing on the e-Government portal. The eForms platform would gradually replace inaccessible PDF or other document-based forms. Neighboring coun- tries can provide guidance and solutions for development of this platform, such as Moldova. 152. Create an RS level identification and authentication platform (IAP) to enable access to ele- ctronic services offered by the RS public administration bodies. The platform should be ma- naged by the MNRVOID, reusing the potential of its already established Certificate Authority as the primary identity provider. Such a platform would also enable the use of multiple types of identification means of different assurance levels issued by different identity and authenti- cation service providers registered in accordance with the Law on Electronic Signature of the RS and other respective laws regulating electronic identification and trust services in Bosnia and Herzegovina. The platform would act as an intermediary between e-service users, e-ser- vice providers and identity and authentication service providers integrated with the platform. In this way, prior to being granted access to specific electronic service, citizens will be able to choose (from the list of the identity and authentication service providers available on the IAP) their provider, whose assurance level corresponds to the assurance level required by the e-service that the citizen wants to access. Identification and authentication platform could be added a single sign-on functionality in the future to provide citizens and business with access to multiple e-services from e-Srpska portal with single logon. RS level IAP should be fully in- teroperable with similar platforms, once established at other levels in Bosnia and Herzegovina. 153. Create a user-centric authentication process that is mobile and cloud-compliant. Building on the PKI and the IAP, it is necessary to build a secure sign on system that can identify and authenticate the users. This is particularly important for users needing to access the e-Srpska portal, as well as for those who wish to obtain administrative services that include sensitive information, such as taxes, fines, fees, and test results or credentials. The authentication pro- cess should be designed so that the user can sign on to the platform easily, quickly, anywhere and without mandatory requirements for special hardware. A mobile app (the mobile app is the possession element) with a built-in PIN code (the knowledge element), is much more user friendly than those requiring special hardware components, such as a dongle. 154. The aforementioned building blocks should be designed in such a way that they can be replicated and reused at other government levels in Bosnia and Herzegovina. In order to benefit from the “economy of scale”, preferred option is to implement these building blocks at all government levels simultaneously. This would also support cross government interopera- bility and functionality, such as being able to bring data from a central registry to entity level service windows. 4/2 Adopt a User-Centric Approach to e-services Design and Delivery 155. Adopting a user-centric approach to service reform implies focusing the design and delivery of services around the needs and preferences of the user. Oftentimes, services are reformed from the perspective of the ministry, which can negatively impact uptake and satisfaction with e-services, thus reducing the value of the reform investment. However, redesigning services focusing on users’ experiences and needs — meeting their preferences, capabilities, and acce- ssibility requirements — can increase citizen or business satisfaction with service delivery. Ta- king a user-centric approach includes consultations with citizens, businesses, and other users of services to determine challenges, needs and preferences for services. This includes consulting a E-government Assessment in Republika Srpska 69 diverse body of users, such as women, the elderly, persons with disabilities, and others. In addi- tion, these consultations should include front-line service providers to identify potential areas of improvement, as they have implicit knowledge about business processes and procedures. Prioritization of e-services for Re-engineering and Digitization 156. Digitizing services is only one aspect of the service reform process. Therefore, additional efforts are needed to simplify processes and procedures to enable user-centric services that are efficient and of high quality. Employing ICT can achieve efficiencies and time savings, but these are multiplied when paired with service reforms in the back offices. These reforms may include a reduction of document requirements, a reduction of approvals, automating data va- lidation tasks, and others. 157. The first step is to develop a comprehensive service inventory that includes all citizen-fa- cing services from all MDAs. There is already a comprehensive inventory for business-facing services at the business single point of the contact website (https://pscsrpska.vladars.net/sr). An inventory for citizen-facing services could be used to: (i) prioritize services to be digitized; (ii) identify redundant services; (iii) map life journeys; and (iv) provide level 1 informational services on the e-Srpska portal. 158. Develop more granular criteria for the prioritization of digitization of e-services. Digitiza- tion of services entails a long-term reform process, and it is often done in clusters or batches. The GoRS needs to prioritize services that will be completed first. The selection criteria can include the complexity of the service, the readiness for digitization, the demand or number of transactions, and the existence of IT staff in the relevant MDA to support the process.95 159. Greater efficiency gains occur through redesigning processes and procedures augmented by technology, often referred to as business process re-engineering or simplification. Re- forming services can reduce the time to deliver services. For example, this can be achieved by: (i) removing document requirements; (ii) reusing of data via the interoperability platform; (iii) streamlining of approvals; (iv) the linking of parallel processes; (v) applying technology; and (vi) automating information processing. Interoperability platforms, catalogues, and frameworks can enable real-time data exchange, verification, and validation that can significantly cut the amount of time to deliver services. This is already in progress, but it can be expanded to inclu- de all citizen- and business-facing services. 160. Using a single Business Processing Modeling (BPM) platform would facilitate the mapping and documenting of business processes. All subsequent changes in business processes co- uld later be incorporated in a simpler way into the application solutions of electronic public ad- ministration services — without the need to change the program code. The application of BPM software tools would enable business analysts and the management structure of the public administration bodies to define changes in business processes and rules, as well as simulate and test their effectiveness in real time. A single BPM platform would be in line with the EIF Recommendation 28.96 Both the ArchiMate language and a BPM can be used for modeling business processes. 95 World Bank Group. “Service Upgrade: The GovTech Approach to Citizen Centered Services,” (Washington, DC: World Bank, 2022). Available from: https://thedocs.worldbank.org/en/doc/c7837e4efad1f6d6a1d97d20f2e1fb15-0350062022/service-upgrade-the-govtech-approach-to-citizen-cente- red-services. 96 Recommendation 28 of the European Interoperability Framework: Document your business processes using commonly accepted modelling techniques and agree on how these processes should be aligned to deliver a European public service. https://ec.europa.eu/isa2/sites/default/files/eif_brochure_final.pdf. 70 E-government Assessment in Republika Srpska 161. Develop an institutional change management strategy and action plan. Utilizing new tech- nology in the day-to-day work of the MNRVOID and the government at large requires training and adapting to new ways of doing things. Communicating changes and sensitizing staff to the reforms and new technology can reduce the resistance to the reform. Migrating to e-ser- vices can be challenging politically, culturally, and administratively. Focusing on change mana- gement can reduce the stress on front-line service providers, inform them of the benefits of digitization, and foster a sense of ownership over the reform effort. 