Compliance Framework

Compliance Framework Document

Project: ~~Drop~~Bilko — ~~PSD2~~Balkan ~~Pass-Through~~Accounting ~~Payment App~~SaaS Version: 1.0 Date: 2026-02-23 Author: ~~Security~~Compliance Architect Status: Draft Reviewers: DPO, Legal Counsel, CEO Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~Security~~Compliance Architect	Initial draft — ~~multi-jurisdiction~~three-country compliance mapping RS/BA/HR

1. Applicable Regulations

Compliance Owner: ~~CISO /~~ Compliance ~~Officer~~Architect (~~[email protected])~~[email protected]) External Auditor: To be engaged (Phase 2) Last ~~Audit:~~Review: 2026-02-~~12 (internal security audit)~~23 | Next ~~Audit:~~Review: 2026-~~Q3 (external pentest)~~08-23

Regulation	~~Applicability~~Country	~~Effective Date~~Applicability	Status
~~PSD2~~GDPR — ~~Betalingstjenesteloven~~Regulation (~~LOV-2018-11-23-85)~~EU) 2016/679	~~YES~~HR	Directly applicable — ~~core:~~EU ~~AISP/PISP payments~~member	~~In force~~	~~8% ready (BankID~~ Phase 2)1
~~GDPR — Personopplysningsloven (LOV-2018-06-15-38)~~	~~YES — processes personal data of all Norwegian users~~	~~May 25, 2018~~	~~15% ready (DPIA done, processing register pending)~~
~~AML — Hvitvaskingsloven (LOV-2018-06-01-23)~~	~~YES — payment service provider, remittance~~	~~In force~~	~~5% ready (procedures done, real KYC Phase 2)~~
~~IKT-forskriften (FOR-2003-05-21-630)~~	~~YES — financial enterprise IT security~~	~~In force~~	~~25% ready~~
~~DORA (EU) 2022/2554~~	~~YES — payment institutions (Norway EEA incorporation expected 2026 H2)~~	~~Jan 17, 2025 (EU); ~2026 H2 (NO)~~	~~Preparing~~
~~Finansforetaksloven (LOV-2015-04-10-17)~~	~~YES — governance, licensing~~	~~In force~~	~~0% licensed~~
~~Valutaregisterloven (LOV-2004-12-17-109)~~	~~YES — all cross-border remittance~~	~~In force~~	~~Not yet registered~~
~~Betalingssystemloven (LOV-1999-12-17-95)~~	~~YES — payment systems~~	~~In force~~	~~Monitoring~~
~~Finansavtaleloven (LOV-2020-12-18-146)~~	~~YES — consumer protection~~	~~2023~~	~~Draft vilkår exists~~

~~Source:~~ legal/drop-regulatory-map-v2.md, legal/drop-gap-analysis-v2.md

2. Norway — Finanstilsynet & Core Regulatory Compliance

2.1 Finanstilsynet Licensing

~~Applicable law:~~ ~~Betalingstjenesteloven (LOV-2018-11-23-85)~~

~~License Option~~	~~Requirement~~	~~Status~~
~~Begrenset betalingsforetak (§ 2-10c)~~	~~Max 6M NOK/month, simplified application~~	~~Target for Phase 1 launch~~
~~Ordinært betalingsforetak (§ 2-3)~~	~~125,000 EUR capital, EEA passport~~	~~Target for Scandinavia scaling~~
~~Agent model (§ 2-12)~~	~~Operate under licensed PSP — fastest route~~	~~Actively exploring partners~~

~~Current status:~~ ~~Not licensed. No live transactions until license or agent arrangement secured.~~

2.2 PSD2 / Betalingstjenesteloven Requirements

~~Requirement~~	~~Article/Section~~	~~Our Implementation~~
~~Strong Customer Authentication (SCA)~~	~~§ 4-28, Del. Reg. (EU) 2018/389~~	~~Phase 2: BankID OIDC (possession + knowledge)~~
~~Dynamic linking (amount + payee)~~	~~Del. Reg. Art. 5~~	~~Phase 2: Shown in BankID signing dialog~~
~~AISP — account information~~	~~§ 4-41~~	~~Phase 2: Open Banking AISP integration~~
~~PISP — payment initiation~~	~~§ 4-44~~	~~Phase 2: Open Banking PISP integration~~
~~No storing user bank credentials~~	~~§ 4-44(3)~~	~~✓ — Drop never stores bank login credentials~~
~~Pre-transaction fee disclosure~~	~~§ 3-23~~	~~Partial: fee shown in API, not pre-auth~~
~~Transaction receipt~~	~~§ 3-22 to § 3-26~~	~~Phase 1 prerequisite~~
~~Framework agreement (rammeavtale)~~	~~§ 3-1 to § 3-8~~	~~Draft exists:~~ `legal/brukervilkar.md`
~~Execution time D+1 (EEA) / D+4 (non-EEA)~~	~~§ 4-15~~	~~Dependent on PISP partner SLA~~

2.3 AML — Hvitvaskingsloven

~~Full procedures:~~ legal/hvitvaskingsrutiner.md

~~Requirement~~	~~Section~~	~~Our Implementation~~
~~Enterprise risk assessment~~	~~§ 6~~	~~Document:~~ `legal/risikovurdering-hvitvasking.md`
~~Written AML procedures~~	~~§ 8~~	~~Document:~~ `legal/hvitvaskingsrutiner.md`
~~Customer identification (KYC)~~	~~§ 12~~	~~BankID: name + fødselsnummer (Phase 2)~~
~~Electronic verification~~	~~§ 12(3)~~	~~BankID qualifies as electronic verification~~
~~PEP screening~~	~~§ 18~~	~~Integration: ComplyAdvantage / Refinitiv (Phase 2)~~
~~Sanctions screening~~	~~Sanksjonsforskrifter~~	~~Integration: EU/UN/Norwegian/OFAC lists (Phase 2)~~
~~Transaction monitoring~~	~~§ 24~~	~~Rules defined in hvitvaskingsrutiner.md~~
~~STR filing to EFE (Økokrim)~~	~~§ 26~~	~~Process documented; system Phase 2~~
~~No tipping off~~	~~§ 28~~	~~Policy: never inform customer of STR~~
~~Record keeping — 5 years~~	~~§ 30~~	~~Policy defined; technical implementation Phase 2~~
~~AML officer appointment~~	~~§ 8(4)~~	~~Required before licensing~~

