European Cybersecurity Agency ENISA Seeks Top-Tier Status in CVE Program

ENISA’s bid to become the third top‑level root CVE Numbering Authority marks a strategic shift in how the European Union will influence global vulnerability coordination. Announced by sector head Nuno Rodrigues Carvalho at VulnCon 26, the agency expects formal TL‑Root CNA status by 2026 or early 2027, pending approval from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Achieving this tier would place ENISA alongside CISA and MITRE, granting it a seat at the CVE program’s board and the ability to shape policy, standards, and dispute‑resolution mechanisms across the worldwide ecosystem.

The move directly addresses the current geographic imbalance in the CVE ecosystem, where only 83 of the 502 registered CNAs are Europe‑based. By securing TL‑Root status, ENISA will be able to onboard national computer emergency response teams (CERTs) and CSIRTs as CNAs, expanding the European footprint and ensuring regional threat intelligence is reflected in vulnerability disclosures. This deeper involvement also promises faster coordination during cross‑border incidents, as European stakeholders will have a direct voice in the Council of Roots that governs CNA onboarding, dispute handling, and rule‑making.

Rising vulnerability complexity and the emergence of AI‑driven discovery tools have amplified the need for broader participation in the CVE program. ENISA’s leadership highlighted that a larger, more diverse pool of practitioners—from national CSIRTs to independent researchers—will improve the quality and timeliness of disclosures. To support this expanded role, the agency is actively recruiting cybersecurity analysts and engineers, signaling a commitment to build a critical mass capable of managing the increased workload. The hiring surge underscores how Europe is preparing to meet the growing demands of a rapidly evolving threat landscape.