162. Develop key performance indicators (KPIs) to monitor the impact of the reforms and use of e-services. The monitoring of the KPIs is included as one of the functionalities of the afo- re-mentioned information system for ICT projects. Specific KPIs could include the time to de- liver, the percentage of services completed, the abandon rate, and citizen satisfaction, among others.97 An example of the measurable outcome could be “reduced cost of specific business process or working procedure by 50 percent” or “time needed for business entity registration is up to 7 days”. 163. Engage citizens, businesses, and other stakeholders throughout the reform process. Citi- zen engagement and outreach is of utmost importance to raise the awareness of the reform and service availability. Citizens need to be informed of available services. Oftentimes, they also require information about how to use them. Migrating to digital services has a cultural aspect for the beneficiary, and change management is important on both the supply and de- mand sides. As part of the process of monitoring delivery, citizen engagement or civictech tools should be deployed to gather real-time data on user feedback. This feedback can identify good practices, as well as the remaining challenges. As such, it should be used to adapt the service reform model. 4/3 Achieve Whole-of-Government Interoperability 164. As noted, there are different aspects of interoperability that call for varying acti- ons to achieve whole-of-government integration. At present, the key recommen- dations focus on developing strategies, action plans, assessments and standards to further this initiative and enable transactional level e-services in the medium term. 165. Design a data governance strategy to enable interoperability, promote evidence-based po- licymaking, and support decision making. This strategy would need to cover the interope- rability aspects of data governance, use, reuse and sharing, data semantics, digital base regi- stries availability, data protection, data analytics, data security and extension of the open data sources. This strategy would need to be forward looking. It should also outline the process for connecting the new MDAs and other institutions. 166. While there is an overarching interoperability framework for BiH, it is unclear whether the state level framework complies with the EIF. 98 Republika Srpska should coordinate the establishment of technical and semantic aspects of its interoperability framework with other government levels in BiH. This approach would create prerequisites for the exchange of data from databases and electronic registers and the creation of electronic services that include administrative procedures from multiple levels of government. 97 Ibid. Project №BG05SFOP001-¬2.001-0009: “Implementation of the Principle of the Shared Services in the Organization and Functioning of the Central Administration,” funded by Operational Program Good Governance, co-funded by the European Union through the European Social Fund, ICT Report, March 2018. 98 https://www.vijeceministara.gov.ba/elektronska_vlada/Akti/OdlukaSl53_18.pdf E-government Assessment in Republika Srpska 71 167. Additional assessments are needed to determine the specific needs and functionalities for ICT and the interoperability infrastructure. These include a data center functionality and resilience assessment; a cloud readiness assessment; an assessment of current digital regi- sters; and a PKI functionality assessment. These would provide additional data to support investments in ICT, the selection of GSB platforms, and other considerations related to an operational interoperability system. 168. Fully implement the requirements stemming from the RS Law on Critical Infrastructure. This includes: (i) defining the critical infrastructure in the sectors of information and communi- cations and public services; (ii) performing risk assessments; (iii) developing security plans for the protection of such infrastructure; and (iv) appointing responsible persons for the mana- gement of critical infrastructure facilities. This process should also help to identify which data related to critical infrastructure in these sectors should potentially be treated as classified. 169. Develop telecommunication and network standards, including Wide-Area Network (WAN) technology, and protocols for the connection of public administration institutions throu- ghout the RS. This entails the specification of different aspects of telecommunication and network standards, as well as the protocols, such as the use of wide-area network technology and architecture, virtual private networks, routing, minimum network security controls, and so on. In the process of drafting the aforementioned standards, it is advisable to conduct a study of the technical feasibility and financial cost-effectiveness of using new WAN architectures, such as Software Defined WAN99 in relation to the traditional WAN technologies. This could be done in a sample of several institutions that have a larger number of WAN locations. 170. Build interoperability capacity within the MNRVOID and across the GoRS. Considering the levels and dimensions of the requirements of interoperability, namely the political, legal, orga- nizational and semantic dimensions, the MNRVOID should strengthen its technical and orga- nizational capacities in each of these areas. It should also make those capacities available to other bodies involved in the digitization process. 171. Create strong incentives for the public institutions to use GSB for G2C and G2B digital services or legally mandate the use of GSB. A key challenge in some countries is that it is not required to exchange data via a GSB. Exchanging data bilaterally through other means can result in data redundancies and inaccuracies. This further fragments and hinders the integra- tion of systems. These incentives could encompass legal, economic, and other mechanisms. In tandem with incentives, the MNRVOID should develop Service-Level Agreements with the various MDAs to ensure the availability of critical e-service components. Finally, it will be im- portant to plan internal and external communication and outreach campaigns concerning the benefits of the GSB and attendant impacts on governments, businesses, and citizens. 4/4 Data Storage, Backup and Recovery 172. Ensuring secure and redundant data storage, backup and recovery is critical to the resi- lience and business continuity of government in the case of crises, such as the COVID-19 pandemic. Therefore, it is necessary to make a strategic decision about whether to centralize management for data hosting (consisting of the primary data center in the RS Government General Secretariat and separate disaster recovery location) or to invest in multi-nodal cloud 99 A Software-defined (SD)-WAN simplifies the management and operation of wide-area networks by separating network hardware from its software management layer. A key benefit of the SD-WAN is enabling organizations to build wide-area networks with higher performance using cheaper and commercially available Internet access, thereby allowing them to partially or completely replace more expensive WAN technologies, such as the Multi- protocol Label Switching (MPLS). 72 E-government Assessment in Republika Srpska infrastructure. This cloud infrastructure could be private (government owned and operated, and likely hosted in at least two data centers with support for business continuity and load balancing), public (such as Amazon Web Services, Microsoft Azure, Google Cloud Platform or other solution) or a hybrid model. A hybrid model usually entails processing and storage of sensitive data on private cloud and running publicly oriented infrastructure components such as web servers and storing public data in the public cloud. It would be important that the cloud infrastructure take a network approach of several interconnected data centers that can serve the whole of government. A multi-nodal cloud could also serve as a form of data redun- dancy to support business continuity. 