~~Corridor risk classification:~~

~~Risikonivå~~	~~Land/korridorer~~	~~Tiltak~~
~~Lav~~	~~EU/EØS-land, Storbritannia~~	~~Standard CDD~~
~~Middels~~	~~Serbia (RSD), Bosnia-Hercegovina (BAM), Tyrkia (TRY)~~	~~Utvidet overvåking~~
~~Høy~~	~~Pakistan (PKR)~~	~~EDD obligatorisk~~
~~Sperret~~	~~FATF/EU sanksjonslister~~	~~Blokkert i system~~

~~See dedicated DPIA:~~ data-protection-impact-assessment.md~~. Full privacy notice:~~ legal/personvernerklaering.md.

~~Article~~	~~Requirement~~	~~Our Implementation~~
~~Art. 5~~	~~Data minimization, purpose limitation~~	~~Collect only necessary fields; defined purposes~~
~~Art. 6(1)(b)~~	~~Contract basis — core service delivery~~	~~Remittance, QR payments, account management~~
~~Art. 6(1)(c)~~	~~Legal obligation basis — AML/KYC~~	~~Hvitvaskingsloven §§ 4, 10-18~~
~~Art. 6(1)(a)~~	~~Consent basis — AISP balance access~~	~~User grants PSD2 consent for Open Banking~~
~~Art. 13~~	~~Privacy notice~~	`legal/personvernerklaering.md` ~~— Norwegian~~
~~Art. 28~~	~~Data processor agreements~~	~~DPAs required with BankID, cloud provider, Sumsub~~
~~Art. 30~~	~~Register of processing activities (behandlingsprotokoll)~~	~~Pending~~
~~Art. 32~~	~~Appropriate technical/organisational measures~~	~~See~~ `security-architecture.md`
~~Art. 33~~	~~72-hour breach notification to Datatilsynet~~	~~See~~ `data-breach-response-plan.md`
~~Art. 35~~	~~DPIA for high-risk processing~~	~~Document:~~ `legal/dpia-vurdering.md`
~~Art. 37~~	~~DPO designation~~	~~DPO contact: [email protected]~~

2.5 Valutaregisterloven

~~Requirement~~	~~Section~~	~~Our Implementation~~
~~Register with SSB as reporting entity~~	~~§ 3~~	~~To be completed before first cross-border transaction~~
~~Report all cross-border payments~~	~~§ 4~~	~~Monthly reporting to SSB~~
~~Transaction data: amount, currency, country, purpose code~~	~~§ 5~~	`recipients.country` ~~in DB schema~~
~~Retention — 5 years~~	~~§ 6~~	~~Policy defined~~

3. Serbia — Multi-Jurisdiction Compliance

3.1 Data Protection

~~Applicable law:~~ Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS ~~br.~~ 87/2018) RS GDPR-aligned — in force Nov 2018 Phase 2 Zakon o zaštiti ličnih podataka (~~Law~~ZZLP, onSl. ~~Personal~~glasnik BiH 49/2006, 76/2011) BA State-level data protection law Phase 3 Zakon o računovodstvu (Sl. glasnik RS 73/2019, 44/2021) RS Accounting law, double-entry, retention Phase 2 Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009, 56/2023) BA (FBiH) Accounting and audit law Phase 3 Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005) BA (RS) Accounting and audit law Phase 3 Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18) HR Accounting law, CFRS, retention Phase 2 Zakon o PDV (Sl. glasnik RS 84/2004 et al.) RS VAT law, 20%/10%/0% rates Phase 2 Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.) BA VAT law, 17%/0% rates, UIO Phase 3 Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.) HR VAT law, 25%/13%/5%/0%, ePorezna Phase 2 Zakon o elektronskom dokumentu (Sl. glasnik RS 51/2009) RS Legal validity of electronic records Phase 2 Opći porezni zakon HR (NN 115/16 et al.) HR General tax law framework Phase 2 Pravilnik o kontnom okviru RS (2021) RS Chart of accounts standard Phase 2 FBiH Pravilnik o kontnom okviru (2022) BA (FBiH) Chart of accounts standard Phase 3 RRiF Kontni plan HR HR Standard chart of accounts Phase 2

2. Serbia (RS) — Regulatory Compliance

2.1 Data Protection — Zakon o zaštiti podataka o ličnosti (ZZPL)

Full name: Zakon o zaštiti podataka o ličnosti Citation: Sl. glasnik RS br. 87/2018 In force: November 21, 2018 Description: Serbia's GDPR-aligned ~~legislation,~~personal indata ~~force~~protection ~~November~~law. ~~21,~~Mirrors ~~2018)~~GDPR structure and principles. Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Commissioner for Information of Public Importance and Personal Data Protection) Website: https://www.poverenik.rs

