The European Union Agency for Cybersecurity, ENISA, has embarked on a strategic initiative to deepen its integration with the Common Vulnerabilities and Exposures (CVE) program, marking a significant shift in the governance of global cybersecurity standards. During a keynote address at VulnCon 26 in Scottsdale, Arizona, on April 14, Nuno Rodrigues Carvalho, ENISA’s head of sector for Incidents and Vulnerability Services, announced that the agency is currently being onboarded by the United States Cybersecurity and Infrastructure Security Agency (CISA) to attain the status of a Top-Level Root CVE Numbering Authority (TL-Root CNA). This development, which Carvalho expects to be finalized by 2026 or early 2027, will place the European agency on equal footing with the program’s current primary administrators, CISA and MITRE.

The move signals a major evolution in the international management of software vulnerabilities. Historically, the CVE program has been funded by the U.S. government and managed by U.S.-based entities. By elevating ENISA to a TL-Root CNA, the program is transitioning toward a more multilateral governance model, reflecting the global nature of software supply chains and the increasing regulatory maturity of the European Union’s cybersecurity framework.

Understanding the CVE Hierarchy and ENISA’s Ascendance

The CVE program serves as the international standard for identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities. Each entry in the CVE list provides a standardized identifier for a given vulnerability, ensuring that distinct stakeholders—from software vendors to security researchers and end-users—can communicate using a common language. To manage this massive undertaking, the program utilizes a hierarchical structure of authorities.

At the foundational level are CVE Numbering Authorities (CNAs). These are typically software vendors, researchers, or bug bounty providers authorized to assign CVE IDs to vulnerabilities found within their specific products or scope. Above them are Root CNAs, which act as regional or sectoral hubs. Root CNAs oversee a group of CNAs, providing guidance, resolving disputes, and onboarding new organizations into the ecosystem.

At the apex of this hierarchy sits the Top-Level Root CNA (TL-Root CNA). Until now, this exclusive tier has been occupied solely by CISA, the program’s sponsor, and MITRE, the nonprofit organization that has operated the program since its inception in 1999. As a TL-Root CNA, ENISA will gain the authority to manage the program at a global policy level. This includes a seat on the CVE Board, the highest decision-making body, where it will participate in shaping the program’s strategic direction, administrative rules, and technical standards.

ENISA’s path to this leadership role has been characterized by a rapid progression. The agency first became a CNA in 2024, followed by its promotion to Root CNA status in 2025. The final transition to TL-Root CNA represents the culmination of a multi-year effort to assert European influence over global vulnerability management.

A Chronology of Integration and Future Milestones

The timeline for ENISA’s integration into the CVE program reflects both the agency’s internal growth and the increasing urgency of coordinated vulnerability disclosure (CVD) in the European Union.

  • 1999–2023: The CVE program remains primarily under U.S. administration, with MITRE and CISA serving as the central pillars.
  • 2024: ENISA is officially designated as a CNA, allowing it to assign CVEs for vulnerabilities discovered within its operational scope.
  • 2025: ENISA is elevated to Root CNA status. In this role, the agency begins coordinating European CNAs and takes a seat on the Council of Roots, helping to operationalize the program’s rules at a regional level.
  • April 2026 (Projected): ENISA aims to complete the onboarding process to become the third TL-Root CNA globally.
  • Early 2027: The agency expects to have a fully operationalized presence on the CVE Board, representing European interests in global policy discussions.

This transition is described by ENISA officials as "unchartered territory." Because the TL-Root CNA status has never been granted to an entity outside the original U.S. partnership, the onboarding process involves complex legal, technical, and administrative negotiations to ensure seamless interoperability between European and American oversight mechanisms.

Data and Representation: Addressing the Transatlantic Gap

A primary driver for ENISA’s expanded role is the current imbalance in the distribution of CNAs. As of early 2024, the CVE Program includes 502 CNAs globally. However, only 83 of these organizations are based in Europe. While Carvalho noted that Europe is not necessarily "underrepresented" in terms of technical capability, he emphasized that the number of European CNAs does not yet reflect the size and importance of the EU digital market.

"We know that the European market is not as big as the US market, but we’d like to have more representatives from the EU," Carvalho stated during his session. By becoming a TL-Root CNA, ENISA will have the administrative power to streamline the onboarding process for European companies and national agencies, potentially lowering the barriers to entry for organizations that may find the U.S.-centric application process cumbersome.