173. Migrating to cloud solutions spanning over two or three data centers would enable better management and optimization of resources, as well as future innovation. The government Cloud — combining virtualization, cloud orchestration and containerization of applications — would enable the alignment of the infrastructure with the needs of the applications and services of several different institutions (multi-tenant platforms). It would also provide infra- structural prerequisites for migrating from older system to cloud native and microservices architecture-based information systems. Such infrastructure would be capable of supporting different cloud computing service models (such as Software as a Service, Infrastructure as a Service and Platform as a Service approaches), more demanding applications, such as Data Warehouse / Business Intelligence / Big Data and High-Performance Computing Services for Artificial Intelligence projects. Building a private cloud for the government would also improve and rationalize IT security investments regarding infrastructure, information systems, and ele- ctronically stored data in general. 174. Whether the cloud is a viable solution, it should be noted that the migration process of data, information systems, and virtual machines is a demanding task. Migration can be costly finan- cially, but also in terms of time. Planning is necessary to avoid downtime and other negative im- pacts on the functioning of the public administration. To support decision-making and planning, the RS could conduct a cloud readiness assessment to examine the necessary resources, securi- ty aspects, strategy, and governance in place to launch cloud solutions in the RS. 5/Strengthen Key Capacities to Implement, Monitor and Report on Modernization 175. The strengthening of key capacities can be achieved by empowering existing units; for- ming new organizational units, project teams and working bodies of the MNRVOID; and building digital skills across the public administration. 176. To support implementation, the MNRVOID’s Sector for Information Society should become the central Project Management Office (PMO) for e-government projects. Building on the mandate of the MNRVOID, this PMO could be capacitated to ensure that projects are delivered on time, on budget, at the required level of quality, and at the acceptable level of user satis- faction. It would also be in line with the strategic objectives and interoperability framework. This body could also deliver ICT project support to the public administration bodies and their coordinator by providing guidance and mentoring as part of the project management proces- ses and methodologies. 177. Centralizing IT procurements through the MNRVOID would benefit the interoperability and compatibility of new purchases, while also taking advantage of economies of scale. In the domestic context, it should be noted that the GoRS has implemented a unified procu- rement of Microsoft licenses for the use in the RS ministries. This practice could be extended E-government Assessment in Republika Srpska 73 to other public administration bodies and digital technology vendors, as it would allow for additional savings in the procurement of software licenses, ICT equipment and services. This recommendation is in accordance with the e-Government Strategy. 178. Revise the country-level Rulebook concerning the Procedure for Awarding Contracts in the Areas of Defense and Security so that it is better aligned with the BiH Law on Protection of Classified Data and other relevant regulations in this area, including the EU Directive100 and recent PPL amendments. The Rulebook should also align with the EU Interoperability and IT Security Framework and relevant regulations in the area of IT security at the various BiH go- vernmental levels. Such a regulation is still not in place in the FBiH entity or at the level of the BiH Institutions, which would be beneficial. Given the complexity of these regulatory changes and their multi-sectoral and country-wide impact, this process will need to be carefully mana- ged and highly consultative in nature. 179. Leveraging private sector expertise can further foster the development of e-services and other platforms. Private companies develop, place on the market, and implement various sof- tware and hardware solutions for the core government operations. This includes infrastructure and software for the protection of IT systems and data. In addition, private companies develop and offer integrated or consulting cybersecurity services. For example, the RS can leverage this expertise through the creation of a private sector working group that could advise on available technologies and solutions. The MNRVOID may consider outsourcing the digitiza- tion of a small number of services to the private sector as a demonstration or pilot program. It could also consider the secondment of staff from the private sector in a twinning approach to build capacity. The RS is developing cybersecurity expertise in the private sector through global partnerships and services, such as Managed Security Service Provider (MSSP). The MNRVOID should also intensify its established cooperation with the academic community to gain capacity and experience in different aspects of research concerning user centricity, user experience, accessibility, and cybersecurity. 180. As human resources were noted as a key challenge, conducting a needs assessment could identify baseline information about human resources and competences of staff across the public administration. The assessment can identify staff in public administration bodies that possess specific competences and knowledge about key ICT topics (such as cybersecurity, agile project management, enterprise architecture design, and so on) to support digital tran- sformation projects. The competencies could be redeployed across the administration. 181. Strengthening capacity is not only achieved through hiring. Other options include: (i) conti- nuous training or retraining of existing human resources; (ii) the redeployment of existing staff; (iii) the integration of certain ICT services within the public administration system; (iv) and/ or the external provision (outsourcing) of ICT services. This “build, borrow or buy” approach provides different solutions for different needs. When choosing one of these options, it will be necessary to take into consideration the short and long-term needs of the individual public administration body, as well as the needs of the public administration system as a whole, inc- luding the costs and benefits of each option.101 182. The motivation of the existing IT staff in the public administration bodies could be revived by the introduction of more flexible mechanisms in the legislation regulating the labor sta- tus and salaries of employees in the public administration bodies. Revising the wage packa- 100 Directive 2009/81/EC. 101 RS Government, Electronic Government Development Strategy of Republika Srpska for the period 2019 - 2022, p.57. 74 E-government Assessment in Republika Srpska ge to ensure competitive pay for IT staff is a good first step. However, it would have broader HRM impacts. Other mechanisms could include the allocation and re-allocation of working time, teleworking, overtime pay, or the opening up possibilities for additional engagements of IT staff that do not constitute a conflict of interest, and so on. 183. Building digital skills across the public administration is necessary to ensure that in- vestments meet their potential and are used in day-to-day operations. New systems, processes and procedures, such as those emerging from service re-engineering, requ- ire training of front-line service providers and back-office employees, among others. Once the needs assessment is completed, the MNRVOID can build a curriculum of com- pulsory and continuous training for public administration officials on the topics of ICT and digital government. In the mid- to long-term, the measures could include core di- gital competencies in job descriptions, as well as conditions for employment. 