/account,GET

Requirement	~~Law~~ZZPL Article	~~Our~~Bilko Implementation
Lawful basis for processing	~~ZZPL~~ Art. 12	Contract ~~performance~~(Art. 12 st. 1 tač. 2) — accounting service delivery
Data minimization	Art. 5 st. 1 tač. 3	Collect only email, name, tax ID (PIB/JMBG) — required for ~~remittance; legal obligation for AML~~invoicing
Data subject rights (access, erasure, portability)	~~ZZPL~~ Art. 26-41	~~Via~~Endpoints: ~~DPO~~GET ~~process~~/account/data, atDELETE ~~[email protected]~~
~~Data transfer outside Serbia~~	~~ZZPL Art. 64-65~~	~~Drop's servers in Norway/EEA — transfer covered by adequacy assessment~~
~~Notification to Poverenik~~	~~ZZPL Art. 56~~	~~72-hour breach notification to Commissioner for Information of Public Importance and Personal Data Protection~~/account/export
Register of processing activities	~~ZZPL~~ Art. 50	~~Pending~~Internal processing register — required
Security of processing	Art. 50	TLS 1.3 + AES-256 + bcrypt + RBAC
Breach notification to Poverenik	Art. 56	Within 72 hours of becoming aware
Cross-border data transfer	Art. 64-65	Railway EU West — within ZZPL scope

~~Transfer~~Breach ~~mechanism~~notification ~~— Norway → Serbia:~~contact:

~~Norway~~Authority: isPoverenik ~~EEA~~za ~~but~~informacije ~~not~~od EU;javnog ~~Serbia~~značaja ~~has~~i nozaštitu EUpodataka ~~adequacy~~o ~~decision~~ličnosti
~~Transfer~~Address: ~~basis:~~Bulevar ~~Standard~~kralja ~~Contractual~~Aleksandra ~~Clauses~~15, 11000 Belgrade

Email: [email protected]

Deadline: 72 hours from awareness (~~SCCs)~~ ~~per~~ ZZPL Art. ~~65 + GDPR Art. 46(2)(c)~~

~~Transfer Impact Assessment (TIA): Required — assess Serbian law on government data access~~

~~Minimal data transferred: Only avsender's name (lawpålagt) + mottaker's name/IBAN + amount~~56)

3.2.2 AMLAccounting Law — Zakon o računovodstvu

~~Applicable~~Full ~~law:~~name: Zakon o ~~sprečavanju~~računovodstvu ~~pranja novca i finansiranja terorizma (ZoPNFT,~~Citation: Sl. glasnik RS br. ~~113/2017, 91/~~73/2019, ~~153/2020)~~44/2021 ~~(Law~~Description: onDefines ~~Prevention~~accounting ofobligations ~~Money~~for ~~Laundering~~all ~~and~~legal ~~Terrorism~~entities ~~Financing)~~in Serbia.

Requirement	~~Our~~Bilko ~~Role~~Implementation
~~Correspondent~~Double-entry ~~bank~~bookkeeping ~~in Serbia performs CDD on recipients~~mandatory	~~Correspondent~~Prisma ~~bank~~schema ~~responsibility~~enforces debitAccountId + creditAccountId — debit = credit validated
~~Drop~~Chart ~~provides~~of ~~complete~~accounts: ~~sender~~Pravilnik ~~information~~o ~~per~~kontnom ~~FATF~~okviru ~~Recommendation~~(2021) 16— 10 class system (0-9)	✓Serbian —CoA ~~name,~~seed ~~account,~~data ~~reference~~with standard 3-digit accounts
~~Serbian~~Financial ~~NBS~~statements required: Bilans stanja (~~Narodna~~Balance ~~banka~~Sheet), ~~Srbije)~~Bilans ~~oversight~~uspeha of(Income ~~payment systems~~Statement)	~~Via~~Report ~~correspondent~~generation ~~bank~~module (Phase 2)
Large entities: Izveštaj o novčanim tokovima (Cash Flow), Napomene (Notes)	Phase 2
Filing institution: APR (Agencija za privredne registre) — https://www.apr.gov.rs	PDF export in Serbian format
Annual filing deadline: June 30	Filing reminders in app
Document retention: 10 years	Soft delete — financial records never hard deleted

3.2.3 PaymentVAT ServicesLaw — Zakon o PDV

~~Applicable~~Full ~~law:~~name: Zakon o ~~platnim~~porezu ~~uslugama~~na (dodatu vrednost Citation: Sl. glasnik RS br. ~~139/2014,~~84/2004, ~~44/2018)~~86/2004, 61/2005 et al. (~~Law~~consolidated) ~~on Payment Services —~~Description: Serbia's ~~PSD2-equivalent)~~VAT law.

Rate	Description	Application
20% (opšta stopa)	Standard rate	General goods and services
10% (snižena stopa)	Reduced rate	Food, medicines, utilities
0%	Zero rate	Exports, international transport

VAT registration threshold: 8,000,000 RSD annual turnover Return frequency: Monthly (>50M RSD) or Quarterly (<50M RSD) Filing deadline: 15th of following month Portal: ePorezi — https://www.poreskauprava.gov.rs Penalties: 50,000 – 2,000,000 RSD for SEF non-compliance

2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs Mandatory since:

B2G (suppliers to government): May 2022

B2B (business-to-business): January 2023

Format: UBL 2.1 XML Integration: API available — @bilko/country-rs package (Phase 2) Penalties: 50,000 – 2,000,000 RSD for non-compliance

2.5 Electronic Document Law

Full name: Zakon o elektronskom dokumentu, elektronskoj identifikaciji i uslugama od poverenja u elektronskom poslovanju Citation: Sl. glasnik RS br. 94/2017 Description: Legal validity of electronic documents and digital signatures.

