ENISA Aims for CVE Program Leadership Role

Summary
– ENISA is being onboarded by CISA to become a top-level root CVE Numbering Authority (TL-Root CNA), aiming for this status in 2026 or early 2027.
– As a TL-Root CNA, ENISA would manage the global CVE Program alongside CISA and MITRE, gaining a seat on the program’s Board to influence policy.
– A current priority for ENISA is to vet and onboard all national CERTs and CSIRTs in Europe to become CVE Numbering Authorities.
– The push for greater ENISA involvement comes from EU member-states, responding to the growing volume of vulnerabilities and the inclusion of AI companies in the program.
– ENISA is hiring to build the team capacity needed to support its expanded role, as the onboarding process for a new TL-Root CNA is unprecedented.

The European Union Agency for Cybersecurity, ENISA, is actively pursuing a top-tier leadership position within the global system for tracking software flaws. A senior agency official has confirmed that ENISA is being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA) to become a top-level root CVE Numbering Authority (TL-Root CNA). This elevated status would place the EU body alongside CISA and MITRE as a core manager of the Common Vulnerabilities and Exposures (CVE) program, which catalogs and identifies cybersecurity weaknesses.
Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, stated the goal is to achieve this TL-Root CNA status in 2026 or early 2027. Currently, only CISA and MITRE hold this highest authority, which involves setting global policies and ensuring consistency across the entire CVE ecosystem. ENISA’s journey began by becoming a standard CNA in 2024, which allowed it to assign CVE IDs, before advancing to a Root CNA in 2025 to oversee other authorities in Europe.
This promotion represents a significant shift from operational duties to strategic influence. Johannes Kaspar Clos, an expert on Carvalho’s team, explained that as a Root CNA, ENISA already manages the onboarding of new European CNAs and helps shape program rules. Attaining TL-Root status would grant the agency a seat on the CVE program’s Board, a forum currently without European representation. “We want to help and support the CVE Program to blossom and grow and share our European vision,” Clos said.
A key driver for this move is the program’s strategic diversification and internationalization. Of the 502 current CVE Numbering Authorities globally, only 83 are based in Europe. Carvalho noted that while he wouldn’t call Europe “underrepresented,” having more EU-based participants is a clear objective. ENISA’s immediate priority is vetting and onboarding all national CERTs and CSIRTs in Europe to become CNAs, thereby strengthening the continent’s role in vulnerability management.
The push for greater involvement originated from EU member-states, responding to the growing volume and complexity of reported vulnerabilities. Clos emphasized the need to include a diverse range of stakeholders, especially with AI companies now developing tools to autonomously find and fix security flaws. Carvalho added that while the ambition existed, ENISA first needed to mature its internal capabilities. “The challenge was always in front of us but was never picked up. I guess the concerns about software vulnerabilities were not big enough until now,” Clos remarked.
Expanding this mission requires more personnel. Carvalho openly stated that ENISA’s vulnerability branch is actively hiring to build the critical mass needed to support the CVE program and onboard national teams. The onboarding process itself is pioneering work, as CISA and MITRE have operated as the sole TL-Root authorities since the program’s inception. Despite the uncharted territory, Carvalho expressed confidence, affirming the agency will do its best to meet the targeted 2026-2027 timeframe for this historic elevation.
(Source: Infosecurity Magazine)
