Compliance Framework

Compliance Framework Document

Project: Bilko — Balkan Accounting SaaS Version: 1.0 Date: 2026-02-23 Author: DPO / Compliance OfficerArchitect Status: Draft Reviewers: CTO,DPO, Legal CounselCounsel, (RS, BA, HR)CEO Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	DPOCompliance Architect	Initial draft — RS/BA/HR three-country compliance mapping

---

1. ComplianceApplicable ScopeRegulations

BilkoCompliance isOwner: aCompliance cloudArchitect accounting([email protected]) SaaSLast operatingReview: in2026-02-23 three| jurisdictions.Next EachReview: has distinct data protection, accounting, tax, and e-invoicing requirements.2026-08-23

graphTDsubgraphRS["




















































































Regulation
Country
Phase
GDPR — Regulation (EU) 2016/679
HR
Phase 1
Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS 87/2018)
RS
Phase 2
Zakon o zaštiti ličnih podataka BiH (ZZLP, Sl. glasnik BiH 49/2006)
BA
Phase 3
Zakon o računovodstvu (Sl. glasnik RS 73/2019)
RS
Phase 2
Zakon o računovodstvu i reviziji FBiH (Sl. novine FBiH 83/2009)
BA (FBiH)
Phase 3
Zakon o računovodstvu i reviziji RS BiH (Sl. glasnik RS BiH 96/2005)
BA (RS entity)
Phase 3
Zakon o računovodstvu HR (NN 78/15, 120/16, 116/18)
HR
Phase 2
Zakon o PDV RS (Sl. glasnik RS 84/2004 et al.)
RS
Phase 2
Zakon o PDV BiH (Sl. glasnik BiH 9/2005 et al.)
BA
Phase 3
Zakon o porezu na dodanu vrijednost HR (NN 73/13 et al.)
HR
Phase 2
Zakon o elektronskom dokumentu RS (Sl. glasnik RS 51/2009)
RS
Phase 2
Opći porezni zakon HR (NN 115/16 et al.)
HR
Phase 2
Pravilnik o kontnom okviru RS (2021)
RS
Phase 2
FBiH Pravilnik o kontnom okviru (2022)
BA (FBiH)
Phase 3
RRiF Kontni plan HR
HR
Phase 2


2. Serbia (RepublikaRS) Srbija)"]— RS_DP["ZZPLRegulatory Compliance

2.1 Data Protection — Zakon o zaštiti podataka o ličnosti\nSl. glasnik RS 87/2018ličnosti (GDPR-aligned)"]ZZPL)
RS_ACC["Zakon
Full o računovodstvu\nSl. glasnik RS 73/2019"]
        RS_VAT["Zakon o PDV\n20% / 10% / 0%"]
        RS_SEF["SEF e-Invoice\nUBL 2.1 XML — B2B mandatory Jan 2023\nPenalty: 50K–2M RSD"]
        RS_APR["APR Filing\nJune 30 deadline"]
    end

    subgraph BA["Bosnia & Herzegovina"]
        BA_DP["ZZLP BiH —name: Zakon o zaštiti ličnih podataka\nSl. glasnik BiH 49/2006"]
        BA_FBiH["FBiH: Zakonpodataka o računovodstvuličnosti
iCitation: reviziji FBiH\nSl. novine FBiH 83/2009 + Pravilnik 2022"]
        BA_RSBA["RS entitet: Zakon o računovodstvu i reviziji RS BiH\nSl. glasnik RS BiH 96/2005"]
        BA_VAT["Zakon o PDV BiH\n17% / 0% — UIO authority"]
        BA_CPF["CPF e-Invoice\nPending ~2027"]
    end

    subgraph HR["Croatia (Hrvatska)"]
        HR_DP["GDPR — directly applicable (EU member)\nUredba (EU) 2016/679"]
        HR_ACC["Zakon o računovodstvu\nNN 78/15, 116/18, 42/20, 47/20, 114/22"]
        HR_VAT["Zakon o porezu na dodanu vrijednost\n25% / 13% / 5% / 0%"]
        HR_FISK["HR-FISK (eRačun B2G/B2B)\nFINA certificate — mandatory Jan 2026\nPenalty: up to EUR 500K"]
        HR_FINA["FINA RGFI\nApril 30 deadline"]
    end

