{"id":5143,"date":"2026-04-16T03:37:08","date_gmt":"2026-04-16T03:37:08","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/16\/european-cybersecurity-agency-enisa-seeks-top-tier-status-in-cve-program\/"},"modified":"2026-04-16T03:37:08","modified_gmt":"2026-04-16T03:37:08","slug":"european-cybersecurity-agency-enisa-seeks-top-tier-status-in-cve-program","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/04\/16\/european-cybersecurity-agency-enisa-seeks-top-tier-status-in-cve-program\/","title":{"rendered":"European Cybersecurity Agency ENISA Seeks Top-Tier Status in CVE Program"},"content":{"rendered":"<div id=\"layout-80188848-46ea-4d4a-a9ba-47d5aba8bfa1\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>ENISA, the EU\u2019s Cybersecurity Agency, is strengthening its ties with the US-funded Common Vulnerabilities and Exposures (CVE) program, a top leader of the agency has announced.<\/p>\n<p>Invited\u00a0to speak at VulnCon26&#8217;s opening keynote in Scottsdale, Arizona, on April 14, Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, revealed that the agency was currently being onboarded by the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the program, to become a top-level root CVE Numbering Authority (TL-Root CNA).<\/p>\n<p>Speaking to <em>Infosecurity<\/em> after the session, Carvalho said he hopes the European agency can obtain this status \u201cin 2026 or early 2027.\u201d<\/p>\n<h2><strong>CNA, Root CNA and TL-Root CNA Explained<\/strong><\/h2>\n<p>Only two entities currently hold TL-Root CNA status: CISA, the program\u2019s sponsor, and MITRE, the US-funded nonprofit which runs the program.<\/p>\n<p>ENISA became a CVE Numbering Authority (CNA) \u2013 an organization authorized to assign CVE IDs to vulnerabilities \u2013 in 2024. 
It then became a root CNA \u2013 an organization that oversees and coordinates multiple CNAs within a specific domain or region, onboarding new CNAs and resolving disputes \u2013 in 2025.<\/p>\n<p>With the TL-Root CNA status, ENISA would become a top-level authority with the responsibility to manage the entire CVE Program alongside CISA and MITRE, setting global policies and ensuring consistency across all Root CNAs and CNAs.<\/p>\n<p>Speaking to <em>Infosecurity<\/em>, Johannes Kaspar Clos, a responsible disclosure and CSIRT collaboration expert who works on CNA service implementation in Carvalho\u2019s team at ENISA, said the agency\u2019s future expanded role in the CVE program is aimed not only at more operational leverage but also at enhanced power in policy and administrative decision-making.<\/p>\n<p>\u201cAs a Root CNA, we have a bigger operational footprint: we will now onboard new CNAs in Europe instead of MITRE and we are now represented in the Council of Roots helping to shape and operationalize the program, deal with challenges, adopt the program\u2019s rules accordingly and support MITRE,\u201d he explained.<\/p>\n<p>\u201cNow, as a TL-Root CNA, we would be represented in the CVE program\u2019s Board, where there are currently no European representatives. 
We want to help and support the CVE Program to blossom and grow and share our European vision.\u201d<\/p>\n<h2><strong>ENISA\u2019s Priority: Onboarding EU National CSIRTs As CNAs<\/strong><\/h2>\n<p>The onboarding of ENISA as the third TL-Root CNA aligns with the CVE Program\u2019s broader diversification and internationalization strategy.<\/p>\n<p>Currently, the CVE Program has 502 CNAs, of which only 83 are Europe-based organizations.<\/p>\n<p>Carvalho told <em>Infosecurity<\/em> that, while he would not say that Europe is \u201cunderrepresented\u201d in the program, \u201cthere should be a bit more\u201d European CNAs than there are.<\/p>\n<p>\u201cWe know that the European market is not as big as the US market, but we\u2019d like to have more representatives from the EU,\u201d he added.<\/p>\n<p>During his VulnCon speech, Carvalho said ENISA is already onboarding new CNAs and that the agency\u2019s priority is to vet \u201call national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) in Europe\u201d to become CNAs.<\/p>\n<h2><strong>ENISA\u2019s Vulnerability Branch Is Hiring<\/strong><\/h2>\n<p>Both Carvalho and Clos said that the push to get ENISA more involved in the CVE Program came from EU member states.<\/p>\n<p>Clos added that the growing volume and complexity of reported vulnerabilities calls for more stakeholders to take part in the program, especially now that AI companies, like OpenAI and Anthropic, have launched models that promise to autonomously find and fix cybersecurity vulnerabilities at scale.<\/p>\n<p>\u201cWe need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders,\u201d Clos said.<\/p>\n<p>Carvalho also explained that, while getting more involved in the CVE program had been an aim of ENISA for a 
while, the agency needed to \u201cmature its services and team to adequately represent EU interests on the program\u2019s Board.\u201d<\/p>\n<p>\u201cThe challenge was always in front of us but was never picked up. I guess the concerns about software vulnerabilities were not big enough until now,\u201d Clos told <em>Infosecurity<\/em>.<\/p>\n<p>\u201cWe are a very small team, that\u2019s why, to do this, we need more people to work and support, a critical mass to work on and support the CVE program in different tasks, including onboarding national CERTs and CSIRTs. And indeed, we are growing and hiring. You\u2019ll find vacancy notices on ENISA\u2019s website,\u201d Carvalho added.<\/p>\n<p>Additionally, both Carvalho and Clos agreed that the TL-Root CNA onboarding process is \u201cuncharted territory\u201d as CISA and MITRE have operated it from the inception of the program and no one has been granted it since.<\/p>\n<p>\u201cWhile it doesn\u2019t depend solely on us, we hope ENISA can become a TL-Root CNA in 2026 or in early 2027. We will do our best to meet this timeframe,\u201d Carvalho concluded.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ENISA, the EU\u2019s Cybersecurity Agency, is strengthening its ties with the US-funded Common Vulnerabilities and Exposures (CVE) program, a top leader of the agency has announced. 
Invited\u00a0to speak at VulnCon26&#8217;s opening keynote in Scottsdale, Arizona, on April 14, Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, revealed that the agency<\/p>\n","protected":false},"author":2,"featured_media":5144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5143-8ea909f9-ad16-4fa1-be80-9fe043936cc7-146
x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5143"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5144"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}