184. Education plans should evolve and be continuously updated to meet specific needs for di- fferent groups of civil servants and employees. They should also be flexible and adapted to new technology and digital governance trends and models. The training could include topics such as principles and benefits of digital transformation of public services; methods of citi- zen centricity; data governance and protection; and cybersecurity, among others. The courses should be practical and relevant to public administration tasks and systems. They should inc- lude tests to verify progress and confirm the understanding of key concepts. Implementing a learning management and collaboration platform for all public administration bodies in the RS could significantly reduce costs and provide flexibility in the education process (employees can access educational content when and where it is most convenient for them). 185. Create mandatory cybersecurity awareness courses for civil servants in Republika Srpska. These programs must become part of regular and continuous education of managers and civil servants in the public service. IT companies, university professors or civil society organizations specialized in providing cybersecurity trainings and raising awareness campaigns should be consulted in the process of preparation and organization of mandatory cybersecurity courses for public servants. 186. The MNRVOID should establish a framework for support, such as a service desk function, to manage inquiries and provide the necessary support to internal and external users. The functions should be available to internal users within the public administration systems, as well as to external users of e-services (citizens, and business entities). Modern ICT solutions, such as customer relationship management and service desks, can contribute to the provision of quality and proactive education and support to all users. These systems should be integrated with a single contact center that incorporates different channels (such as e-mail, telephone, social networks, and web forms) to match the preferences and capabilities of different users. Financial Resources 187. Undertaking a digital government reform requires sustainable financial resources. Budget allocations were noted as a barrier to transformation by the interviewed MDAs. In this regard, there are avenues for the RS to obtain supplemental funding for hardware, software and te- chnical assistance. These include public-private partnerships, donor funding and specialized EU funds (such as the IPA, and Horizon 2020102). These can be utilized to support the digital 102 https://research-and-innovation.ec.europa.eu/funding/funding-opportunities/funding-programmes-and-open-calls/horizon-2020_en E-government Assessment in Republika Srpska 75 transformation. Once additional transactional services are available, a cost-sharing or cost-re- covery model could be evaluated. 188. Projects funded by different international donors could also be leveraged to provide solu- tions, services, and the transfer of knowledge. The MNRVOID should be actively involved from the very beginning in the preparation of such donor projects. This will help to precisely identify the organizational and technical capacity-building needs, appropriately communica- ting them to international donors. This can be achieved by exercising an effective donor co- ordination role through regular meetings chaired by the MNRVOID, including the presence of all relevant international donors that support digital transformation projects. Providing the minutes of these meetings to all interested donors and development partners may increase interest in this area. Regular monitoring of progress regarding the digital transformation process 189. In order to measure the progress of public sector modernization, an overarching moni- toring and evaluation framework with key performance indicators (KPIs) is needed. Building on the first recommendation, having key performance indicators that can tric- kle down through the different MDAs can support monitoring and evaluation of progre- ss, including impacts, on the whole-of-government transformation. To manage monito- ring and reporting, specialized software solutions should be introduced to support the effective management and monitoring of the implementation of ICT projects. 190. Project managers from the MNRVOID, digital coordinators from public administration in- stitutions and their supervisors should have defined KPIs to measure, monitor and issue reports. These KPIs will enable the measurement of the effects of the digitization process in the institutions, as well as among the users of their services. Consequently, each employee in the public administration body should have defined targets that would be linked with her/his role in the digital transformation process. 191. Employing standards across processes of planning, development, delivery and maintenance of e-services can support monitoring and evaluation. They can contribute to the accelerated development of the e-services, and standards can support the accountability and transparency of e-service delivery. Having service standards — such as a consistent look and feel, time to deliver, cost and redress mechanisms (such as those used in the UK and other countries) — aligns with a user-centric approach. It can also raise the overall efficiency of the public administration. 192. There are existing solutions, lessons, and systems for the RS to utilize and draw from to leapfrog forward into advanced digital government. Establishing partnerships and bilateral cooperation with neighboring countries,103 as well as with countries that have long-lasting socioeconomic cooperation with Bosnia and Herzegovina and the RS, is another opportunity to gather best practices about methodologies used to design, implement and monitor success in digital transformation of the public sector and services. 103 According to RS Electronic Government Development Strategy for the period 2019 – 2022, the first steps have already been made by signing the Me- morandum of Cooperation with the Government of the Republic of Serbia in the field of e-Government development. 76 E-government Assessment in Republika Srpska Annexes ANNEX 1: ALIGNMENT OF THE LAW ON ELECTRONIC SIGNATURE TO THE EU EIDAS Bosnia and Herzegovina strives to harmonize its legislation in the area of e-identification with eIDAS. The only Bosnia and Herzegovina instrument that fully corresponds to eIDAS is the Draft Law on the Electronic Identification and Trust Services for Electronic Transactions at the state level, which has been in Parliamentary procedure since March 2019. The State, the two entities and BD claim to have autonomy to regulate this area in accordance with their constitutional competences. While authorities at the state level claim to have this power in accordan- ce with Article III of the Constitution of Bosnia and Herzegovina, according to which central Government is competent for affairs related to establishment and operation of domestic and international communication facilities, entity-level authorities base their competence on Article III 3) of the Constitution of Bosnia and Herzegovina, according to which entity-level Governments have competence in all those fields that are not expressly assigned to the state level, as well as relevant Articles of RS/FBiH Constitutions. The basis of Brčko District of Bosnia and Herzegovina competence to regulate this area is Article 22 of the Brčko District Statute. As a result, the regulatory framework has been developing at an uneven pace, with some levels of authority still not having their laws on electronic identification in place. Moreover, the rules at the different levels are not harmonized in a way that would ensure their interoperability. The lack of harmonization and interoperability of the rules on electronic identification and trust services was noted in the EC 2022 Progress Report for Bosnia and Herzegovina. As stated in the report: “No progress was made in the adoption of the law on electronic identity and trust services for electronic transactions with a single supervisory body for the whole country in line with the EU