---

2. Data Protection Compliance

2.1 Applicable Laws

2018

Jurisdiction	Law	Supervisory Authority	Penalty
Serbia	ZZPL (Sl. glasnik RS br. 87/2018)	In force: November 21, 2018 Description: Serbia's GDPR-aligned personal data protection law. Supervisory authority: Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti	Up to 2M RSD (legal entity)
Bosnia & Herzegovina	ZZLP BiH (Sl. glasnik BiH 49/2006)	Agencija za zaštitu ličnih podataka (AZLP)	Up to 10K BAM
Croatia	GDPR Uredba (EU) 2016/679	Agencija za zaštitu osobnih podataka (AZOP)	Up to €20M or 4% global turnover

2.2 Legal Basis for Processing

Data Category	Legal Basis	Jurisdiction
Account email, name	Contract performance (Art. 6(1)(b) GDPR / Art. 12(1)(b) ZZPL)	All
Tax IDs (PIB, JMBG, OIB, JIB)	Legal obligation — accounting/tax law	RS, BA, HR
IBAN, bank accounts	Contract performance	All
IP address, session logs	Legitimate interest — security	All
Financial transaction data	Legal obligation — accounting/tax law	All

2.3 Data Subject Rights Implementation

Right	GDPR Article	ZZPL Equivalent	Status
Access	Art. 15	Art. 26	Planned — /api/gdpr/export endpoint
Rectification	Art. 16	Art. 27	In-app edit functionality
Erasure ("Right to be forgotten")	Art. 17	Art. 28	Blocked by legal retention requirements
Portability	Art. 20	Art. 30	Planned — JSON/CSV export
Restriction	Art. 18	Art. 29	Planned — account suspension flow
Objection	Art. 21	Art. 31	Via support ticket

Note on Erasure:Website: Financial data cannot be erased during mandatory retention periods (10 years RS, 10-11 years BA, 11 years HR). Account can be anonymized (name/email) but transaction records must be kept.https://www.poverenik.rs

2.4 Cross-Border Data Transfers

• Host: Railway EU West (Amsterdam / Frankfurt) — within EEA
• HR → Railway: No transfer mechanism needed (EU to EU)
• RS → Railway: Serbia is on GDPR adequacy list (European Commission Decision 2023/1485)
• BA → Railway: No EU adequacy decision for BiH. Rely on Standard Contractual Clauses (SCC 2021/914) with Railway as processor.

2.5 DPA Requirements

Data Processing Agreements must be signed with:

• Railway (primary database host)
• Cloudflare (WAF, CDN — processes IP addresses)
• Sentry (error tracking — processes stack traces with potential PII)
• Any email service provider