ENISA’s immediate priority is the vetting and onboarding of all national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) across the EU’s 27 member states. By empowering these national bodies as CNAs, the EU can create a decentralized but highly coordinated network for vulnerability reporting that aligns with local regulations and languages.

Strategic Context: The Cyber Resilience Act and NIS2

The push for ENISA to take a leading role in the CVE program is not happening in a vacuum. It is deeply linked to the EU’s evolving legislative landscape, specifically the Network and Information Security (NIS2) Directive and the upcoming Cyber Resilience Act (CRA).

The NIS2 Directive mandates that member states develop national vulnerability disclosure policies and establishes ENISA as a central player in coordinating these efforts across borders. Simultaneously, the CRA introduces strict requirements for manufacturers of "products with digital elements," including the mandatory reporting of actively exploited vulnerabilities to ENISA.

By holding a TL-Root CNA status, ENISA ensures that the reporting requirements mandated by EU law are compatible with global CVE standards. This prevents a fragmented system where European vendors would have to report vulnerabilities through different channels using incompatible identifiers. Instead, ENISA can act as a bridge, ensuring that a vulnerability reported under the CRA can be seamlessly cataloged in the global CVE list.

The Role of AI and the Need for Scalable Solutions

The decision to expand the CVE leadership also stems from the increasing complexity of the threat landscape. Johannes Kaspar Clos, a collaboration expert at ENISA, highlighted that the sheer volume of vulnerabilities is expected to surge due to the advent of Artificial Intelligence.

Companies like OpenAI and Anthropic have recently demonstrated AI models capable of autonomously identifying and suggesting fixes for software bugs. While these tools can improve security, they also threaten to overwhelm existing vulnerability management systems with a flood of new reports.

"We need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders," Clos explained. The addition of ENISA as a TL-Root CNA provides the "critical mass" and administrative bandwidth necessary to handle this projected increase in volume. It allows the CVE program to distribute the workload of vetting and managing vulnerabilities more effectively across different time zones and jurisdictions.

Institutional Growth and Recruitment

To meet its new responsibilities, ENISA is undergoing a period of rapid expansion. Carvalho acknowledged that the agency’s vulnerability branch was previously a "very small team" and that the decision to pursue TL-Root status was delayed until the agency had matured its services and team.

"The challenge was always in front of us but was never picked up. I guess the concerns about software vulnerabilities were not big enough until now," Clos remarked. The agency is currently hiring for various positions within its vulnerability services sector to support the onboarding of national CERTs and to manage its upcoming seat on the CVE Board. This recruitment drive is essential for ENISA to fulfill its mandate of providing technical expertise and administrative oversight on a global scale.

Broader Implications for Global Cybersecurity Governance

The inclusion of ENISA in the top tier of the CVE program is a landmark event for digital sovereignty and international cooperation. For years, the global cybersecurity community has relied on a U.S.-led model for vulnerability identification. While this model has been highly successful, the integration of a European authority reflects a move toward a more balanced, multilateral approach.

This shift has several potential implications:

  1. Standardization of Disclosure: With ENISA at the board level, European perspectives on privacy (such as GDPR compliance) and consumer protection will be integrated into the global rules for vulnerability disclosure.
  2. Increased Vendor Participation: European software vendors may feel more confident participating in a program that has a direct administrative presence in the EU, leading to better security outcomes for European products.
  3. Enhanced Geopolitical Stability: By institutionalizing cooperation between CISA and ENISA at the highest level, the CVE program becomes more resilient to political shifts, ensuring that the global community continues to share critical security information regardless of the geopolitical climate.
  4. Operational Efficiency: Regionalizing the Root CNA functions allows for faster response times and better support for local organizations, as ENISA can provide guidance tailored to the European regulatory environment.

As ENISA works toward its 2026/2027 goal, the global cybersecurity community will be watching closely. The success of this onboarding process will serve as a blueprint for how other international regions—such as Asia or Latin America—might eventually integrate into the top-level governance of the CVE program. For now, the focus remains on building the technical and administrative bridges necessary to unite the U.S. and European efforts in the fight against software vulnerabilities.