~~Drop~~Bilko-generated ~~operates~~invoices asand areports ~~foreign~~constitute ~~PSP~~valid ~~transferring~~electronic ~~funds~~documents towhen:

~~Serbia~~

~~via~~

Generated ~~correspondent~~by ~~banking.~~certified ~~Direct~~accounting ~~license~~software

~~from~~

Stored ~~NBS~~immutably ~~not~~with ~~required~~audit trail

Exportable in PDF/XML format

2.6 APR Filing

All Serbian legal entities must file annual financial reports with APR (Agencija za privredne registre). Bilko generates reports in APR-compatible format for ~~outbound~~export. ~~remittance~~API ~~from~~integration ~~Norway.~~planned ~~Correspondent~~(Phase ~~bank in Serbia holds required NBS license.~~3).

4.3. Bosnia and& Herzegovina (BA) — Multi-JurisdictionRegulatory Compliance

Complexity: BiH has two entities (FBiH and Republika Srpska) with parallel legislation. VAT is unified at state level via UIO. Direct taxes are administered separately per entity.

4.3.1 Data Protection — Entity-LevelZakon Regulationo zaštiti ličnih podataka BiH

~~Bosnia~~Full ~~and Herzegovina has~~ ~~two entities~~ ~~with separate data protection legislation:~~

~~Federation of BiH (FBiH):~~

~~Applicable law:~~name: Zakon o zaštiti ličnih podataka ~~(ZZLP~~Bosne ~~BiH,~~i Hercegovine Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/~~2011)~~2011 ~~(Personal~~Description: ~~Data~~State-level ~~Protection~~personal ~~Law~~data —protection ~~state-level,~~law. ~~administered~~Pre-GDPR bybut aligned in principles. Supervisory authority: Agencija za zaštitu ličnih podataka —Bosne i Hercegovine (AZLP)

Website: https://www.azlp.ba

~~Republika~~The ~~Srpska:~~

~~Same~~same state-level law applies across both ~~entities~~FBiH ~~for~~and ~~personal~~Republika ~~data protection~~

~~AZLP (Agency for Personal Data Protection of BiH) is the supervisory authority for the entire country~~

Srpska.

Requirement	~~Law~~ZZLP Article	~~Our~~Bilko Implementation
Lawful basis for processing	~~ZZLP~~ Art. 4	Contract (accounting service delivery) + legal obligation (tax records)
~~Security~~Data security measures	~~ZZLP~~ Art. 14	TLS 1.3,3 + AES-~~256,~~256 + bcrypt + RBAC
~~Data~~Cross-border transfer ~~to third countries~~	~~ZZLP~~ Art. 18	~~Norway is not in~~Railway EU West — ~~adequacy~~outside ~~assessment per ZZLP +~~BiH; SCCs mechanism
Breach notification to AZLP	~~ZZLP~~Art. 14 + GDPR practice	~~72-hour~~72 ~~notification~~hours
Data subject rights	Art. 5-10	Same endpoints as RS

~~Transfer~~Breach ~~mechanism~~notification ~~— Norway → BiH:~~contact:

NoAuthority: ~~adequacy~~Agencija ~~decision~~za ~~for~~zaštitu ~~BiH~~ličnih ~~from~~podataka ~~EU/Norway~~Bosne i Hercegovine (AZLP)
~~Transfer~~Address: ~~basis:~~Hamdije ~~SCCs~~Čemerlića +2/VI, ~~TIA~~71000 Sarajevo
~~Minimal~~Email: ~~data:~~[email protected]

~~sender~~

Deadline: ~~name~~72 +hours ~~recipient~~(following ~~name/IBAN/BAM~~GDPR ~~amount~~best practice)

4.3.2 AMLFBiH — Accounting Law

~~Applicable~~Full ~~law:~~name: Zakon o ~~sprečavanju pranja novca~~računovodstvu i ~~finansiranja~~reviziji ~~terorističkih~~Federacije ~~aktivnosti~~Bosne ~~(ZSPNFiTA~~i ~~BiH,~~Hercegovine Citation: Sl. ~~glasnik~~novine ~~BiH~~FBiH br. ~~47/2014,~~83/2009, ~~46/2017)~~56/2023 ~~(Law~~Description: onAccounting ~~Prevention~~and audit law for Federation of ~~Money Laundering and Financing of Terrorist Activities — BiH)~~

~~Supervisory authority:~~ ~~Ured za sprečavanje pranja novca (USPN) — FATF/MONEYVAL member~~BiH.

Requirement	~~Our~~Bilko ~~Role~~Implementation
~~Complete~~Double-entry ~~sender information on transfers~~bookkeeping	✓Enforced —by ~~FATF Rec. 16 compliant~~schema
~~Correspondent~~Chart ~~bank~~of ~~performs~~accounts: ~~beneficiary~~FBiH ~~CDD~~Pravilnik (2022) — 10 class system (0-9)	~~Correspondent~~BiH ~~bank~~CoA ~~responsibility~~seed data
~~BAM~~Financial ~~corridor~~statements: ~~classified~~Bilans asstanja, ~~"Middels"~~Bilans ~~risk~~uspeha	~~Higher~~Report ~~monitoring~~generation ~~thresholds~~module ~~apply~~(Phase 3)
Filing institution: Agency of Financial Information (FBiH)	PDF export
Annual filing deadline: March 31	Filing reminders
Document retention: 10 years	Immutable storage

4.3.3 PaymentRepublika ServicesSrpska (BiH Entity) — Accounting Law

~~Applicable~~Full ~~law:~~name: Zakon o ~~platnom prometu (FBiH); Zakon o platnim transakcijama (RS)~~ ~~Regulator:~~ ~~Centralna banka Bosne~~računovodstvu i ~~Hercegovine~~reviziji ~~(CBBH)~~

Republike

~~Drop~~Srpske ~~transfers~~Citation: toSl. glasnik RS BiH ~~via~~br. ~~correspondent~~96/2005, ~~banking;~~74/2016 noDescription: ~~direct~~Accounting ~~CBBH~~and ~~license~~audit ~~required~~law for ~~Norwegian~~Republika ~~outbound~~Srpska ~~remittance.~~

entity

5. Croatia — Multi-Jurisdiction Compliance

5.1 Data Protection

~~Croatia is an EU member state — GDPR applies directly.~~BiH.