---

3. Accounting & Tax Compliance

3.1 Serbia (RS)

ZZPL legally bcrypt,hours

Requirement	Law	DetailsArticle	Bilko Implementation
ChartLawful ofbasis Accountsfor processing	PravilnikArt. o kontnom okviru (Sl. glasnik RS 3/2020)12	StandardContract Serbian(Art. CoA12 st. 1 tač. 2) — 9accounting classes	RS-specific CoA template preloaded on org creationservice
VATData ratesminimization	ZakonArt. o5 PDVst. (Sl.1 glasniktač. RS 84/2004 + amendments)3	20%Email, standard,name, 10%PIB/JMBG reduced,only 0%where exempt	VAT rate selector on invoice line itemsrequired
FinancialData statementssubject rights	ZakonArt. o računovodstvu26-41	BilansGET stanja/account/data, +DELETE Bilans/account, uspehaGET (BS format)	Export to APR-compliant XML/PDF
Mandatory e-invoicing	Zakon o elektronskom fakturisanju (Sl. glasnik RS 44/2021)	B2B mandatory since Jan 1, 2023 (≥4.5M RSD)	SEF API integration (UBL 2.1 XML)
APR filing deadline	Zakon o računovodstvu Art. 33	June 30 (full-year entities), March 31 (other)	In-app reminder + /account/export
RetentionProcessing periodregister	Zakon o računovodstvu Art. 2650	10Internal yearsprocessing forregister financial statements and documentation	Delete-prevention lock on records >0 days oldrequired
PausalSecurity regimeof processing	ZakonArt. o paušalnom oporezivanju50	<6MTLS RSD1.3, annualAES-256, income	Simplified invoice mode for pausal firmsRBAC
PIO/healthBreach contributionsnotification to Poverenik	ZakonArt. o doprinosima56	AppliedWithin to72 salaries	Future:of payroll moduleawareness

SEFBreach Integration:notification: [email protected] | Bulevar kralja Aleksandra 15, 11000 Belgrade

• Portal: efaktura.mfin.gov.rs
• Format: UBL

  2.1 XML (HR-CIUS compatible subset)

• Authentication: API key per organization
• Mandatory fields: seller PIB, buyer PIB, invoice number, date, amounts, VAT breakdown

3.2 BosniaAccounting &Law Herzegovina— (BA)Zakon o računovodstvu

Full name: Zakon o računovodstvu Citation: Sl. glasnik RS br. 73/2019, 44/2021

export

Requirement	Law	Details	Bilko Implementation
FBiHDouble-entry CoAbookkeeping	FBiHSchema Pravilnikenforces o računovodstvu (Sl. novine FBiH 89/2016debitAccountId + 2022 revision)	FBiH-specific chart of accounts	FBiH CoA templatecreditAccountId
RSChart entityof CoAaccounts: Pravilnik o kontnom okviru (2021) — 10 class (0-9)	RS BiH Pravilnik	RS entity chart of accounts (differs from FBiH)	RS BiHSerbian CoA templateseed data
VATBilans ratestanja (Balance Sheet) + Bilans uspeha (Income Statement)	ZakonPhase o2 PDV BiH (Sl. glasnik BiH 9/2005)	17% standard, 0% exempt — UIO authority	VAT 17% selectorreports
VATFiling: filingAPR (https://www.apr.gov.rs), deadline June 30	UIOPDF portal	Monthly/quarterly+ PDV prijava	Export to UIO-compatible formatreminders
FilingDocument deadlineretention: 10 years	FBiH/Soft delete — never hard delete financial data

2.3 VAT — Zakon o PDV

Citation: Sl. glasnik RS entitybr. laws84/2004 (consolidated)

goods

Rate	Description
20% (opšta stopa)	MarchStandard 31— (mostgeneral entities)	In-appand reminderservices
FBiH10% retention(snižena stopa)	ZakonReduced o— računovodstvufood, imedicines, reviziji FBiH Art. 17	10 years	Delete-prevention lockutilities
RS entity retention0%	ZakonExports, ointernational računovodstvu i reviziji RS BiH Art. 16	11 years	Delete-prevention lock
e-Invoice	CPF platform (pending)	Expected mandatory ~2027	Roadmap item
CIT rate	Zakon o porezu na dobit FBiH	10% flat	Future: tax calculation moduletransport

EntityVAT detection:threshold: 8,000,000 RSD | Return: Monthly (>50M RSD) or Quarterly | Deadline: 15th of next month

2.4 E-Invoice — SEF (Sistem e-Faktura)

Platform: https://efaktura.gov.rs | Mandatory: B2B since January 2023 Format: UBL 2.1 XML | Penalties: 50,000–2,000,000 RSD for non-compliance Integration: @bilko/country-rs package (Phase 2)

