Cybercriminals Exploit Axios JavaScript Library in Sophisticated npm Package Supply Chain Attack

Cybercriminals have executed a sophisticated supply chain attack targeting one of JavaScript’s most widely-used libraries. The Axios npm package, which sees over 100 million weekly downloads, became the vehicle for distributing malicious remote access trojans to developer environments worldwide.

Understanding the npm Package Attack Vector

This npm package attack demonstrates the evolving threat landscape facing open source maintainers. Attackers compromised Jason Saayman’s maintainer account, strategically positioning themselves to inject malicious dependencies into the trusted Axios library.

The sophisticated nature of this operation becomes clear when examining the attackers’ methodology. They staged the malicious dependency “plain-crypto-js” a full day before executing the account takeover. This premeditation suggests extensive reconnaissance and planning by the threat actors.

In addition to compromising the npm account, the attackers altered Saayman’s email address for persistence and simultaneously hijacked his GitHub account. This multi-vector approach ensured maximum control over the compromised infrastructure.

Technical Analysis of the Malicious Payload

The threat actors published two compromised versions: v1.14.1 and v0.30.4, both containing the plain-crypto-js dependency designed to deploy cross-platform remote access trojans. Unlike legitimate Axios releases published through GitHub Actions with OIDC provenance signing, these malicious versions were published directly via npm CLI using stolen credentials.

Research from OpenSourceMalware reveals the attack’s technical sophistication. The malware employs obfuscation techniques, anti-analysis capabilities, and self-deletion mechanisms to evade modern security detection systems.

This means that organizations relying on traditional security measures may struggle to identify compromised systems. The attackers clearly understood modern detection capabilities and engineered their payload accordingly.

Attribution and Threat Actor Profile

The Google Threat Intelligence Group has attributed this npm package attack to UNC1069, a financially motivated threat actor with North Korean connections active since 2018. This attribution stems from the use of WAVESHAPER.V2, an evolved version of malware previously associated with this group.

However, the sophistication level raises questions about potential state sponsorship. The multi-stage architecture, platform-specific payloads, and comprehensive remote access trojan capabilities suggest significant resource investment beyond typical cybercriminal operations.

Therefore, security professionals should consider this attack within the broader context of nation-state cyber operations targeting software supply chains.

Immediate Response and Detection Strategies

Security teams must implement comprehensive detection strategies following this npm package attack. The blast radius could be extensive given Axios’s widespread adoption across developer environments and CI/CD pipelines.

Critical response actions include examining lockfiles (package-lock.json, yarn.lock, or pnpm-lock.yaml) for the presence of plain-crypto-js or the compromised Axios versions. Organizations should also hunt for indicators of compromise across developer machines and CI/CD infrastructure.

As a result, credential rotation and system remediation become essential for any potentially exposed environments. The three-hour window between attack initiation and npm administration response provided ample opportunity for widespread distribution.
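
The lockfile check described above, as an added example that is not part of the original article: a Node.js scanner that flags plain-crypto-js and the two compromised Axios versions in package-lock.json, yarn.lock or pnpm-lock.yaml content. The function names, the sample lockfile and the placeholder plain-crypto-js version are assumptions made for illustration.

```javascript
// Added example (Node.js). Indicators are those named in the article; sample data is constructed.
const BAD_DEP = 'plain-crypto-js';
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);

function check(hits, name, version, where) {
  if (name === BAD_DEP) hits.push({ name, version, where, reason: 'malicious dependency' });
  else if (name === 'axios' && BAD_AXIOS.has(version))
    hits.push({ name, version, where, reason: 'compromised axios release' });
}

// package-lock.json: v2/v3 keep a flat "packages" map keyed by install path,
// v1 keeps a nested "dependencies" tree.
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx < 0) continue; // root project or workspace folder
      // "name" is recorded only when it differs from the path (npm aliases)
      const name = meta.name || path.slice(idx + 'node_modules/'.length);
      check(hits, name, meta.version, path);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(hits, name, meta.version, trail + name);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// yarn.lock and pnpm-lock.yaml: line scan, so no YAML parser is required.
function scanTextLock(text) {
  const hits = [];
  let yarnName = null; // package named by the latest yarn entry header
  text.split(/\r?\n/).forEach((line, i) => {
    const header = line.match(/^"?((?:@[^\/"\s]+\/)?[^@"\s]+)@/);
    if (header) { yarnName = header[1]; return; }
    const ver = yarnName && line.match(/^\s+version:?\s+"?([^"\s]+)/);
    if (ver) { check(hits, yarnName, ver[1], `line ${i + 1}`); yarnName = null; return; }
    // pnpm keys: "/axios@1.14.1:", "axios@1.14.1(peer@1):", older "/axios/1.14.1:"
    const pnpm = line.match(/^\s+'?\/?((?:@[^\/\s']+\/)?[^@\/\s']+)[@\/](\d[^:('\s]*)/);
    if (pnpm) check(hits, pnpm[1], pnpm[2], `line ${i + 1}`);
  });
  return hits;
}

const scanLockfile = (file, text) =>
  file.endsWith('package-lock.json') ? scanPackageLock(text) : scanTextLock(text);
// Constructed sample: a v3 lockfile that resolved one of the bad releases.
const sample = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '0.0.0' } } }); // placeholder version
console.log(scanLockfile('package-lock.json', sample));
```

A clean result only covers the lockfile that was scanned; it does not show what was installed on a developer machine or CI runner during the exposure window.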

Long-term Implications for Open Source Security

This incident highlights the vulnerability of open source software dependencies in modern development environments. Avital Harel from Upwind notes that “build pipelines are becoming the new front line” in cybersecurity battles.

Attackers recognize that compromising software build and distribution systems allows them to “inherit trust at scale.” This represents a fundamental shift in threat vectors that organizations must address through enhanced supply chain security measures.

Building on this understanding, security professionals need to focus more attention on CI/CD systems, package dependencies, and developer environments. These components increasingly represent high-value targets for sophisticated threat actors seeking maximum impact from their operations.

The npm package attack against Axios serves as a wake-up call for the entire software development community. Organizations must implement comprehensive supply chain security frameworks to protect against similar threats in the future.

ENISA Aims for Top-Tier Role in CVE Program: What It Means for EU Cybersecurity

The European Union Agency for Cybersecurity (ENISA) is pushing for a more powerful position within the globally recognized Common Vulnerabilities and Exposures (CVE) program. A senior official at the agency confirmed that ENISA is currently undergoing onboarding to become a top-level root CVE Numbering Authority (TL-Root CNA). This move could reshape how vulnerabilities are managed across Europe.

Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, made the announcement during the opening keynote at VulnCon26 in Scottsdale, Arizona. Speaking to Infosecurity Magazine, he expressed hope that the agency would achieve this elevated status by 2026 or early 2027. Currently, only two organizations hold this distinction: the US Cybersecurity and Infrastructure Security Agency (CISA) and MITRE, the nonprofit that operates the program.

What Does TL-Root CNA Status Entail?

To understand the significance of this ambition, it helps to break down the CVE hierarchy. ENISA became a CVE Numbering Authority (CNA) in 2024, which allowed it to assign CVE IDs to newly discovered vulnerabilities. A year later, it advanced to a Root CNA, taking on responsibilities such as overseeing and coordinating multiple CNAs within a specific domain or region, onboarding new CNAs, and resolving disputes.

If granted TL-Root CNA status, ENISA would become a top-level authority managing the entire CVE Program alongside CISA and MITRE. This means setting global policies, ensuring consistency across all Root CNAs and CNAs, and representing European interests at the highest decision-making table. Johannes Kaspar Clos, a responsible disclosure and CSIRT collaboration expert working on CNA service implementation at ENISA, explained that this expanded role offers more than operational leverage. “As a Root CNA, we have a bigger operational footprint,” he said. “Now, as a TL-Root CNA, we would be represented in the CVE Program’s Board, where there is currently no European representatives. We want to help and support the CVE Program to blossom and grow and share our European vision.”

Why Europe Needs More CNAs

Currently, the CVE Program boasts 502 CNAs worldwide, but only 83 are based in Europe. Carvalho acknowledged that while he wouldn’t call Europe “underrepresented,” he believes there should be more European CNAs. “We know that the European market is not as big as the US market, but we’d like to have more representatives from the EU,” he noted.

During his VulnCon speech, Carvalho highlighted that ENISA is already onboarding new CNAs. The agency’s top priority is to vet all national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) across Europe to become CNAs. This initiative aims to strengthen the continent’s vulnerability response capabilities and ensure a more balanced global representation.

Addressing the Vulnerability Gap

Both Carvalho and Clos emphasized that the push for greater ENISA involvement came directly from EU member-states. The growing volume and complexity of reported vulnerabilities demand more stakeholders participate in the program. This is especially urgent now that AI companies like OpenAI and Anthropic have launched models capable of autonomously finding and fixing cybersecurity vulnerabilities at scale.

“We need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders,” Clos said. This diversity is crucial for keeping pace with the rapidly evolving threat landscape.

Building the Team for the Challenge

Carvalho admitted that while the ambition to join the CVE Program’s top tier has been a long-standing goal, ENISA needed time to mature its services and team. “The challenge was always in front of us but was never picked up,” Clos added. “I guess the concerns about software vulnerabilities were not big enough until now.”

To meet this challenge, ENISA is actively hiring. Carvalho noted that the agency is expanding its vulnerability branch to build a critical mass capable of handling tasks like onboarding national CERTs and CSIRTs. “You’ll find vacancy notices on ENISA’s website,” he said. This growth reflects the agency’s commitment to representing EU interests effectively on the CVE Program’s Board.

The Road Ahead: Uncharted Territory

Both Carvalho and Clos described the TL-Root CNA onboarding process as “uncharted territory.” Since CISA and MITRE have operated the program from its inception, no entity has ever been granted this status before. “While it doesn’t depend solely on us, we hope ENISA can become a TL-Root CNA in 2026 or in early 2027. We will do our best for meeting this timeframe,” Carvalho concluded.

This development aligns with the CVE Program’s broader diversification and internationalization strategy.

As ENISA navigates this complex process, the cybersecurity community watches closely. The agency’s success could herald a new era of collaboration between US and European entities in tackling global vulnerabilities.

UK Intelligence Warns 100 Countries Now Possess Spyware Capable of Hacking Phones

British intelligence has issued a stark warning: more than half of the world’s governments now have access to commercial spyware to hack phones and computers, marking a dramatic escalation in global surveillance capabilities. The UK National Cyber Security Centre (NCSC) is set to reveal that the number of countries wielding these invasive tools has jumped from 80 in 2023 to 100 today, according to a report by Politico.

This means that governments across every continent can now deploy sophisticated hacking software to break into devices, steal sensitive data, and monitor individuals without their knowledge. The barrier to entry for such technology has fallen significantly, making it easier for foreign adversaries and cybercriminals to target UK citizens, companies, and critical infrastructure.

The Expanding Threat of Commercial Spyware

Commercial spyware, developed by private firms like NSO Group (maker of Pegasus) and Paragon Solutions (creator of Graphite), typically exploits security vulnerabilities in phone and computer operating systems. Once installed, these tools can extract messages, contacts, passwords, and even record calls or activate microphones remotely.

While governments have historically claimed they only use such spyware against serious criminals or terrorist suspects, security researchers and human rights advocates have repeatedly documented misuse. Journalists, political dissidents, and human rights defenders have been targeted by authoritarian regimes using these very tools. Now, UK intelligence warns that the victim pool has “expanded” to include bankers, wealthy businesspeople, and other high-net-worth individuals.

UK Businesses Underprepared for State-Backed Cyber Attacks

Richard Horne, the head of the NCSC, delivered a sobering speech at the CYBERUK conference in Glasgow. He stated that British companies are “failing to grasp the reality of today’s world,” as the majority of nationally significant cyberattacks against the UK now originate from foreign adversarial governments—not criminal gangs. This shift underscores the need for businesses to bolster their defenses against state-sponsored hacking operations.

Horne’s remarks come amid ongoing intrusions linked to China, aimed at stealing sensitive data, spying on prominent individuals, and laying the groundwork for disruptive hacks that could hinder a Western military response in the event of a conflict over Taiwan. The UK is not alone in facing these threats; allied nations are also grappling with similar espionage campaigns.

The Leak of Powerful Hacking Tools

The danger isn’t limited to government use. Earlier this year, a hacking toolkit called DarkSword leaked online. This toolkit contained multiple exploits capable of breaking into modern iPhones and iPads. It allowed anyone—not just governments—to set up malicious websites that could hack Apple users who hadn’t installed the latest software updates.

This leak demonstrates a troubling reality: even tightly controlled hacking tools developed by or for governments can escape into the wild. Once leaked, they can proliferate uncontrollably, putting millions of people at risk from opportunistic cybercriminals. The DarkSword incident is just the latest example of how phone hacking tools can fall into the wrong hands.

What This Means for National Security

The expansion of commercial spyware access represents a significant shift in the global threat landscape. With 100 countries now possessing the capability to deploy spyware to hack phones, the potential for abuse is enormous. Governments can monitor not only criminals but also political opponents, activists, journalists, and business rivals. For the UK, this means that both state actors and non-state actors pose a credible threat to national security and economic stability.

Building on this, the NCSC is urging organizations to adopt stronger cybersecurity practices, including regular software updates, multi-factor authentication, and employee training on phishing risks.

As the line between government surveillance and criminal exploitation blurs, the need for robust digital defenses has never been more urgent. The UK government must also consider stricter regulations on the sale and export of commercial spyware to prevent further proliferation.

In conclusion, the revelation that 100 countries now possess spyware capable of hacking phones should serve as a wake-up call. Whether you’re a corporate executive, a journalist, or an ordinary citizen, the threat is real and growing. Stay informed, stay updated, and stay vigilant.

OpenAI Launches GPT-5.4-Cyber: A New AI Model Tailored for Cyber Defense

OpenAI has officially introduced GPT-5.4-Cyber, a specialized version of its GPT-5.4 model designed specifically for cybersecurity applications. This move, coupled with an expansion of the company’s Trusted Access for Cyber (TAC) program, signals a significant push to integrate artificial intelligence into defensive security operations. The announcement, made on April 14 via a blog post, positions this new model as a tool to empower security professionals while carefully managing potential risks.

What Makes GPT-5.4-Cyber Different for Cyber Defense?

Unlike standard large language models, GPT-5.4-Cyber is described as “cyber-permissive.” This means it has been fine-tuned to lower its refusal boundaries for legitimate cybersecurity tasks. For defenders, this translates into a model that can handle sensitive queries about vulnerabilities, threat analysis, and incident response without unnecessary restrictions. OpenAI states that this variant enables advanced defensive workflows, allowing researchers and organizations to explore complex security scenarios.

Building on this, the model is a direct response to what OpenAI calls “steady improvements in agentic coding.” As AI-driven coding becomes more powerful, the potential for both defensive and offensive applications grows. Therefore, GPT-5.4-Cyber aims to give defenders a comparable edge, helping them identify and fix flaws faster than attackers can exploit them.

Expanding the Trusted Access for Cyber Program

The expansion of the Trusted Access for Cyber (TAC) program is a key part of this release. Initially launched in February, TAC was designed to automate identity verification and reduce friction for cybersecurity tasks. Now, OpenAI has introduced additional tiers, with the highest levels reserved exclusively for users who authenticate themselves as cybersecurity defenders. This staggered release strategy allows OpenAI to monitor usage carefully and learn from real-world deployment.

As a result, only vetted security vendors, organizations, and researchers currently have access to the full capabilities of GPT-5.4-Cyber. However, the company has expressed a desire to make these tools widely available while preventing misuse. Stronger verification processes are now in place to ensure that the model’s cyber defense capabilities are not abused.

Addressing Dual-Use Risks

OpenAI acknowledges a fundamental challenge: “Cyber capabilities are inherently dual use.” This means that the same technology which helps defenders can also aid attackers. Therefore, the company is proceeding with caution. By limiting access to verified professionals, OpenAI aims to mitigate the risk of malicious actors leveraging GPT-5.4-Cyber for offensive purposes. This approach mirrors broader industry trends, including Anthropic’s launch of Claude Mythos Preview and Project Glasswing, which focus on discovering and fixing vulnerabilities.

Implications for Software Security and Development

Beyond immediate defense, GPT-5.4-Cyber and the TAC program are positioned to improve software development practices. OpenAI argues that the strongest ecosystem is one that continuously identifies, validates, and fixes security issues as code is written. By integrating advanced coding models into developer workflows, the company hopes to shift security from periodic audits to ongoing, tangible risk reduction.

For example, developers could use GPT-5.4-Cyber to receive immediate, actionable feedback on vulnerabilities while building applications. This proactive approach could reduce the number of exploitable flaws in production software. However, the effectiveness of this strategy will depend on how well the model integrates with existing development tools and workflows.

What This Means for the Future of AI in Cybersecurity

This launch represents a growing trend: AI companies are increasingly tailoring their models for specific high-stakes domains. For cybersecurity professionals, GPT-5.4-Cyber offers a glimpse into a future where AI assistants can handle complex threat analysis, automate routine defenses, and even suggest code patches. Nevertheless, the dual-use nature of such capabilities ensures that access will remain tightly controlled for the foreseeable future.

In conclusion, OpenAI’s GPT-5.4-Cyber marks a deliberate step toward harnessing AI for cyber defense. While the model is not yet widely available, its development underscores the importance of building secure, verifiable AI systems. For defenders, the message is clear: AI is becoming an indispensable ally, but only if wielded with care and accountability.
