ENISA Aims for Top-Tier Role in CVE Program: What It Means for EU Cybersecurity

The European Union Agency for Cybersecurity (ENISA) is pushing for a more powerful position within the globally recognized Common Vulnerabilities and Exposures (CVE) program. A senior official at the agency confirmed that ENISA is currently undergoing onboarding to become a top-level root CVE Numbering Authority (TL-Root CNA). This move could reshape how vulnerabilities are managed across Europe.

Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, made the announcement during the opening keynote at VulnCon26 in Scottsdale, Arizona. Speaking to Infosecurity Magazine, he expressed hope that the agency would achieve this elevated status by 2026 or early 2027. Currently, only two organizations hold this distinction: the US Cybersecurity and Infrastructure Security Agency (CISA) and MITRE, the nonprofit that operates the program.

What Does TL-Root CNA Status Entail?

To understand the significance of this ambition, it helps to break down the CVE hierarchy. ENISA became a CVE Numbering Authority (CNA) in 2024, which allowed it to assign CVE IDs to newly discovered vulnerabilities. A year later, it advanced to a Root CNA, taking on responsibilities such as overseeing and coordinating multiple CNAs within a specific domain or region, onboarding new CNAs, and resolving disputes.

If granted TL-Root CNA status, ENISA would become a top-level authority managing the entire CVE Program alongside CISA and MITRE. This means setting global policies, ensuring consistency across all Root CNAs and CNAs, and representing European interests at the highest decision-making table. Johannes Kaspar Clos, a responsible disclosure and CSIRT collaboration expert working on CNA service implementation at ENISA, explained that this expanded role offers more than operational leverage. “As a Root CNA, we have a bigger operational footprint,” he said. “Now, as a TL-Root CNA, we would be represented in the CVE Program’s Board, where there is currently no European representatives. We want to help and support the CVE Program to blossom and grow and share our European vision.”

Why Europe Needs More CNAs

Currently, the CVE Program boasts 502 CNAs worldwide, but only 83 are based in Europe. Carvalho acknowledged that while he wouldn’t call Europe “underrepresented,” he believes there should be more European CNAs. “We know that the European market is not as big as the US market, but we’d like to have more representatives from the EU,” he noted.

During his VulnCon speech, Carvalho highlighted that ENISA is already onboarding new CNAs. The agency’s top priority is to vet all national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) across Europe to become CNAs. This initiative aims to strengthen the continent’s vulnerability response capabilities and ensure a more balanced global representation.

Addressing the Vulnerability Gap

Both Carvalho and Clos emphasized that the push for greater ENISA involvement came directly from EU member states. The growing volume and complexity of reported vulnerabilities demand that more stakeholders participate in the program. This is especially urgent now that AI companies like OpenAI and Anthropic have launched models capable of autonomously finding and fixing cybersecurity vulnerabilities at scale.

“We need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders,” Clos said. This diversity is crucial for keeping pace with the rapidly evolving threat landscape.

Building the Team for the Challenge

Carvalho admitted that while the ambition to join the CVE Program’s top tier has been a long-standing goal, ENISA needed time to mature its services and team. “The challenge was always in front of us but was never picked up,” Clos added. “I guess the concerns about software vulnerabilities were not big enough until now.”

To meet this challenge, ENISA is actively hiring. Carvalho noted that the agency is expanding its vulnerability branch to build a critical mass capable of handling tasks like onboarding national CERTs and CSIRTs. “You’ll find vacancy notices on ENISA’s website,” he said. This growth reflects the agency’s commitment to representing EU interests effectively on the CVE Program’s Board.

The Road Ahead: Uncharted Territory

Both Carvalho and Clos described the TL-Root CNA onboarding process as “uncharted territory.” Since CISA and MITRE have operated the program from its inception, no entity has ever been granted this status before. “While it doesn’t depend solely on us, we hope ENISA can become a TL-Root CNA in 2026 or in early 2027. We will do our best for meeting this timeframe,” Carvalho concluded.

This development aligns with the CVE Program’s broader diversification and internationalization strategy.

As ENISA navigates this complex process, the cybersecurity community watches closely. The agency’s success could herald a new era of collaboration between US and European entities in tackling global vulnerabilities.
