New CVE Numbering Authorities Under ENISA Root

Back to News

Press Release May 06,2026

Today, four organisations have newly joined the Common Vulnerabilities and Exposures (CVE™) Program as CVE Numbering Authorities (CNAs) under ENISA Root. These organisations were all trained and onboarded by ENISA.

ENISA acts as CVE Root for European entities within its scope, including vulnerabilities discovered by or reported to EU CSIRTs. As CVE Root, ENISA also supports the gradual transition of existing European CNAs under its Root. As part of the shared global responsibility for vulnerability management, currently, seven CNAs have moved from MITRE Root to ENISA Root, in addition to the four new CNAs in the Program.

Hans de Vries, Chief Cybersecurity and Operations Officer, stated: "Onboarding and training our first CNAs under ENISA Root is a major milestone for European cybersecurity. It strengthens Europe’s operational contribution to the global CVE Program and improves the reliability, timeliness, and coordination of vulnerability handling across the EU. At a time when frontier AI models are accelerating vulnerability discovery and exploitation, Europe’s vulnerability management capacity must keep pace and provide trusted operational support to the wider cybersecurity community."

The growing CVE Program

The number of CNAs under ENISA is growing quickly, with several additional organisations requesting to be onboarded in the coming weeks.

ENISA works closely with CNA candidates during the transition and onboarding process to ensure operational readiness, clarity of scope, and alignment with the CVE Program requirements and rules.

There are currently over 90 CNAs in Europe that can transfer voluntarily under ENISA Root, out of a total of 510 CNAs from 42 countries and 1 CNA with no country affiliation, actively participating in the CVE Program. As Europe already represents nearly one fifth of all CNAs around the world, and as the CVE Program continues to rapidly grow globally, ENISA, as CVE Root for European entities, plays a significant role in supporting the European cybersecurity ecosystem.

Why does it matter?

Building more consistent, timely, and coordinated vulnerability identification across Europe

ENISA’s role as CVE Root further strengthens the Agency’s support to the CSIRTs Network and to its broader community of partners. In doing so, ENISA contributes to more consistent, timely, and coordinated vulnerability identification and handling across Europe. This role is carried out in close coordination with CISA and MITRE, as part of a shared commitment to strengthen the resilience, quality, and long-term sustainability of the global CVE Program. It also reflects ENISA’s wider objective of reinforcing, rather than fragmenting, the shared global vulnerability identifier backbone on which governments, vendors, researchers, and defenders rely.

Expanding the capacity and operational maturity of EU vulnerability services

Frontier AI models are challenging traditional security paradigms by compressing the vulnerability management lifecycle and attack chain, from discovery to exploitation. Given the expected increase in reported and discovered IT vulnerabilities, ENISA has been growing its capacity and expertise, and intends to further augment its operational resources and scalable support mechanisms in partnership with Member States. Additional capacities to reinforce this function have been proposed in the Cybersecurity Act 2.

Additional information

What is the role of ENISA as CVE Root?

ENISA became a CVE Root for European entities in November 2025. As such, ENISA serves as the central point of contact within the CVE Program for national and EU authorities, EU CSIRTs Network members, and cooperative partners under ENISA’s mandate.

ENISA’s role as Root includes recruiting, onboarding, training, supporting, and managing CNAs within its scope, facilitating their transition where relevant, and ensuring the effective assignment of CVE Identifiers (CVE IDs) and publication of CVE Records. This role also helps ensure that CVE Program rules, guidelines, and processes are followed.

About the CVE Program 

The mission of the CVE™ Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.

Visual promoting the new CVE Numbering Authorities Under ENISA Root

Contact

For press questions and interviews, please contact:
press@enisa.europa.eu.

Access to the press office

Related topics

Content written for: National / EU authorities | Private Sector

Related content

Developing National Vulnerabilities Programmes

Based on the experiences and perspectives gathered from industry players and national governments, as well as on the documentation developed by multiple actors involved with national vulnerability initiatives and programmes, the EU Coordinated Vulnerab

State of Vulnerabilities 2018/2019 - Analysis of Events in the life of Vulnerabilities

The purpose of this report is to provide an insight on both the opportunities and limitations the vulnerability ecosystem offers.

Economics of Vulnerability Disclosure

Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited.

Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations

Vulnerabilities are ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.

BROWSE ALL PUBLICATIONS

Stepping up our role in Vulnerability Management: ENISA Becomes CVE Root

Press Release

The European Union Agency for Cybersecurity (ENISA) is now a Common Vulnerabilities and Exposures (CVE) Program-Root, thus becoming a central point of contact within the CVE program for national/EU authorities, EU CSIRTs network members, and cooperativ

Joint Statement on SharePoint vulnerabilities - Assessment and advice on recovery and mitigating actions

News Item

The European Commission, the EU Agency for Cybersecurity (ENISA), the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU), and the network of the EU CSIRTs, are closely following the active exploitation of vulnerabi

Consult the European Vulnerability Database to enhance your digital security!

Press Release

The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive.

Another step forward towards responsible vulnerability disclosure in Europe

News Item

The EU Agency for Cybersecurity (ENISA) expands its support to EU CSIRTs for Coordinated Vulnerability Disclosure and is now authorised as a Common Vulnerabilities and Exposures (CVE) Numbering Authority.

BROWSE ALL NEWS

European Vulnerability Database

The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services.

BROWSE ALL TOOLS