Requirement	~~Our~~Bilko Implementation
~~GDPR~~Double-entry ~~(Regulation (EU) 2016/679) directly applicable~~bookkeeping	~~Full~~Enforced ~~GDPR~~by ~~compliance required — see §2.4~~schema
~~AZOP~~Filing institution: Tax Administration of RS (~~Agencija~~BiH ~~za zaštitu osobnih podataka) as supervisory authority~~entity)	~~Breach~~PDF ~~notification within 72h to AZOP~~export
Annual filing deadline: March 31	Filing reminders
Document retention: 11 years	Maximum retention applied across entities

3.4 VAT — Zakon o PDV BiH

Full name: Zakon o porezu na dodanu vrijednost Bosne i Hercegovine Citation: Sl. glasnik BiH br. 9/2005, 35/2005, 100/2008 et al. Description: Unified VAT law administered at state level. No reduced rates. Administering authority: UIO — Uprava za indirektno oporezivanje (Indirect Taxation Authority) Portal: https://www.uino.gov.ba

Rate	Description
17% (opća stopa)	Standard rate — all goods and services
0%	Exports

Registration threshold: 100,000 BAM annual turnover Return frequency: Monthly Filing deadline: Check UIO portal

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not yet published Law adopted: January 2026 (FBiH only) Expected availability: ~2027

Bilko decision: Do NOT implement CPF integration until technical specs are published. Monitor UIO and FBiH government portals for updates. BiH is Phase 3 launch.

3.6 Corporate Income Tax

Entity	CIT Rate	Filing Deadline
FBiH	10%	March 31
RS (BiH entity)	10%	March 31

Bilko provides CIT calculation support — separate fields for FBiH vs RS entity in organization settings.

4. Croatia (HR) — Regulatory Compliance

Note: Croatia is an EU member state. GDPR applies directly without separate national transposition law.

4.1 Data Protection — GDPR

~~Transfer mechanism — Norway → Croatia:~~

~~Croatia is EU —~~ ~~no restriction~~ ~~on EEA→EU data transfer~~

~~Drop (Norway/EEA) → Croatia (EU): Free flow under GDPR Chapter V + EEA Agreement~~

~~No SCCs required; no TIA required~~

5.2 AML

~~Applicable law:~~ ~~Zakon o sprečavanju pranja novca i financiranja terorizma (ZSPMFT, NN 108/2017, 39/2019, 151/2022)~~ ~~(Law on Prevention of Money Laundering and Terrorist Financing — Croatia)~~

Supervisory authority: ~~Ured~~AZOP — Agencija za ~~sprječavanje~~zaštitu ~~pranja~~osobnih ~~novca~~podataka ~~(USPM)~~Website: ~~— FATF member as EU state~~https://azop.hr

~~name,~~ ~~thresholds~~

Requirement	~~Our~~GDPR ~~Role~~Article	Bilko Implementation
~~Complete~~Lawful ~~sender information — EU Wire Transfer Regulation (2015/847) applies~~basis	✓Art. —6	Contract ~~IBAN,~~(6.1.b) ~~reference~~for service; legal obligation (6.1.c) for tax
~~Croatian~~Data ~~bank performs beneficiary CDD~~minimization	~~Correspondent~~Art. ~~bank~~5(1)(c)	Collect OIB (Croatian ~~HNB-licensed~~tax ~~institution)~~ID), name, email only
~~Croatia~~Right ~~corridor:~~to ~~EUR — EU/EEA — Low risk~~access	~~Standard~~Art. ~~CDD~~15	GET /api/v1/account/data
Right to erasure	Art. 17	DELETE /api/v1/account (PII anonymized; financial records retained per law)
Right to portability	Art. 20	GET /api/v1/account/export (JSON)
Security of processing	Art. 32	TLS 1.3 + AES-256 + bcrypt + RBAC
Breach notification to AZOP	Art. 33	Within 72 hours
DPIA	Art. 35	This document covers accounting data
DPA with processors	Art. 28	Required with Railway, Vercel, Cloudflare, SendGrid

Breach notification contact:

Authority: AZOP — Agencija za zaštitu osobnih podataka

Address: Selska cesta 136, 10000 Zagreb

Email: [email protected]

Portal: https://azop.hr/prijavapovrede

Deadline: 72 hours from awareness (GDPR Art. 33)

5.34.2 PaymentAccounting ServicesLaw — Zakon o računovodstvu

~~Applicable~~Full ~~law:~~name: Zakon o ~~platnom~~računovodstvu ~~prometu~~Citation: (NN ~~66/2018~~78/15, —120/16, 116/18, 42/20, 47/20 Description: Croatian ~~PSD2~~accounting ~~implementation)~~law, ~~Regulator:~~aligns ~~Hrvatska~~with ~~narodna banka (HNB)~~

EU ~~Wire~~Accounting Transfer Regulation (2015/847) applies directly. Drop must include complete originator information on all transfers to Croatia. No direct HNB license required for Norwegian outbound remittance via correspondent banking.Directive.

