ENISA Strengthens Ties with CVE Program: A Strategic Move in Cybersecurity Collaboration
The European Union Agency for Cybersecurity (ENISA) is enhancing its partnership with the US-funded Common Vulnerabilities and Exposures (CVE) program. This strategic development was announced by Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, during the opening keynote at VulnCon26 held in Scottsdale, Arizona on April 14. ENISA is currently undergoing onboarding processes with the US Cybersecurity and Infrastructure Security Agency (CISA), the sole sponsor of the CVE program, to achieve the status of a top-level root CVE Numbering Authority (TL-Root CNA).
In an insightful conversation with Infosecurity after his keynote address, Carvalho expressed optimism that ENISA could attain this prestigious status by 2026 or early 2027, aiming to improve its operational participation in global cybersecurity initiatives.
Understanding CNA, Root CNA, and TL-Root CNA
Currently, only two entities hold the TL-Root CNA designation: CISA and MITRE, the US-based nonprofit responsible for managing the CVE program. ENISA became a CVE Numbering Authority (CNA) in 2024, which authorized the agency to assign CVE IDs to vulnerabilities. In 2025, it elevated its role to that of a Root CNA, overseeing numerous CNAs across Europe.
Achieving TL-Root CNA status would allow ENISA to assume significant responsibilities, enhancing its ability to manage the CVE Program alongside its American counterparts, CISA and MITRE. This position would empower ENISA to set global policies, ensuring a consistent approach across all Root CNAs and other CNAs worldwide.
Johannes Kaspar Clos, an expert in responsible disclosure and CSIRT collaboration, who works with Carvalho, emphasized that the expanded role for ENISA in the CVE program aims not only to enhance operational capacities but also to strengthen its influence in policy-making and administrative decisions. Clos outlined that becoming a Root CNA means that ENISA would take charge of onboarding new CNAs in Europe (a responsibility previously managed by MITRE) and participate in the Council of Roots, shaping and operationalizing the program.
"Having a seat at the CVE program’s Board is crucial as it currently lacks European representation," Clos stated. The agency aspires to share its European perspective and help foster growth within the CVE program.
Prioritizing Onboarding of EU National CSIRTs as CNAs
The onboarding of ENISA as a TL-Root CNA aligns perfectly with the CVE Program’s strategy to diversify and internationalize. At present, there are 502 CNAs operating within the program; however, only 83 of these are based in Europe. Carvalho articulated that while Germany and France have been proactive in joining the CVE initiative, he believes there could be a greater presence of European CNAs.
Despite acknowledging that Europe’s cybersecurity ecosystem may not be as extensive as that of the US, Carvalho stressed the importance of increasing the number of EU representatives within the program.
Following his remarks at VulnCon, he highlighted ENISA’s commitment to onboarding new CNAs, prioritizing the vetting process for national Computer Security Incident Response Teams (CSIRTs) and National Computer Emergency Response Teams (CERTs) across Europe.
Expanding the Vulnerability Branch and Addressing Emerging Threats
Both Carvalho and Clos acknowledged that the push for ENISA’s deeper involvement in the CVE program is a response to requests from EU member states. The increasing complexity and volume of reported vulnerabilities necessitate a larger array of stakeholders within the program. In light of advancements from AI companies like OpenAI and Anthropic, which are deploying models to autonomously identify and address cybersecurity vulnerabilities, expanding participation is crucial.
“We aim to include a diverse crowd of cybersecurity professionals—from product-based national CERTs and CSIRTs to independent researchers and vulnerability assessors,” Clos elaborated.
Although the desire to enhance participation in the CVE program has long been on ENISA’s agenda, Carvalho acknowledged the need for the agency to develop its services and team effectively to represent EU interests adequately on the program’s Board. “The challenge has always existed, but it was never fully addressed. Concerns about software vulnerabilities have only recently emerged as pressing issues,” Clos noted.
Furthermore, both stakeholders reiterated that the onboarding process for TL-Root CNA is an unprecedented venture, as CISA and MITRE have maintained control since the program’s inception. "This process does not rely solely on us; however, we are optimistic that ENISA will secure TL-Root CNA status by 2026 or early 2027," Carvalho concluded, affirming the agency’s dedication to realizing this goal.
In conclusion, ENISA’s potential status as a TL-Root CNA could significantly reshape the landscape of cybersecurity collaboration in Europe, enhancing its ability to address vulnerabilities and strengthen the cybersecurity framework across the continent and beyond.

