Following its November move to become an official CVE Program Root, the European Union Agency for Cybersecurity (ENISA) announced that four organizations have joined the Common Vulnerabilities and Exposures (CVE) Program as CVE Numbering Authorities (CNAs) under the ENISA Root. The organizations were trained and onboarded by ENISA, reinforcing the agency’s role as a central coordination point for national and EU authorities, the EU CSIRTs network, and partners operating under its mandate.
As CVE Root, ENISA supports gradual transition of existing European CNAs under its Root. As part of the shared global responsibility for vulnerability management, currently, seven CNAs have moved from MITRE Root to ENISA Root, in addition to the four new CNAs in the Program.
“Onboarding and training our first CNAs under ENISA Root is a major milestone for European cybersecurity,” Hans de Vries, chief cybersecurity and operations officer, stated in a statement last week. “It strengthens Europe’s operational contribution to the global CVE Program and improves the reliability, timeliness, and coordination of vulnerability handling across the EU.”
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered, then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue and coordinate their efforts to prioritize and address the vulnerabilities.
ENISA’s role as CVE Root further strengthens the agency’s support to the CSIRTs Network and to its broader community of partners. In doing so, ENISA contributes to more consistent, timely, and coordinated vulnerability identification and handling across Europe. This role is carried out in close coordination with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and not-for-profit organization MITRE, as part of a shared commitment to strengthen the resilience, quality, and long-term sustainability of the global CVE Program.
It also reflects ENISA’s wider objective of reinforcing, rather than fragmenting, the shared global vulnerability identifier backbone on which governments, vendors, researchers, and defenders rely.
ENISA’s initiative comes at a time when frontier AI models are accelerating vulnerability discovery and exploitation; Europe’s vulnerability management capacity must keep pace and provide trusted operational support to the wider cybersecurity community. Frontier AI models are challenging traditional security paradigms by compressing the vulnerability management lifecycle and attack chain, from discovery to exploitation.
Given the expected increase in reported and discovered IT vulnerabilities, ENISA has been growing its capacity and expertise, and intends to further augment its operational resources and scalable support mechanisms in partnership with Member States. Additional capacities to reinforce this function have been proposed in the Cybersecurity Act 2.
Since November, ENISA has served as the central point of contact within the CVE Program for national and EU authorities, EU CSIRTs Network members, and cooperative partners under ENISA’s mandate. The agency’s role as Root includes recruiting, onboarding, training, supporting, and managing CNAs within its scope, facilitating their transition where relevant, and ensuring the effective assignment of CVE Identifiers (CVE IDs) and publication of CVE Records. This role also helps ensure that CVE Program rules, guidelines, and processes are followed.