6. Cross-Border Data Transfer Summary

Bilko Enforced HR CFRS-compliant Report FINA ~~flow~~

~~From~~Requirement	To	~~Mechanism~~	~~TIA Required~~	~~DPA Required~~	~~Notes~~Implementation
~~Norway~~Double-entry ~~(EEA)~~bookkeeping	~~Serbia~~	~~SCCs~~by ~~(2021) + TIA~~	~~Yes~~	~~Yes~~	~~No adequacy decision~~schema
~~Norway~~Chart of accounts: RRiF standard — 10 class system (~~EEA)~~0-9)	~~BiH~~	~~SCCs~~CoA ~~(2021)~~seed ~~+ TIA~~	~~Yes~~	~~Yes~~	~~No adequacy decision~~data
~~Norway~~Accounting standards: CFRS (~~EEA)~~for SMEs) or IFRS (PIEs)	~~Croatia~~	~~EEA→EU free flow~~	No	~~N/A~~	~~EU member state~~reports
~~Norway~~Financial ~~(EEA)~~statements: Bilanca, Račun dobiti i gubitka, Izvještaj o novčanim tokovima	~~Turkey~~	~~SCCs~~generation module (~~2021)~~Phase ~~+ TIA~~	~~Yes~~	~~Yes~~	~~No adequacy decision; higher risk~~2)
~~Norway~~Filing via RGFI (~~EEA)~~Registar godišnjih financijskih izvještaja)	~~Pakistan~~	~~SCCs (2021) + TIA + supplementary measures~~	~~Yes~~	~~Yes~~	~~High-risk jurisdiction~~filing
~~Norway~~Filing ~~(EEA)~~institution: FINA — Financijska agencija — https://www.fina.hr	~~Poland~~
Annual filing deadline: April 30	~~EEA→EU~~Filing ~~free~~reminders
Document retention: 11 years	NoImmutable storage

4.3 General Tax Law — Opći porezni zakon

Full name: Opći porezni zakon Citation: NN 115/16, 106/18, 121/19, 32/20 et al. Description: Framework tax law governing all Croatian taxes, including penalties for VAT non-compliance.

Relevant to Bilko: Defines document retention (11 years), electronic record acceptance, and obligations for digital accounting systems.

4.4 VAT Law — Zakon o porezu na dodanu vrijednost

Full name: Zakon o porezu na dodanu vrijednost Citation: NN 73/13, 148/13, 143/14 et al. Description: Croatian VAT law implementing EU VAT Directive. Portal: ePorezna — https://www.porezna-uprava.hr

Rate	Description	Application
25% (opća stopa)	~~N/A~~Standard rate	General goods and services
13% (srednja stopa)	Intermediate rate	Certain foods, water supply, accommodation, newspapers
5% (snižena stopa)	Reduced rate	Books, baby food, prescription medicines
0%	Zero rate	Exports, intra-EU ~~member state~~supply

Registration threshold: 60,000 EUR annual turnover Return frequency: Monthly Filing deadline: Last day of following month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr Operator: FINA — Financijska agencija Status: Mandatory since January 1, 2026 (all B2B, B2G, B2C) Format: UBL 2.1 XML with HR-CIUS (Croatian Implementation User Specification) Protocol: AS4 (Peppol-compatible) Certificate: FINA qualified certificate required

Integration: @bilko/country-hr package (Phase 2) — FINA API integration required Penalties: Up to 500,000 EUR for non-compliance (severe) Archive requirement: 11 years

4.6 FINA Reporting

All Croatian legal entities file annual financial reports via FINA RGFI portal. Bilko generates FINA-compatible XML/XBRL reports for export. Deadline: April 30.

4.7 HNB (Hrvatska narodna banka)

For organizations with foreign currency transactions, HNB reporting may apply. Bilko supports EUR (Croatia's official currency since January 2024), with historical HRK support for data migration.

5. Cross-Country Compliance Matrix

Requirement	Serbia (RS)	Bosnia & Herzegovina (BA)	Croatia (HR)
Data ~~minimization~~protection law	ZZPL (GDPR-aligned, 2018)	ZZLP BiH (state-level, 2006)	GDPR (directly applicable)
Supervisory authority	Poverenik	AZLP	AZOP
Breach notification deadline	72 hours	72 hours (best practice)	72 hours (GDPR Art. 33)
Double-entry bookkeeping	✅ Mandatory	✅ Mandatory	✅ Mandatory
Standard VAT rate	20%	17%	25%
Reduced VAT rate	10%	None	13% and 5%
VAT return frequency	Monthly/Quarterly	Monthly	Monthly
VAT filing deadline	15th of next month	TBD (UIO)	Last day of next month
E-invoice platform	SEF (mandatory since Jan 2023)	CPF (pending ~2027)	HR-FISK (mandatory since Jan 2026)
E-invoice format	UBL 2.1 XML	TBD	UBL 2.1 XML (HR-CIUS)
Annual report filing	APR — June 30	Agency of Financial Info / Tax Admin RS — March 31	FINA RGFI — April 30
Chart of accounts	Pravilnik (2021)	FBiH Pravilnik (2022)	RRiF standard
Document retention	10 years	10 years (FBiH) / 11 years (RS entity)	11 years
Currency	RSD	BAM	EUR
Corporate income tax	15%	10% (both entities)	18% (10% if revenue <1M EUR)

Bilko retention policy: Apply maximum retention across all markets — 11 years for all ~~transfers:~~financial records. Financial data is never hard-deleted.