acquis. Also, no progress has been made in ensuring the interoperability of the electronic signature system throughout the country.”104 The state-level (BiH) Office for Supervision and Accreditation of Certification Authorities105 carries out both ex-ante supervision (voluntary certification of certification bodies issuing se- cure electronic signatures) and ex-post supervision in accordance with the existing BiH Law on Electronic Signature. Although the BiH Law on Electronic Signature was adopted 14 years ago, this supervisory body was established as the organizational unit within the Ministry of Communica- tions and Transport of Bosnia and Herzegovina only in 2017. eIDAS requires Member States to designate a supervisory body responsible for the supervisory tasks under the Regulation. The two principal tasks of supervisory body are: (i) ex-ante supervisi- on, i.e. granting of qualified status to trust service providers and ensuring that all the prerequisites for the provision of services are in place, and (ii) ex-post supervision of both qualified and non-qu- alified trust service providers, i.e. various kinds of assessments and inspections to ensure that trust service providers act in conformity with the law.106 EIDAS regulation defines the eIDAS nodes that each Member State is obliged to implement in order to facilitate interoperability among MS for cross border eID usage (identification and 104 Bosnia and Herzegovina 2022 Report Accompanying the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, p. 84. 105 Article 20, para 1 and Article 23 of the BiH LES. 106 Article 17, eIDAS. E-government Assessment in Republika Srpska 77 authentication). EU Member States have the obligation, under eIDAS, to establish, maintain and publish trusted lists of qualified trust service providers and the services provided by them. A trust service provider and the trust services it provides will be qualified only if it appears in a trusted list. The lists are to be published in a secured manner, electronically signed or sealed in a format suita- ble for automated processing. In order to allow access to the trusted lists of all Member States, the Commission makes available to the public, through a secure channel to an authenticated web ser- ver, the trusted lists as notified by Member States, in a signed or sealed form suitable for automated processing. Users, including citizens, businesses and public administrations, will benefit from the legal effect associated with a given qualified trust service only if the latter is listed as qualified in the trusted lists. Qualified trust services in Bosnia and Herzegovina, including Republika Srpska will not be re- cognized as qualified in the EU according to the eIDAS regulation as long as there is no Law on the Electronic Identification and Trust Services for Electronic Transactions adopted and single trust list established at the state level within the Office for Supervision and Accreditation of Certification Authorities. The Law on Electronic signature of the RS is still not fully aligned with the EU Regulation (EU) No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market (eIDAS).[1] Specifically, the definition of what constitutes electronic signature in the EU (eIDAS) is broader than that of BiH and the RS. The eIDAS recognizes three types of electronic signature, namely, ele- ctronic signature, advanced electronic signature, and qualified electronic signature. In essence, the eIDAS definition of electronic signature means that even the simplest electronic statement, such as an e-mail with the name of the sender at the bottom, is considered electronically signed with a simple e-signature.[2] This is the lowest level of security. The next level is the advanced e-signature, which entails higher security by necessitating the use of certificates, cryptographic keys, and similar forms of secure login. Finally, a qualified e-signature meets the requirements of an advanced one. It is based on a qualified e-signature certificate issued by a qualified trust service provider. The eIDAS stipulates that an e-signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds of it being in electronic form, or not meeting the requirements for a qualified e-signature. This means that public and private entities in member states are free to determine the legal effects of the simple and the advanced e-signature in their relationships. Go- vernments are also free to recognize electronic identification means with lower identity assurance levels.[3] Additionally, the eIDAS allows public sector bodies in member states to provide e-services based both on qualified and advanced e-signatures.[4] The definition of the qualified e-signature provided in the RS Law on Electronic Signature seems to cover approximately the requirements for the qualified signature under the eIDAS. However, the definition of the ordinary e-signature seems to encompass both the simple e-signature and the advanced e-signature under the eIDAS. The eIDAS regulates two types of trust service providers: qualified and non-qualified ones. Qualified trust service providers (that is, the entities issuing qualified certificates for electronic si- gnatures) should be certified by a designated supervisory body in the respective EU member sta- te. However, the requirements for non-qualified trust service providers (such as those that issue advanced electronic signatures) are not so strict. State supervision over the activity of non-qualified trust service providers should be subject to a “light touch”, and ex-post supervisory activities should be justified by the nature of their services. Therefore, the supervisory body has no general obligati- 78 E-government Assessment in Republika Srpska on to supervise non-qualified service providers. As such, it should only act when it is informed that a non-qualified trust service provider does not comply with the eIDAS requirements.107 For qualified trust service providers, the RS Law on Electronic Signature introduces a certifica- tion regime, similarly to the eIDAS. This means that an entity wishing to issue qualified certificates would first need to obtain permit and become enrolled in the record of the qualified certification authorities in the RS. As for non-qualified trust service providers, the RS Law on Electronic Signa- ture is stricter then the eIDAS. Specifically, this law requires a provider of trust services that issues non-qualified electronic certificates to communicate to the MNRVOID the commencement of ele- ctronic certification services at least 14 days in advance. The supervisory authority is also obliged to keep a registry of trust service providers. The Agency for Information Society of the RS has become the certificate authority for public administration bodies. The Ministry of the Science and Technology performs the administra- tive tasks related to enrollment of the certificate authorities in the CA registry in accordance with the Law on Electronic Signature of the RS. With the reorganization of the RS Government in December 2018, the Agency ceased its work, and it became a part of the Sector for Informati- on Society within the MNRVOID. The MNRVOID’s certificate authority issues qualified electronic certificates to public administration bodies, as well as to natural and legal persons. However, the Register of qualified certificate authorities available on the MNRVOID’s website does not show any registered qualified certificate authority in the RS. Given that the qualified certification body can perform trust services on the basis of a license/permit issued by the Ministry, it is not clear whether it has to certify itself as a qualified trust service provider in the sense of the Law on the Electronic Signature of the RS. At the RS level, the MNRVOID’s Unit for Management of Digital Identities within the Sector for Information Society has not yet started the mass issuance of qualified certificates to physical and legal persons. However, the MNRVOID’s Certification Authority has already issued over 100 qualified certificates for users in Tax Administration of the RS, as well as other strategic e-govern- ment projects in the RS (such as “e-baby” and the “Online registration of businesses”). The Ministry has planned