The European Union Agency for Cybersecurity is now officially a CVE Program Root, making ENISA a central contact point for national and EU authorities, the EU CSIRTs network, and partners operating under its mandate. The designation strengthens its role in vulnerability management and expands its responsibility for coordinating disclosures across the region.

As a CVE Numbering Authority, ENISA already assigns CVE IDs and publishes CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, a role it has held since January 2024. Becoming a Root CNA builds on that work and broadens its authority within the CVE program.

The expanded role fits into the EU’s wider push to improve vulnerability coordination and management. It supports ongoing coordinated disclosure efforts across Member States, the development and operation of the EU Vulnerability Database, and ENISA’s tasks under the Cyber Resilience Act, including providing guidance to manufacturers, supporting implementation of the new cybersecurity framework, and operating the Single Reporting Platform. Together, these responsibilities strengthen the EU’s ability to manage vulnerabilities consistently and efficiently across borders.

“By becoming a Root, ENISA moves a step further to improve the development and capacity of the Agency to support vulnerability management in the EU,” Juhan Lepassaar, executive director at ENISA, declared in a media statement. “With the new responsibilities, ENISA extends its support to the CSIRTs network and to all its partners to further enhance the EU’s ability to manage and coordinate cybersecurity vulnerabilities, and improve digital security across the Union.”

As a Root, ENISA will join the CVE Program Council of Roots, which focuses on operational coordination across the CVE Program’s Root hierarchies. At the international level, CVE Program Roots include MITRE, CISA, Google, and Red Hat from the US, and JPCERT/CC from Japan. Within the EU, they are INCIBE Cert, the Thales Group and, most recently, CERT@VDE.

Becoming a Root means ENISA is expanding its role in the CVE Program by taking on additional responsibilities, including identifying, onboarding, and supporting other CNAs within its scope. Additionally, Roots ensure that CVE Program guidelines and processes are followed and that procedures, guidelines, and standards for assigning and managing CVE IDs are further developed.

By maintaining its registry service, ENISA further supports the EU CSIRTs in their coordination work, acting as a CNA for vulnerabilities in IT products discovered by European Union Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure. ENISA will also be a central contact point for cooperative partners that fall under ENISA’s mandate.

The Common Vulnerabilities and Exposures program was launched in 1999 and has since become a global standard for identifying and cataloging publicly disclosed security flaws. It assigns each vulnerability a unique CVE ID and publishes a corresponding record with essential context. Partner organizations worldwide contribute these records, creating a unified reference point that helps security teams, developers, and researchers identify issues, exchange information, and address vulnerabilities more effectively.

ENISA’s Root scope will include organisations falling under its mandate. For existing CNAs who are eligible and interested in moving under ENISA’s Root, the CVE Program encourages a collaborative and voluntary transition. The CVE Program will closely engage with each organisation to ensure a smooth transition process. A transition period is foreseen for those CNAs who intend to change Root. The phased approach by ENISA will allow for thoughtful coordination, ongoing support, and alignment with the preferences and operational needs of each CNA.

ENISA becoming a CVE Program Root in addition to its CNA responsibilities marks a meaningful expansion of its role in coordinated vulnerability management, reinforcing its capacity to identify, triage, and help remediate security flaws at scale. By harmonizing CVE practices, elevating the quality and timeliness of CVE Records, and supporting a smooth, voluntary transition for eligible CNAs, ENISA will help reduce fragmentation, strengthen cross-border coordination, and accelerate responsible disclosure. 

Working alongside the global community of Roots, ENISA will foster greater transparency, trust, and operational consistency for CSIRTs, industry, and public authorities alike. These responsibilities underscore ENISA’s commitment to a secure, resilient, and innovative digital ecosystem for EU citizens, businesses, and public administrations.

ENISA’s work on vulnerability disclosure and handling spans several major initiatives. One of these is the European Vulnerability Database, developed under the NIS2 Directive. The database is now operational and maintained by ENISA, giving Member States a shared resource for tracking and managing vulnerabilities across the region.

ENISA is also developing the Single Reporting Platform under the Cyber Resilience Act. The goal of this platform is to provide a central channel for reporting actively exploited vulnerabilities. Manufacturers will be required to submit these notifications starting in September 2026, a shift expected to raise overall product security.

In its role as secretariat of the EU CSIRTs network, ENISA supports coordinated vulnerability disclosure as well. When a vulnerability is judged to have a potentially significant impact across more than one Member State, ENISA assists the designated CSIRTs in working together on coordination efforts. The agency also publishes guidelines and studies to help Member States develop and refine their own coordinated vulnerability disclosure policies.


Anna Ribeiro


Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.