2.5 APR Filing

Serbian entities file annual financial reports with APR (Agencija za privredne registre). Deadline: June 30. Bilko mustgenerates determineAPR-compatible ifPDF/XML anexports.

organization

---

is

3. inBosnia FBiH,& RSHerzegovina entity,(BA) or— BrčkoRegulatory DistrictCompliance

to

Complexity: applyBiH thehas correcttwo CoAentities (FBiH and retentionRepublika rules.Srpska). OnVAT orgunified creation,at userstate selectslevel via UIO. Direct taxes separate per entity. Brčko follows BiH state-level law.

3.31 CroatiaData Protection — Zakon o zaštiti ličnih podataka BiH (HR)ZZLP)

Full name: Zakon o zaštiti ličnih podataka Bosne i Hercegovine Citation: Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011 Supervisory authority: AZLP — Agencija za zaštitu ličnih podataka Bosne i Hercegovine Website: https://www.azlp.ba

ZZLP

Requirement	Law	DetailsArticle	Bilko Implementation
CoALawful basis	Art. 4	Contract + legal obligation
Security measures	Art. 14	TLS 1.3, AES-256, bcrypt, RBAC
Cross-border transfer	Art. 18	Railway EU West — SCCs mechanism
Breach notification to AZLP	Art. 14 + GDPR practice	72 hours

Breach notification: [email protected] | Hamdije Čemerlića 2/VI, 71000 Sarajevo

3.2 FBiH — Accounting Law

Full name: Zakon o računovodstvu i reviziji Federacije Bosne i Hercegovine Citation: Sl. novine FBiH br. 83/2009, 56/2023

Requirement	Bilko Implementation
Double-entry bookkeeping	Schema enforced
Chart of accounts: FBiH Pravilnik (2022)	BiH CoA seed data
Filing: Agency of Financial Information (FBiH), deadline March 31	PDF export
Document retention: 10 years	Immutable storage

3.3 Republika Srpska (BA Entity)

Citation: Sl. glasnik RS BiH br. 96/2005, 74/2016 Filing: Tax Administration of RS (BiH entity), March 31 Retention: 11 years — maximum applied across BA entities

3.4 VAT — Zakon o PDV BiH

Citation: Sl. glasnik BiH br. 9/2005 (consolidated) Authority: UIO — Uprava za indirektno oporezivanje | https://www.uino.gov.ba

Rate	Description
17% (opća stopa)	Standard — all goods and services
0%	Exports

Threshold: 100,000 BAM | Return: Monthly | No reduced rates

3.5 E-Invoice — CPF (Central Platform for Fiscalisation)

Status: PENDING — technical specifications not published Law adopted: January 2026 (FBiH only) Expected: ~2027

Bilko decision: DO NOT implement CPF until specs published. BiH is Phase 3 launch.

3.6 Corporate Income Tax

Entity	Rate	Deadline
FBiH	10%	March 31
RS (BiH entity)	10%	March 31

---

4. Croatia (HR) — Regulatory Compliance

Note: Croatia is EU member state. GDPR applies directly.

4.1 Data Protection — GDPR

Applicable: GDPR Regulation (EU) 2016/679 (directly applicable) National implementing act: Zakon o provedbi Opće uredbe (NN 78/42/2018) Supervisory authority: AZOP — Agencija za zaštitu osobnih podataka | https://azop.hr

Requirement	GDPR Article	Bilko Implementation
Lawful basis	Art. 6	Contract (6.1.b) for service; legal obligation (6.1.c) for tax
Data minimization	Art. 5(1)(c)	OIB, name, email only
Right to access	Art. 15	CroatianGET /api/v1/account/data
Right to erasure	Art. 17	DELETE /api/v1/account
Right to portability	Art. 20	GET /api/v1/account/export
Security of processing	Art. 32	TLS 1.3, AES-256, bcrypt, RBAC
Breach notification to AZOP	Art. 33	Within 72 hours
DPA with processors	Art. 28	Railway, Vercel, Cloudflare, SendGrid