the procurement of another slot of 5,000 smart cards, but the procurement has not been realized due to supply chain difficulties among international vendors of qualified signature or seal creation device (QSCD) smart cards. These cards are intended for public administration bodies, and they are to be used for electronic identification, authentication and digital signing/seal of docu- ments. Citizens and business entities will bear the costs/ fees for qualified electronic signature or electronic seal (including the smart card) issued by the MNRVOID Certificate Authority. Bosnia and Herzegovina Law on the Electronic Identification and Trust Services for Electronic Transactions should be adopted to establish, maintain and publish single node with national eID scheme and trust list for Bosnia and Herzegovina in accordance with eIDAS provisions. Lawmakers at all levels in Bosnia and Herzegovina should work collaboratively on codifying and harmonizing the legislative framework so that their laws on e-identification and trust services could be identical or very similar to one another. This would lower the risk of proliferation of divergent systems for regulation, certification, operation and supervision of trust service providers in Bosnia and Herzegovina. To ensure the smooth and secure functioning of e-identification, Bosnia and Herzegovina sho- uld build a functioning supervisory infrastructure in accordance with eIDAS, including supervi- sory body/bodies, conformity assessment bodies and national accreditation body/bodies. Ide- 107 eIDAS, Preamble (36). E-government Assessment in Republika Srpska 79 ally, there should be one supervisory body for the entire country108, conducting both ex-ante and ex-post supervision of trust service providers. If several different systems continue to operate in Bosnia and Herzegovina, the individual laws should enable mutual recognition of certificates issued by trust service providers at the different government levels, like this is done for certificates from EU member states. Regardless of whether a single supervisory body or several ones operate on the territory of Bosnia and Herzegovina, efforts should be made to ensure that many trust service providers are certified so that trust services could be offered in a competitive environment, thus fostering quality and a competitive cost. 108 The state-level (BiH) Office for Supervision and Accreditation of Certification Authorities 80 E-government Assessment in Republika Srpska ANNEX 2: G2C, G2B AND G2G109 SERVICES Type of Service Life/Business Services Responsible Published Publicly Service Description Maturity Event (G2C, G2B, Institution on the GSB Available Level G2G) e-Dnevnik - Management of electronic pedagogical documentation in primary schools. Ministry of Yes (for Primary G2C Enhanced Education of No registered Education Web application (for parents, pupils, Culture users) teachers) – 200,000 users and mobile app – 300,000 users e-Dnevnik and EDUKOM - Management of electronic pedagogical documentation in Ministry of Yes (for Secondary G2C secondary schools. Enhanced Education of No registered Education Culture users) Web application (for parents, pupils, teachers) – 20,000 users. e-Nastava (Learning Management System). It enables teachers and Primary and students to access and share Ministry of Yes (for Secondary G2C educational digital services and Enhanced Education of No registered Education content. Culture users) 50,000 users Access to digital interactive contents of elementary school textbooks Ministry of Yes (for Primary G2C created by the Institute for Enhanced Education of No registered Education Textbooks and Teaching Aids of the Culture users) RS – 10,000 users. “Guide for choosing your occupation” It enables ninth grade Yes students and their parents to Ministry of (restricted Secondary G2C check the enrollment plan for all Enhanced Education of No access for Education secondary schools in the RS, as well Culture registered as job descriptions - Android app users) 10,000 users. Missing Electronic register of missing Ministry of G2C, G2G Enhanced No Yes Persons persons. Interior Warrants of Electronic register of Interpol Ministry of G2C, G2G Enhanced No Yes Persons international warrants. Interior Minor offense registered by radar. The service enables the viewing of photos of minor offenses registered Ministry of Minor Offense G2C Enhanced No Yes by devices for controlling vehicle Interior speed, including radar devices - 251,391 users. 109 Government-to-Government E-government Assessment in Republika Srpska 81 Personal Status check of invalid documents – Ministry of G2C Enhanced No Yes Documents 16,852 users. Interior It allows for the checking of the Personal current status of a document/ Ministry of G2C Enhanced No N/A Documents request for the issuance of a new Interior documents. The service is intended for Enhanced/ Corruption reporting suspected corruption and Ministry of G2C Trans- No Yes Prevention other irregularities in the public Interior actional administration. Enhanced/ Crime Ministry of G2C Anonymous crime reporting. Trans- No Yes Reporting Interior actional Ministry of The electronic register of incentives Economy Economy and G2B, G2C (planned, approved and realized) at Enhanced No Yes Incentives Entrepreneur- the RS and local levels. ship The service enables a quick and Ministry of Economy efficient way of submitting requests Economy and G2B, G2C Enhanced No Yes Incentives from business entities for incentives Entrepreneur- to increase the wages of employees. ship Ministry of Business Entity Information on administrative Economy and Registration G2B, G2C procedures for business registration Enhanced No Yes Entrepreneur- and Operations and operations. ship Ministry of Scientific and Technological Development, Registration of new-born children Higher in the hospital after birth, replacing Education and Personal eight previously required contacts, G2G Enhanced Information No No Citizen Status thereby significantly reducing the Society / time involved in completing the Hospitals / documents. Ministry of Administration and Local Self- Government Ministry of Scientific and Technological The E-CRIS system includes Yes (for Scientific Development, G2C databases on research organizations Enhanced No registered Research Higher and researchers in the RS. users) Education and Information Society 82 E-government Assessment in Republika Srpska Ministry of Electronic register for student Scientific and scholarships collects all relevant Technological Student data on students applying for the Development, Scholarships G2C Enhanced No Yes MNRVOID scholarships in the Higher and Grants academic year for which they are Education and applying. Information Society Ministry of Scientific and Register of student representative Technological Higher bodies and student organizations Development, G2C Enhanced No Yes Education established at the higher education Higher institutions in the RS. Education and Information Society Ministry of Scientific and Register of higher education Technological institutions. A higher education Higher Development, G2C, G2G institution can start working and Enhanced No Yes Education Higher perform higher education activities Education and after joining the Register. Information Society Electronic registers of: - Manufacturers and importers of chemicals Emerging Ministry of Health G2C, G2B - Inventory of chemicals – Informa- Health and No Yes - Pharmacies and specialized shops tional Social Care - Manufacturers of medical devices - Drug wholesalers - Certified health care institutions RS The Central Address Register is the Yes (for G2C, G2B, Administration Spatial Data electronic database of all addresses Enhanced No subscribed G2G for Geodetic and on the territory of the RS. users) Property Affairs The register of real estate prices for RS Yes (for G2C, G2B, market price monitoring, with the Administration Real Estate Enhanced No subscribed G2G aim of assessing the market value of for Geodetic and users) real estate. Property Affairs The Register of Spatial Units shows the borders of different spatial units of the RS (territories of RS, RS Yes (for G2C, G2B, cities, municipalities, cadastral Administration Spatial