ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (ENISA, 2026-05-06). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population.

What changed: EU technology vendors and public-sector organisations now have a European coordination tier for CVE assignment — potentially affecting advisory publication timing and format compared to MITRE Root coordination, particularly for products made by EU software vendors.

What defenders need to do differently: EU public-sector CNAs and vendor PSIRTs should re-confirm their root assignment and review whether their disclosure-coordination contacts at ENISA Root differ from their MITRE Root contacts; defender-side SIRT / vulnerability-management functions should expect ENISA-coordinated EU-discovered CVEs to ship through ENISA-supervised channels going forward.

The CRA (Cyber Resilience Act) framework drives the migration. Names of the four new CNAs were not disclosed in the press release; more transfers are expected.