ENISA Becomes CVE Root To Strengthen EU CVE Root Management

The European Union Agency for Cybersecurity (ENISA) has taken a major step forward in advancing vulnerability management across Europe by becoming a CVE Root within the global Common Vulnerabilities and Exposures (CVE) Program. This designation makes ENISA a central point of contact for national and EU authorities, members of the EU CSIRTs Network, and other partners under its mandate. 

Previously acting as a CVE Numbering Authority (CNA), ENISA has been authorized since January 2024 to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs. The move to CVE Root status expands the agency’s responsibilities and strengthens the coordination of vulnerability management efforts throughout the EU.

ENISA’s Executive Director, Juhan Lepassaar, emphasized the importance of this milestone: “By becoming a Root, ENISA moves a step further to improve the development and capacity of the Agency to support vulnerability management in the EU. With the new responsibilities, ENISA extends its support to the CSIRTs network and to all its partners to further enhance the EU’s ability to manage and coordinate cybersecurity vulnerabilities and improve digital security across the Union.” 

This development aligns with wider EU investments in coordinated vulnerability disclosure, the European Vulnerability Database (EUVD), and responsibilities outlined in the Cyber Resilience Act (CRA). Under the CRA, ENISA will guide manufacturers on compliance, assist in applying the new cybersecurity framework, and contribute to the development of the Single Reporting Platform for vulnerability notifications. 

Understanding the CVE Program and ENISA’s Expanded Mandate 

Founded in 1999, the CVE Program serves as a global system for identifying and cataloging publicly disclosed vulnerabilities. CVE IDs and accompanying records allow developers, organizations, and cybersecurity professionals to understand and address security flaws quickly. As a key figure in this ecosystem, ENISA now plays an expanded role in supporting the identification, onboarding, and oversight of CNAs that fall within its scope. 

As a CVE Root, ENISA will help enforce CVE Program guidelines, refine procedures for assigning and managing CVE IDs, and maintain its registry services to support the vulnerability coordination work of EU CSIRTs. It will also act as a central contact point for cooperative partners under its mandate. 

ENISA will join the CVE Program Council of Roots, the coordinating body responsible for overseeing operational alignment among Root organizations. Internationally, Roots include MITRE, CISA, Google, Red Hat, and Japan’s JPCERT/CC. Within the EU, INCIBE-CERT, Thales Group, and CERT@VDE are existing Roots, now accompanied by ENISA. 

Transition Plans for Existing CNAs 

ENISA’s new Root scope applies to organizations within its mandate, and eligible CNAs interested in transitioning under ENISA’s Root may do so voluntarily. The CVE Program will collaborate closely with each organization to support a smooth and phased transition. This approach ensures that CNAs can align the change with their operational requirements while maintaining continuity in their vulnerability management processes. 

By becoming a CVE Root, ENISA deepens its involvement in coordinated vulnerability management across the EU. The agency’s expanded duties will help enhance the accuracy and timeliness of CVE Records, improve cross-border coordination, and support responsible vulnerability disclosure practices. These advances contribute directly to reducing fragmentation across Member States and creating a more unified European cybersecurity ecosystem. 

ENISA also plays a pivotal role in several strategic EU cybersecurity initiatives. It operates the European Vulnerability Database (EUVD), developed under the NIS2 Directive and now fully operational. Additionally, the agency is developing the Single Reporting Platform (SRP) under the Cyber Resilience Act to facilitate mandatory reporting of actively exploited vulnerabilities by manufacturers starting in September 2026. 

Conclusion  

As secretariat of the EU CSIRTs Network, ENISA plays a key role in coordinating vulnerability disclosure across Member States and guiding CVD policies, reinforcing Europe’s cybersecurity resilience. Its new CVE Root status further strengthens its capacity in vulnerability management and cross-border coordination. 

Complementing these efforts, Cyble offers AI-driven threat intelligence and real-time monitoring, enabling European enterprises to detect, investigate, and mitigate emerging cyber threats. Request a personalized demo from Cyble today to enhance your organization’s cyber resilience. 