Data Enhanced No subscribed G2G municipality, populated places, for Geodetic and users) statistical circles, census circles) - Property Affairs 200 Virtual Private Network (VPN) users. RS G2C, G2B, e-Katastar – Public access to Administration Real Estate Enhanced No Yes G2G cadastral data. for Geodetic and Property Affairs E-government Assessment in Republika Srpska 83 RS e-Stanovi - Electronic register of Yes (for G2C, G2B, Administration Real Estate signed contracts for apartments, Enhanced No subscribed G2G for Geodetic and business premises and garages. users) Property Affairs RS Geoportal RS – access point for Yes (for G2C, G2B, Administration Spatial Data displaying geospatial data, including Enhanced No subscribed G2G for Geodetic and review, modification and search. users) Property Affairs Geodedic SRPOS provides for the possibility and property RS of global positioning in the entire Yes (for affairs Global G2C, G2B, Administration territory of the RS, with special Enhanced No subscribed Navigation G2G for Geodetic and emphasis on applications in the field users) Satelite System Property Affairs of surveying and cadastre. (GNSS) Yes (limited data scope available to public It provides up-to-date information users; to decision-makers and citizens RS enhanced Civil Protection about exposure to floods, G2C, G2B, Administration data Disaster Risk landslides, and earthquakes with Enhanced No G2G for Civil available to Analysis the aim of changing the approach Protection registered to disaster risk reduction in the RS users from and BiH. public admini- stration bodies). Service for reporting illegal work of legal entities, individuals and persons employed in the RS Administration for Inspection RS Affairs. This is done via the website Administration Inspection G2C Enhanced No Yes of the RS Administration for for Inspection Inspection Affairs (by completing Affairs a text form or by voice message). Reports and complaints can be anonymous or signed. Submission of applications for foreign trade inspection supervision. A service that enables RS the submission of requests for Yes (for Administration Inspection G2B goods control by inspectors at Enhanced No registered for Inspection border crossings and customs users) Affairs offices through the website of the RS Administration for Inspection Affairs. Register of inspection checks - Web service that natural and RS legal entities or other public G2G, G2C, Administration Inspection administration bodies can access Enhanced Yes Yes G2B for Inspection and view. It contains the checklists Affairs that inspectors use during inspection supervision. 84 E-government Assessment in Republika Srpska Enables taxpayers to view data from tax records collected by the Tax Yes (for Administration of the RS, including RS Tax Direct Taxes G2C, G2B Transactional No registered electronic submission of different Administration users) tax applications, and receipt of notifications. An integrated system for registration, control, and collection Employee RS Tax G2B, G2C of employee contributions Enhanced No Yes Contributions Administration (pensions, disabled persons, health insurance). Yes (for System for managing the training of RS Civil Service Certification G2C Enhanced No registered public administration personnel. Agency users) This register is composed of two segments: the client (accountant) Intermediary and the processor/con-troller G2C, G2B, Agency for IT Financial Data (Agency). Clients submit electronic Enhanced No Yes G2G and Financial financial reports through a custom Services application and a controller checks the correctness of the entered data. Intermediary G2C, G2B, Creditworthi-ness register that Agency for IT Financial Data Enhanced No Yes G2G keeps data of all business entities. and Financial Services Intermediary The central registry for all business Business G2C, G2B, Agency for IT entities registered in the territory of Enhanced Yes Yes Entities G2G and Financial the Republika Srpska. Services Intermediary The central register of Business G2C, G2B, Agency for IT entrepreneurs in the territory of the Enhanced No Yes Entities G2G and Financial Republika Srpska. Services Intermediary The register contains data on all Business G2C, G2B, Agency for IT public companies in the Republika Enhanced No Yes Entities G2G and Financial Srpska. Services Intermediary Contains data on registered Business G2C, G2B, Agency for IT commercial and non-commercial Enhanced No Yes Entities G2G and Financial farms. Services Contains data on registered apartment accommoda-tions Intermediary of natural persons who provide Business G2C, G2B, Agency for IT catering services in the countryside, Enhanced No Yes Entities G2G and Financial as well as service providers in Services apartments, holiday homes and rooms for rent. Enables participants in the securities market to submit the required data RS Securities Securities G2B, G2G Enhanced No Yes to the Securities Commission of the Commission Republika Srpska. E-government Assessment in Republika Srpska 85 The register contains data on authorized participants in the securities market, namely: G2C, G2B, stockbrokers, custody banks, RS Securities Securities Enhanced No Yes G2G the stock exchange, the Central Commission Registry, natural persons with broker certificates, and investment managers and advisors. The register contains data on G2C, G2B, RS Securities Securities investment fund management Enhanced No Yes G2G Commission companies and funds. G2C, G2B, The register contains data on RS Securities Securities Enhanced No Yes G2G factoring companies. Commission Register of securities contains a list G2C, G2B, of all issuers that issue securities RS Securities Securities Enhanced No Yes G2G in accordance with the Securities Commission Market Act. Yes (for Register of persons vaccinated RS Public Health Health G2C Enhanced No registered against COVID-19. Institute users) Systematized database of all locations available for investors, RS Development Investments G2B with a detailed display of Enhanced No Yes Agency infrastructure, ownership status, land type, and so on. Portal intended for those who want to start their own business, as well as for existing companies RS Development Investments G2C Enhanced No Yes and entrepreneurs in the Republika Agency Srpska who want to develop and improve their businesses. The “Consultant Database” register is primarily intended for business RS Development Investments G2C Enhanced No Yes entities that need support for Agency development and growth. Investor base intended to attract foreign investments doing business with municipalities and cities, as well as with the companies RS Development Investments G2C, G2B Enhanced No Yes themselves — which were Agency interested in becoming even more visible to potential international and domestic customers and investors. Register of employees – RS Pension Insurance G2C, G2B beneficiaries of the pension and Enhanced and Disability Yes Yes disability insurance Insurance Fund The information center of the RS Insurance Agency is used in order RS Insurance Insurance G2C to efficiently and quickly resolve Enhanced No Yes Agency compensation claims based on damages caused in traffic accidents. 