~~Sender: Full name only (lawfully required per FATF/EU 2015/847)~~

~~Recipient: Name + account/IBAN only~~

~~Never transferred:~~ ~~fødselsnummer, IP address, device ID, transaction history~~

7.6. Data Classification Scheme

Level	Label	~~Description~~	Examples	Controls Required
L1	Public	~~Intended for public access~~	Exchange rates, fee schedule, privacy policy	None
L2	Internal	~~Internal~~Aggregated ~~use only~~	~~Internal wikis,~~analytics, non-PII ~~analytics,~~ logs ~~(masked)~~	Access control
L3	Confidential	~~Sensitive personal or business data~~	User ~~names, phone,~~ email, ~~transaction~~name, ~~history,~~organization ~~KYC~~data, ~~status~~invoice amounts	Encryption + access control + ~~logging~~audit log
L4	Restricted	~~Highest~~Tax ~~sensitivity,~~IDs ~~regulatory implications~~	~~Fødselsnummer,~~(PIB/JMBG/OIB/JIB), bank account numbers, ~~KYC~~TOTP ~~documents, JWT_SECRET, BankID certificates~~secrets	~~Field-level~~Encryption ~~encryption~~+ RBAC + MFA + ~~strict access +~~ audit + 5-10-year retention

Tax

(Poreski

identifikacioni

broj)

—

digits;

JMBG

matični

građana)

digits

BiH:

JIB

(Jedinstveni

payloads

~~Consent~~9 ~~Type~~	~~Purpose~~	~~Legal~~(Jedinstveni ~~Basis~~	~~Collection~~broj ~~Point~~	~~Withdrawal~~— ~~Method~~
~~Open~~identifikacioni ~~Banking~~broj) ~~AISP~~— 13 digits Croatia: OIB (Osobni identifikacijski broj) — 11 digits All tax IDs treated as L4 Restricted data. Stored with access	~~Read~~logging. ~~bank~~Never ~~balance via PSD2~~	~~Consent Art. 6(1)(a)~~	~~Per balance-read request~~	~~Revoke~~included in ~~app~~JWT ~~settings~~
~~Marketing communications~~	~~Email/push marketing~~	~~Consent Art. 6(1)(a)~~	~~Registration opt-in~~	~~App Settings > Notifications~~
~~Analytical cookies~~	~~Product analytics~~	~~ePrivacy + Consent~~	~~Cookie banner on getdrop.no~~	~~Cookie settings page~~

-- Immutable consent records — append-only
CREATE TABLE user_consents (
    id TEXT PRIMARY KEY,  -- cons_<hex16>
    user_id TEXT NOT NULL REFERENCES users(id),
    consent_type VARCHAR(100) NOT NULL,  -- 'aisp_balance', 'marketing', 'analytics'
    granted BOOLEAN NOT NULL,
    version VARCHAR(20) NOT NULL,  -- Policy version consented to
    ip_address TEXT,
    user_agent TEXT,
    created_at TEXT NOT NULL DEFAULT (datetime('now'))
);

logs.

9.7. Data Subject Rights — Implementation

~~data~~

Right	Endpoint ~~/ Process~~	SLA	~~Automated?~~Notes
Access (~~SAR)~~Art. 15 GDPR / ZZPL Art. 26 / ZZLP Art. 8)	~~[email protected]~~GET →/api/v1/account/data	30 days	Returns user + org + invoices + expenses
Rectification (Art. 16)	PATCH /api/v1/account/profile	Immediate	Email, name
Erasure (Art. 17)	DELETE /api/v1/account	30 days	PII anonymized; financial records retained per law
Portability (Art. 20)	GET /api/v1/account/export	30 days	~~Partial~~JSON export
~~Rectification~~Restriction (Art. 18)	~~App Settings → Edit Profile~~[email protected]	~~Immediate~~30 days	Manual process
Objection (Art. 21)	[email protected]	30 days	Not applicable for contract processing

Erasure exception: Financial records (invoices, expenses, transactions) are retained for the legally required period (10-11 years depending on country) even after user account erasure. Only PII (email, name, password hash) is anonymized.

8. Third-Party Data Processors

~~retention exceptions)~~

Processor	Service	Data Shared	Region	DPA Required
Railway	PostgreSQL hosting	All accounting data	EU West (Frankfurt/Paris)	Yes — sign before launch
Vercel	Frontend hosting	None (static only)	Global (EU edge for EU users)	Yes
~~Erasure~~Cloudflare	~~[email protected]~~CDN, →WAF, ~~anonymize~~R2 ~~job~~storage	30IP ~~days~~addresses, file attachments	~~Partial~~EU ~~(AML~~region	Yes
~~Portability~~SendGrid	~~Data~~Transactional ~~export (JSON/CSV)~~email	30Email ~~days~~addresses, invoice PDFs	~~Planned~~
~~Restriction~~region	~~Support request → compliance flag~~	~~30 days~~	~~No (manual)~~
~~Objection~~	~~[email protected]~~	~~30 days~~	~~No (manual)~~
~~Automated decision opt-out~~	~~Fraud detection manual review request~~	~~30 days~~	~~Partial~~Yes

~~Identity~~DPA ~~verification~~status: All DPAs must be signed before first paying customer. Railway EU West region must be explicitly configured to ensure EU data residency.

9. Compliance Roadmap

Phase 1 — Pre-Launch (GDPR baseline)

User consent mechanism at registration

Data deletion workflow implemented and tested

Data export endpoint implemented

DPAs signed with Railway, Vercel, Cloudflare, SendGrid

Railway EU West region confirmed

Breach notification process documented

Phase 2 — Serbia Launch (3-6 months)

Legal review by Serbian lawyer (računovodstveno pravo + ZZPL)

Serbian CoA seed data (Pravilnik 2021)

VAT calculation at 20% / 10%

SEF XML export (UBL 2.1)

SEF API integration for ~~rights~~B2B ~~requests:~~e-invoicing

~~BankID~~

~~verification~~APR financial report export (~~same~~Bilans asstanja, ~~login).~~
Bilans uspeha)

ZZPL processing register documented

Phase 2 — Croatia Launch (concurrent or shortly after)

Legal review by Croatian lawyer (Zakon o računovodstvu + GDPR)

