ENISA, the EU’s Cybersecurity Agency, is strengthening its ties with the US-funded Common Vulnerabilities and Exposures (CVE) program, a top leader of the agency has announced.
Invited to speak at VulnCon26’s opening keynote in Scottsdale, Arizona, on April 14, Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, revealed that the agency was currently being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the program, to become a top-level root CVE Numbering Authority (TL-Root CNA).
Speaking to Infosecurity after the session, Carvalho said he hopes the European agency can obtain this status “in 2026 or early 2027.”
CNA, Root CNA and TL-Root CNA Explained
Only two entities currently hold TL-Root CNA status: CISA, the program’s sponsor, and MITRE, the US-funded nonprofit which runs the program.
ENISA became a CVE Numbering Authority (CNA) – an organization authorized to assign CVE IDs to vulnerabilities – in 2024. It then became a root CNA – an organization that oversees and coordinates multiple CNAs within a specific domain or region, onboarding new CNAs and resolving disputes – in 2025.
With the TL-Root CNA status, ENISA would become a top-level authority with the responsibility to manage the entire CVE Program alongside CISA and MITRE, setting global policies and ensuring consistency across all Root CNAs and CNAs.
Speaking to Infosecurity, Johannes Kaspar Clos, a responsible disclosure and CSIRT collaboration expert who works on CNA service implantation in Carvalho’s team at ENISA, said the agency’s future expended role in the CVE program is not only aimed at more operational leverage but also enhanced power in policy and administrative decision-making.
“As a Root CNA, we have a bigger operational footprint: we will now onboard new CNAs in Europe instead of MITRE and we are now represented in the Council of Roots helping to shape and operationalize the program, deal with challenges, adopt the program’s rules accordingly and support MITRE,” he explained.
“Now, as a TL-Root CNA, we would be represented in the CVE program’s Board, where there is currently no European representatives. We want to help and support the CVE Program to blossom and grow and share our European vision.”
Read more: AI Companies to Play Bigger Role in CVE Program, Says CISA
ENISA’s Priority: Onboarding EU National CSIRTs As CNAs
The onboarding of ENISA as the third TL-Root CNA aligns with the CVE Program’s broader diversification and internationalization strategy.
Currently, the CVE Program has 502 CNAs, of which only 83 are Europe-based organizations.
Carvalho told Infosecurity that, while he would not say that Europe is “underrepresented” in the program, “there should be a bit more” European CNAs than there are.
“We know that the European market is not as big as the US market, but we’d like to have more representatives from the EU,” he added.
During his VulnCon speech, Carvalho said ENISA is already onboarding new CNAs and that the agency’s priority is to vet “all national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) in Europe” to become CNAs.
ENISA’s Vulnerability Branch Is Hiring
Both Carvalho and Clos said that the push to get ENISA more involved in the CVE Program came from EU member-states.
Clos added that the growing volume and complexity of reported vulnerabilities calls for more stakeholders to take part in the program, especially now that AI companies, like OpenAI and Anthropic, have launched models that promise to autonomously find and fix cybersecurity vulnerabilities at scale.
“We need to include a diverse crowd of cybersecurity practitioners, from product and nationals CERTs and CSIRTs to researchers and vulnerability finders,” Clos said.
Carvalho also explained that, while the will to get more involved in the CVE program had been an aim of ENISA for a while, the agency needed to “mature its services and team to adequately represent EU interests on the program’s Board.”
“The challenge was always in front of us but was never picked up. I guess the concerns about software vulnerabilities were not big enough until now” Clos told Infosecurity.
“We are a very small team, that’s why, to do this, we need more people to work and support, a critical mass to work on and support the CVE program in different tasks, including onboarding national CERTs and CSIRTs. And indeed, we are growing and hiring. You’ll find vacancy notices on ENISA’s website,” Carvalho added.
Additionally, both Carvalho and Clos agreed that the TL-Root CNA onboarding process is “unchartered territory” as CISA and MITRE have operated it from the inception of the program and no one has ever been granted it ever since.
“While it doesn’t’ depend solely on us, we hope ENISA can become a TL-Root CNA in 2026 or in early 2027. We will do our best for meeting this timeframe,” Carvalho concluded.