Breach notification: [email protected] | https://azop.hr/prijavapovrede | Selska cesta 136, 10000 Zagreb

4.2 Accounting Law — Zakon o računovodstvu HR

Citation: NN 78/15, 120/16, 116/18, 42/20

Requirement	Bilko Implementation
Double-entry bookkeeping	Schema enforced
Chart of accounts: RRiF standard CoA (HSFI / MSFI for large entities)	HR CoA templateseed data
Accounting standards: CFRS (SMEs) or IFRS (PIEs)	CFRS-compliant reports
Bilanca + Račun dobiti i gubitka	Report generation Phase 2
Filing: FINA RGFI (https://www.fina.hr), deadline April 30	FINA-compatible export
Document retention: 11 years	Immutable storage

4.3 General Tax Law — Opći porezni zakon HR

Citation: NN 115/16, 106/18, 121/19, 32/20 Document retention 11 years, electronic record acceptance, digital accounting system obligations.

4.4 VAT — Zakon o PDV HR

Citation: NN 73/13 et al. | Portal: ePorezna — https://www.porezna-uprava.hr

Rate	Description
25% (opća stopa)	Standard — general goods and services
13% (srednja stopa)	Intermediate — foods, water, accommodation
5% (snižena stopa)	Reduced — books, baby food, medicines
0%	Exports, intra-EU supply

Threshold: 60,000 EUR | Return: Monthly | Deadline: Last day of next month

4.5 E-Invoice — HR-FISK / eRačun

Platform: https://hr-fisk.fina.hr | Operator: FINA — Financijska agencija Mandatory since: January 1, 2026 (all B2B, B2G, B2C) Format: UBL 2.1 XML with HR-CIUS | Protocol: AS4 (Peppol-compatible) Certificate: FINA qualified certificate required Penalties: Up to EUR 500,000 for non-compliance Archive: 11 years

Integration: @bilko/country-hr — FINA certificate + API (Phase 2)

4.6 Corporate Income Tax — Croatia

• Standard rate: 18% | Reduced: 10% (revenue <1M EUR) | Deadline: April 30

---

5. Cross-Country Compliance Matrix

Requirement	Serbia (RS)	Bosnia & Herzegovina (BA)	Croatia (HR)
Data protection law	ZZPL (GDPR-aligned, 2018)	ZZLP BiH (2006)	GDPR (directly applicable)
Supervisory authority	Poverenik	AZLP	AZOP
Breach notification deadline	72 hours (ZZPL Art. 56)	72 hours (best practice)	72 hours (GDPR Art. 33)
VAT standard rate	20%	17%	25%
VAT reduced rate	10%	None	13% / 5%
E-invoice platform	SEF (mandatory Jan 2023)	CPF (pending ~2027)	HR-FISK (mandatory Jan 2026)
E-invoice format	UBL 2.1 XML	TBD	UBL 2.1 XML (HR-CIUS)
Annual report filing	APR — June 30	Agency Fin. Info / Tax Admin — March 31	FINA RGFI — April 30
Chart of accounts	Pravilnik (2021)	FBiH Pravilnik (2022)	RRiF standard
Document retention	10 years	10 (FBiH) / 11 (RS entity)	11 years
Currency	Since Jan 2024: EUR onlyRSD	HRK phased out. All amounts in EUR.BAM	EUR default for HR orgs
VATCIT ratesrate	Zakon o PDV (NN 73/13)15%	25% standard, 13% (food/hotels), 5% (books/medicines), 0%10%	VAT rate selector per line item
VAT filing	Porezna uprava	Monthly/quarterly PDV obrazac	Export for manual filing18% (Porezna10% uprava<1M portal)
HR-FISK (eRačun)	Zakon o elektroničkom izdavanju računa u javnoj nabavi (NN 94/18) + amendments	Mandatory Jan 1, 2026 for B2B above threshold. FINA certificate required. UBL 2.1 XML HR-CIUS. Penalty up to EUR 500K	HR-FISK API integration — Roadmap P2
FINA RGFI filing	Zakon o računovodstvu Art. 30	April 30	In-app reminder + FINA export
Retention	Zakon o računovodstvu Art. 10 + Opći porezni zakon	11 years	Delete-prevention lock
Fiscalization 2.0	Pravilnik o fiskalizaciji	Cash register fiscalization (if cash payments)	Cash receipt module with Porezna uprava integrationEUR)