Croatian CoA seed data (RRiF standard)

VAT calculation at 25% / 13% / 5%

FINA certificate acquisition for HR-FISK

HR-FISK API integration (mandatory for all invoices Jan 2026+)

FINA RGFI report export

AZOP processing register documented

Phase 3 — BiH Launch (12-18 months)

Legal review by BiH lawyer (FBiH + RS entity distinction)

BiH CoA seed data (FBiH Pravilnik 2022)

VAT calculation at 17% (UIO)

Monitor CPF technical specs publication (~2027)

FBiH vs RS entity distinction in org settings

AZLP breach notification process confirmed

10. AuditRisk Schedule & MethodologyAssessment

GDPR/ZZPL

implementation

SEF

integration

before

Serbia

B2B

Phase

HR-FISK

backups,

audit

~~Audit Type~~Risk	~~Frequency~~Likelihood	~~Scope~~Impact	~~Owner~~	~~Last Done~~	~~Next Due~~Mitigation
~~Internal~~GDPR/ZZPL ~~access~~data ~~review~~breach fine	~~Quarterly~~Low (if compliant)	~~All~~High ~~user~~(GDPR ~~accounts~~up +to ~~permissions~~€20M / ZZPL up to RSD 2M)	~~Security~~Full ~~team~~	~~2026-02-13~~	~~2026-05-13~~before first customer
~~Vulnerability~~SEF ~~assessment~~non-compliance (Serbia)	~~Quarterly~~Medium (if not integrated)	~~External~~High ~~attack~~(RSD ~~surface~~2M fine)	~~Security~~Phase /2 ~~external~~	~~2026-02-12~~	~~2026-05-12~~
~~Penetration test~~	~~Annual~~	~~Full scope~~	~~External firm (TBD)~~	~~Not yet done~~	~~2026-Q3~~
~~AML program review~~	~~Annual~~	~~Full AML program~~	~~Compliance + external~~	~~Draft only~~	~~Pre-~~launch
~~GDPR~~HR-FISK non-compliance ~~review~~(Croatia)	~~Annual~~High (if not integrated)	~~All~~Critical ~~processing~~(EUR ~~activities~~500K fine)	~~DPO~~	~~2026-02-12~~2 ~~(DPIA)~~	~~2027-02-12~~integration — mandatory
~~DORA~~Financial ~~readiness~~data ~~review~~loss	~~Annual~~Low	~~ICT resilience~~Critical	~~CISO~~30-day +Railway ~~external~~	~~Not~~immutable ~~yet~~	~~2026-Q4~~trail
~~Third-party~~Tax ~~risk~~calculation ~~review~~error (VAT)	~~Annual~~Low	~~BankID,~~High ~~cloud~~(penalties ~~provider,~~+ ~~Sumsub~~reputational)	~~Compliance~~Configurable tax rates per country, Zod validation
BiH CPF delay	~~Not yet~~Medium	~~Pre-~~Low (launch delayed)	Phase 3 planned, not blocking Serbia/Croatia

DPIA:
Breach

data-breach-response-plan.md

../../products/Bilko/docs/security/COMPLIANCE.md

Serbia

Regulatory:

~~Training~~	~~Audience~~	~~Frequency~~	~~Format~~
Security ~~awareness~~Architecture: +security-architecture.md ~~phishing~~	~~All~~data-protection-impact-assessment.md ~~staff~~	~~Annual~~Response +Plan: ~~onboarding~~	~~Online~~ Bilko +Compliance: ~~simulation~~
~~GDPR~~../../products/Bilko/docs/regulatory/RS/README.md BiH Regulatory: ../../products/Bilko/docs/regulatory/BA/README.md ~~personopplysningsloven~~ Croatia ~~fundamentals~~	~~All~~../../products/Bilko/docs/regulatory/HR/README.md ~~staff handling personal data~~	~~Annual~~	~~Online~~
~~AML / hvitvaskingsloven — Grunnkurs~~	~~All staff~~	~~At employment + annual~~	~~Online~~
~~AML / hvitvaskingsloven — Avansert~~	~~Compliance, operations~~	~~Annual~~	~~Workshop~~
~~PEP og sanksjoner~~	~~Compliance, operations~~	~~Annual~~	~~Online~~
~~Secure coding~~	~~Engineering~~	~~Annual~~	~~Workshop~~
~~Incident response tabletop~~	~~Engineering + Management~~	~~Annual~~	~~Tabletop exercise~~

12. Critical Vendor Compliance Register

~~Vendor~~	~~Service~~	~~Tier~~	~~Requirements~~	~~DPA Status~~
~~BankID Norge AS~~	~~Norwegian eID authentication~~	~~Critical~~	~~SOC 2, ISO 27001~~	~~Required — databehandleravtale~~
~~AWS App Runner~~	~~Application hosting~~	~~Critical~~	~~SOC 2 Type II, ISO 27001, PCI-DSS~~	~~Standard AWS DPA~~
~~Cloudflare~~	~~WAF + DDoS + CDN~~	~~Critical~~	~~SOC 2 Type II, ISO 27001~~	~~Cloudflare DPA~~
~~Sumsub~~	~~KYC/AML identity verification~~	~~Critical~~	~~SOC 2, ISO 27001, GDPR~~	~~Required — DPA~~
~~Sentry~~	~~Error monitoring~~	~~High~~	~~SOC 2~~	~~Sentry DPA~~
~~BetterStack~~	~~Uptime + log monitoring~~	~~High~~	~~SOC 2~~	~~BetterStack DPA~~

Approval

Role	Name	Date
Author	~~Security~~Compliance Architect	2026-02-23
DPO
~~CISO~~
Legal Counsel
CEO ~~/ Management~~