86 E-government Assessment in Republika Srpska G2C, G2B, Register of authorized insurance RS Insurance Insurance G2G Enhanced No Yes companies based in the RS. Agency G2C, G2B, Register of branches of insurance RS Insurance Insurance G2G Enhanced No Yes companies from the FBiH Agency G2C, G2B Register of authorized insurance RS Insurance Insurance Enhanced No Yes representatives - natural persons. Agency G2B Register of Insurance RS Insurance Insurance Enhanced No Yes Representation Companies Agency Register of authorized insurance RS Insurance Insurance G2C, G2B Enhanced No Yes intermediaries - natural persons. Agency Register of insurance brokerage RS Insurance Insurance G2C, G2B Enhanced No Yes companies Agency RS Insurance Insurance G2B Register of Authorized Actuaries Enhanced No Yes Agency Register of private pension fund RS Insurance Insurance G2B management(non-compulsory Enhanced No Yes Agency pension funds) Register of private pension RS Insurance Insurance G2B, G2C funds (non-compulsory pension Enhanced No Yes Agency funds). Provides information to road managers about licensed natural RS Traffic Safety Traffic G2B, G2C Enhanced No Yes and legal persons for traffic safety Agency checks and audits. Calculation and payment of the Child rights of beneficiaries of child RS Child G2C Enhanced No Yes Protection protection under the Law of Child Protection Fund Protection E-government Assessment in Republika Srpska 87 ANNEX 3: SHARED SERVICES PROVIDED BY THE GOVERNMENT DATA CENTER Government Data Center provides five types of shared services to the ministries and other public administration bodies at the level of the Republika Srpska: • Virtualized server and storage infrastructure - Ministries and public administration bodies are provided virtual machines for hosting their specific applications. The General Secretariat of the Government of the Republika Srpska is responsible for administration, upgrading, scaling and maintaining of the data center virtualization infrastructure, whereas ministries and public ad- ministration bodies are responsible for administering and maintaining operating systems and applications hosted within provided virtual machines . Data center also provides an option of the colocation of the physical servers owned by public administration bodies in the Government data center. • Networking services - local area network access to ministries and institutions located in the bu- ilding of the Administrative Seat of Republika Srpska, Metropolitan Area Network connectivity to the Ministry of Interior and other public administration bodies located near the administrative seat as well as access to Internet. • Identity management (Active Directory) and information security services for ensuring confi- dentiality, integrity and availability of the data center infrastructure. • E-government building blocks: Interoperability Information System – Government Service Bus and e-Srpska Portal. • Shared business support solutions and services such as E-mail, Video Conferencing, Electronic management of Government sessions, internet portal www.vladars.net. 88 E-government Assessment in Republika Srpska ANNEX 4: REFERENCES BiH Public Procurement Agency (2023). Framework explanation of application of specific provisions of the Law on Changes and Amendment to the Law on Public Procurement. Council of Ministers of Bosnia and Herzegovina (2005). The Law on Protection of Classified Data, BiH Official Gazette 54/05 and 12/09. Articles 13 and 14, Council of Ministers of Bosnia and Herzegovina (2008). The Law on the Agency for Identification Documents, Registers and Data Exchange of Bosnia and Herzegovina – IDDEEA, Official Gazette of Bosnia and Herzegovina” No. 56/08, Article 8, paragraph 2 and 6 Council of Ministers of Bosnia and Herzegovina (2014). Decision on Interoperability Framework of BiH. Official Gazette, No. 53/2014 Council of Ministers of Bosnia and Herzegovina (2014). Public Procurement Law, BiH Official Gazette, No. 39/14 and 59/22. Council of Ministers of Bosnia and Herzegovina (2015). Rulebook on the procedure for awarding contracts in the field of defense and security, BiH Official Gazette no. 60/2015. Article 2 and 6 Dener, C. Watkins, J.A. and Dorotinsky, W.L (2011). Financial Management Information Systems. European Commission (2010). EUROPE 2020 A strategy for smart, sustainable and inclusive growth European Commission (2014). Directive 2014/24/EU of the European Parliament and of the Council concerning public procurement, and repealing Directive 2004/18/EC; European Commission (2014). Directive 2014/25/EU of the European Parliament and of the Council concerning procurement by entities operating in the water, energy, transport, and postal services sectors, as well as repealing Directive 2004/17/EC, and Directive 2014/23/EU concerning concessions. European Commission (2017). “The Sharing and Reuse Framework for IT Solutions European Commission (2022). Commission staff working document Bosnia and Herzegovina 2020 Report Accompanying the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions 2020 Communication on EU Enlargement Policy European Commission (2022). Digital Competence Framework for Citizens. European Commission, Directorate-General for Neighborhood and Enlargement Negotiations (2021), Commission staff working document Bosnia and Herzegovina 2021 Report European Commission, Directorate-General for Neighborhood and Enlargement Negotiations (2022), Commission staff working document Bosnia and Herzegovina 2022 Report. European Commission, Directorate-General for Neighborhood and Enlargement Negotiations (2020), Commission staff working document Bosnia and Herzegovina 2020 Report European Union (2008). Council Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. European Union (2009). Directive 2009/81/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the coordination of procedures for the award of certain works contracts, supply contracts and service contracts by contracting authorities or entities in the fields of defense and security, and amending Directives 2004/17/EC and 2004/18/EC. European Union (2014). Regulation No. 910/2014 of the European Parliament and of the Council on Electronic Identification and Trust Services for Electronic Transactions in the European Internal Market European Union (2015). Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/ E-government Assessment in Republika Srpska 89 EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC European Union (2017). New European Interoperability Framework. European Union (2022). Directive 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union Government of Republika Srpska (2015). Law on Electronic signature, RS Official Gazette, No. 106/15 Article 22, para 1, Article 19, para 1 Government of Republika Srpska (2018). Law on RS Administration, RS Official Gazette, No. 115/18. Government of Republika Srpska (2018). Rules of Procedure of the Government of Republika Srpska, RS Official Gazette, No. 123/18. Article 8, 10, 17 and 87 Government of Republika Srpska (2019). Law on Security of Critical Infrastructure in RS, Official Gazette of RS, 58/19. Government of Republika Srpska (2019). Electronic Government Development Strategy of Republika Srpska for the period 2019 – 2022, p. 57 Government of Republika Srpska (2021). Law on Strategic planning and development management of the RS, RS Official Gazette, No. 94/2021 Government of Republika Srpska (2022), Exposé of the Prime Minister Radovan Viskovic. OECD SIGMA (2022) Monitoring report: The Principles of Public Administration Bosnia and Herzegovina May 2022. p. 127 R. Vuorikari, S. Kluzer, and Y. Punie (2022). DigComp 2.2: The Digital Competence Framework for Citizens - With new examples of knowledge, skills and attitudes Regional Cooperation Council (2018). A NEW VIRTUAL BATTLEFIELD - How to prevent online radicalization in the cyber security realm of the Western Balkans Richard Bartlett (2022). Enhancing civil service capability: emergence of the professions model. USAID (2018). Assessment of BiH e-governance and e-administration World Bank (2020). GovTech Launch Report and Short-Term Action Plan. The World Bank, Washington, DC. World Bank (2021). World Development Report: Data for Better Lives. The World Bank Washington, DC. World Bank (2022), Service Upgrade: A GovTech Approach to User Centric Services. The World Bank, Washington, DC World Bank (2022). GovTech Maturity Index, 2022 Update: Trends in Public Sector Digital Transformation. World Bank, Washington, DC. World Bank (2022). Interoperability: Towards a Data Driven Public Sector. The World Bank, Washington, DC World Bank (2022). Service Upgrade: The GovTech Approach to Citizen Centered Services. The World Bank, Washington, DC. World Bank (2022). Tech Savvy: Advancing GovTech Reforms in Public Administration. Equitable Growth, Finance & Institutions Insight. The World Bank Washington, DC. World Bank (2023). Data Classification Matrix and Cloud Assessment Framework. The World Bank Washington, DC. World Bank (2023). Institutional and Procurement Practice Note on Cloud Computing. The World Bank, Washington, DC World Bank, (2022). GovTech Maturity Index, 2022 Update: Trends in Public Sector Digital Transformation. World Bank, Washington, DC.