Stepping up our role in Vulnerability Management: ENISA Becomes CVE Root


The European Union Agency for Cybersecurity (ENISA) is now a Common Vulnerabilities and Exposures (CVE) Program Root, thus becoming a central point of contact within the CVE Program for national and EU authorities, EU CSIRTs network members, and cooperative partners falling under ENISA’s mandate.

As a CVE Numbering Authority (CNA), ENISA is authorised to assign CVE Identifiers (CVE IDs) and to publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles since January 2024. As a Root CNA, ENISA is now expanding its role within the CVE Program.

The European Union Agency for Cybersecurity Executive Director, Juhan Lepassaar, declared: “By becoming a Root, ENISA moves a step further to improve the development and capacity of the Agency to support vulnerability management in the EU. With the new responsibilities, ENISA extends its support to the CSIRTs network and to all its partners to further enhance the EU's ability to manage and coordinate cybersecurity vulnerabilities, and improve digital security across the Union.”

ENISA’s new role is part of the European Union’s investment in strengthening vulnerability coordination and management in the EU. As such, this new role complements and supports the Coordinated Vulnerability Disclosure activities undertaken by EU Member States, in particular the establishment and operation of the EU Vulnerability Database, as well as ENISA’s new tasks under the Cyber Resilience Act: providing guidance to manufacturers on compliance, assisting with the implementation of the new cybersecurity framework, and implementing the Single Reporting Platform.

Together, these responsibilities strengthen Europe’s ability to ensure consistent and timely vulnerability handling across borders.

The purpose of the CVE Program 

The Common Vulnerabilities and Exposures Program (or CVE Program) was created in 1999 and has been used worldwide ever since. CVE provides a scheme to identify, define, and catalog publicly disclosed vulnerabilities with contextual information, in order to create a standardised listing of such vulnerabilities. Each vulnerability is assigned a CVE ID, and its corresponding CVE Record is published by one of the organisations around the world that have partnered with the CVE Program. In this way, the information in the CVE Program enables organisations, developers, and cybersecurity professionals to quickly identify security flaws, discuss and share information about them, and address them, thereby providing a basis for improving the security of software and systems.

The role of ENISA within the CVE Program

Becoming a Root means ENISA is expanding its role in the CVE Program by taking on additional responsibilities, including the identification, onboarding, and support of other CNAs within its scope. Additionally, Roots ensure that CVE Program guidelines and processes are followed and that the procedures, guidelines, and standards for assigning and managing CVE IDs are further developed.

By maintaining its registry service, ENISA further supports the EU CSIRTs in their coordination work, acting as a CNA for vulnerabilities in IT products discovered by European Union Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure. ENISA will also be the central contact point for cooperative partners that fall under ENISA’s mandate.

ENISA joins the CVE Program Council of Roots

As a Root, ENISA will join the CVE Program Council of Roots, which focuses on operational coordination across the CVE Program’s Root hierarchies. At the international level, CVE Program Roots include MITRE, CISA, Google and Red Hat from the US, and JPCERT/CC from Japan. Within the EU, they are INCIBE Cert, the Thales Group and, most recently, CERT@VDE.

Next steps in the change process for organisations concerned

ENISA’s Root scope will include organisations falling under its mandate. For existing CNAs that are eligible and interested in moving under ENISA’s Root, the CVE Program encourages a collaborative and voluntary transition. The CVE Program will closely engage with each organisation to ensure a smooth transition process. A transition period is foreseen for those CNAs that intend to change Root. ENISA’s phased approach will allow for thoughtful coordination, ongoing support, and alignment with the preferences and operational needs of each CNA.

ENISA’s efforts towards improved vulnerability management

ENISA becoming a CVE Program Root, in addition to its CNA responsibilities, marks a meaningful expansion of its role in coordinated vulnerability management, reinforcing its capacity to identify, triage, and help remediate security flaws at scale. By harmonising CVE practices, raising the quality and timeliness of CVE Records, and supporting a smooth, voluntary transition for eligible CNAs, ENISA will help reduce fragmentation, strengthen cross-border coordination, and accelerate responsible disclosure.

Working alongside the global community of Roots, ENISA will foster greater transparency, trust, and operational consistency for CSIRTs, industry, and public authorities alike. These responsibilities underscore ENISA’s commitment to a secure, resilient, and innovative digital ecosystem for EU citizens, businesses, and public administrations.

The work of ENISA on vulnerability disclosure and handling also includes:

  • The European Vulnerability Database - EUVD

    The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive. The now operational EUVD service is maintained by ENISA.

  • The Cyber Resilience Act’s Single Reporting Platform - SRP

    ENISA aims to build trust in secure digital solutions and is developing the Single Reporting Platform (SRP). Provided for by the Cyber Resilience Act (CRA), the platform will serve for the notification of actively exploited vulnerabilities. Such notification will become mandatory for manufacturers by September 2026 and is expected to increase product security.

  • Coordinated Vulnerability Disclosure – CVD

    As the secretariat of the EU CSIRTs network, ENISA supports CSIRTs designated as coordinators in cooperating within the network when a reported vulnerability is assessed to have a potentially significant impact on entities in more than one Member State. ENISA regularly publishes guidelines and studies to assist Member States in establishing CVD policies.

About ENISA 

ENISA is the European Union Agency for Cybersecurity. As such, ENISA is dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004, it was strengthened by the EU Cybersecurity Act.

ENISA contributes to EU cyber policy and enhances the trustworthiness of ICT products, services and processes through cybersecurity certification schemes.

The Agency also cooperates with EU Member States and EU bodies to help Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost the resilience of the Union’s infrastructure, and, ultimately, to keep Europe's society and citizens digitally secure.