HR-FISKBilko Priority:retention policy: Croatia'sApply eRačunmaximum mandateacross (Janall 2026)markets with— EUR11 500K penalty makes this the highest-priority e-invoicing integration. FINA certificate must be obtained during onboardingyears for HRall organizations.financial records. Never hard delete.

---

4.6. ControlsData RegisterClassification Scheme

To

Control IDLevel	DescriptionLabel	TypeExamples	AppliesControls
L1	Public	Exchange rates, fee schedule, privacy policy	None
L2	Internal	Aggregated analytics, non-PII logs	Access control
L3	Confidential	Email, name, organization data, invoice amounts	Encryption + access control + audit
L4	Restricted	PIB/JMBG/OIB/JIB (tax IDs), IBAN, TOTP secrets, password hashes	Encryption + RBAC + MFA + audit + 11-year retention

Tax ID types by country:

• Serbia: PIB (9 digits), JMBG (13 digits)
• BiH: JIB (13 digits)
• Croatia: OIB (11 digits)

---

7. Data Subject Rights Implementation

Right	Endpoint	SLA	Exception
Access (GDPR Art. 15 / ZZPL Art. 26)	GET /api/v1/account/data	30 days	—
Rectification (Art. 16)	PATCH /api/v1/account/profile	Immediate	—
Erasure (Art. 17)	DELETE /api/v1/account	30 days	Financial records retained per law
Portability (Art. 20)	GET /api/v1/account/export	30 days	—
Restriction (Art. 18)	[email protected]	30 days	Manual

Erasure exception: Invoices, expenses, transactions retained 10-11 years (accounting law). Only PII (email, name, password hash) anonymized.

---

8. Third-Party Data Processors

EU

Processor	Service	Region	DPA Status
CC-01Railway	AES-256-GCMPostgreSQL encryption for L4 Restricted fields (PIB, JMBG, OIB, JIB, IBAN)hosting	Technical	RS, BA, HR	Planned
CC-02	Organization-scoped WHERE on all Prisma queries	Technical	All	Planned
CC-03	RBAC with 4 rolesWest (owner/admin/accountant/viewer)	Technical	All	Planned
CC-04	JWT RS256 with 15min expiry + refresh token rotation	Technical	All	Planned
CC-05	TLS 1.3 minimum via Cloudflare	Technical	All	Active
CC-06	LoggedAction audit trail (append-only, 10-11yr retention)	Technical	All	Planned
CC-07	DPA signed with Railway, Cloudflare, Sentry	Legal	AllFrankfurt/Paris)	Required pre-— sign before launch
CC-08Vercel	SEFFrontend integration for RS B2B e-invoicinghosting	TechnicalEU edge	RS	P2 RoadmapRequired
CC-09Cloudflare	HR-FISKCDN, integrationWAF, +R2 FINA certificate flowstorage	TechnicalEU region	HR	P2 RoadmapRequired
CC-10SendGrid	DataTransactional subject rights endpoints (/gdpr/export, /gdpr/delete)email	Technical	All	Planned
CC-11	72-hour breach notification procedure to Poverenik/AZLP/AZOP	Procedural	AllEU	Required pre-launch
CC-12	Privacy Policy in Serbian, Bosnian, Croatian	Legal	RS, BA, HR	Required pre-launch
CC-13	Terms of Service with data processing consent	Legal	All	Required pre-launch
CC-14	VAT rate validation per jurisdiction	Technical	RS, BA, HR	Planned
CC-15	Retention lock preventing deletion of accounting records during mandatory retention period	Technical	All	Planned

