
Redazione RHC: 27 November 2025 10:57
The European Union Agency for Cybersecurity (ENISA) has taken on the role of Root within the Common Vulnerabilities and Exposures (CVE) Program, becoming the main point of reference for national authorities, EU CSIRTs and partners falling within its mandate.
The new role expands on the Agency’s existing functions as a CVE Numbering Authority (CNA), which is responsible for assigning CVE identifiers and publishing the related records for reports managed by European CSIRTs, an operational role that has been active since January 2024.
ENISA Executive Director Juhan Lepassaar highlighted how this change strengthens the Agency’s ability to support vulnerability management within the Union, contributing to a more coordinated and consistent response to cybersecurity issues. The new Root status is part of a broader EU commitment to improving cooperation in vulnerability management, also in line with recent legislative initiatives, such as the Cyber Resilience Act, which introduces new obligations for manufacturers and developers.
Established in 1999, the CVE program provides a standardized framework for identifying and describing publicly disclosed vulnerabilities. Each vulnerability receives a unique ID (CVE), allowing organizations, researchers, and security practitioners to communicate consistently and contribute to addressing identified issues. CVE records are published by a global network of partner organizations active in monitoring and managing threats.
By becoming a Root, ENISA takes on additional tasks, including overseeing the CNAs within its institutional perimeter, verifying compliance with the CVE Program guidelines, and establishing procedures and standards for assigning identifiers. The Agency will also continue to support the EU CSIRTs through its registry service, acting as an intermediary for the coordinated management of vulnerabilities discovered or reported within the network.
ENISA thus joins the CVE Program Root Council, which coordinates operational activities among Roots internationally. In addition to existing European partners, including INCIBE-CERT, Thales Group, and CERT@VDE, the council also includes organizations such as MITRE, CISA, Google, and Red Hat in the United States, as well as JPCERT/CC in Japan.
ENISA’s new scope of responsibility will affect all organizations subject to its mandate. CNAs wishing to transition to the Agency’s oversight can do so through a voluntary and collaborative process, supported by the CVE Program to ensure a smooth and seamless migration.
The acquisition of the Root role consolidates ENISA’s position in the coordinated management of vulnerabilities at the European level, facilitating the standardization of practices, improving the quality of CVE records, and enabling faster and more harmonized disclosure of vulnerabilities. The goal is to reduce fragmentation and strengthen cross-border cooperation, promoting greater transparency and accountability for CSIRTs, industry, and institutions.
The Agency’s work is part of a broader ecosystem of European digital security initiatives, including:
Founded in 2004 and strengthened by the European Cybersecurity Act, ENISA supports Member States in developing cybersecurity policies, promotes certification schemes, and helps increase the resilience of Europe’s digital infrastructures.