---

5.9. Compliance Roadmap

gantt
    title Bilko Compliance Roadmap
    dateFormat  YYYY-MM

    section 
Phase 1 — MVPPre-Launch (pre-launch)GDPR GDPR/ZZPLbaseline)
core

controls     : 2026-03, 2026-05
    DPAs signed                  : 2026-04, 2026-05
 Privacy Policypolicy (3published
languages) : 2026-04, 2026-05
 Terms of Service :published
2026-04,
 2026-05User DPIAconsent completedmechanism :at 2026-04,registration
2026-05
 sectionData deletion + anonymization workflow

 Data export endpoint

 DPAs signed: Railway, Vercel, Cloudflare, SendGrid

 Railway EU West region confirmed

 Breach notification process ready


Phase 2 — RSSerbia Launch + Croatia Launch

Serbia:


 Legal review (accounting law + ZZPL)

 Serbian CoA seed data (Pravilnik 2021)

 VAT at 20% / 10%

 SEF e-invoiceXML export + API integration

 APR report export (Bilans stanja, Bilans uspeha)


Croatia:


 Legal review (Zakon o računovodstvu + GDPR)

 Croatian CoA seed data (RRiF)

 VAT at 25% / 13% / 5%

 FINA certificate for HR-FISK

 HR-FISK API integration :(mandatory)
2026-06,
 2026-08FINA RSRGFI CoA + APRreport export
:
2026-06, 2026-07
    RS VAT reporting             : 2026-06, 2026-07

    section 
Phase 3 — BABiH Launch
BA

entity
 detectionLegal review (FBiH vs+ RS)RS :entity 2026-09,distinction)
2026-10
 BABiH CoA templatesseed :data 2026-09,(FBiH 2026-10Pravilnik UIO2022)

 VAT exportat :17% 2026-09,(UIO)
2026-10
 sectionMonitor CPF specs (~2027)

 FBiH vs RS entity org settings



10. Risk Assessment





















Launch
cert2026-12:PoreznaupravaPDV2026-10,2026-11FINA2026-11












Risk
Likelihood
Impact
Mitigation
GDPR/ZZPL breach fine
Low (if compliant)
High (GDPR €20M / ZZPL RSD 2M)
Full implementation before first customer
SEF non-compliance (RS)
Medium
High (RSD 2M)
Phase 42 —SEF HRintegration

HR-FISK +non-compliance FINA(HR)
High flow(if :not 2026-10,integrated)
Critical HR CoA + (EUR amounts500K)
Phase 2026-10,2 2026-11mandatory


Financial exportdata :loss
Low
Critical
30-day RGFIRailway exportbackups, :immutable 2026-10,audit

Tax calculation error
Low
High
Configurable rates, NUMERIC precision, Zod
BiH CPF delay
Medium
Low
Phase 3 planned, not blocking RS/HR


Related Documents


Security Architecture: security-architecture.md

DPIA: data-protection-impact-assessment.md

Breach Response Plan: data-breach-response-plan.md

Bilko Compliance: ../../products/Bilko/docs/security/COMPLIANCE.md

Serbia Regulatory: ../../products/Bilko/docs/regulatory/RS/README.md

BiH Regulatory: ../../products/Bilko/docs/regulatory/BA/README.md

Croatia Regulatory: ../../products/Bilko/docs/regulatory/HR/README.md



Approval

















Role
Name
SignatureDate
DateSignature




Author
DPO / Compliance Officer
Architect
2026-02-23


Reviewer (CTO)DPO





ReviewerLegal (RS Legal)Counsel





Reviewer (BA Legal)CEO
Reviewer (HR Legal)
Approver
CEO