ctipilot.ch

ENISA CVE Numbering Authority Root — 4 new CNAs onboarded, identities undisclosed; 7 existing CNAs migrated from MITRE Root

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ENISA's 2026-05-06 announcement (W19 forward-looking item) is now confirmed: four organisations have newly joined the CVE Program as CNAs under ENISA Root, and seven existing European CNAs have transferred from MITRE Root to ENISA Root. ENISA's announcement does not name the four new CNAs. ENISA became CVE Root for European entities in November 2025; over 90 European CNAs can voluntarily transfer. ENISA's CVE Root scope covers entities within its mandate, including vulnerabilities discovered by or reported to EU CSIRTs. The change strengthens European vulnerability-disclosure capacity under NIS2 Article 12 (coordinated vulnerability disclosure) obligations. The undisclosed CNA identities are a transparency gap worth surfacing: defenders cannot pattern-match which EU vendors or institutions have CNA capacity until ENISA publishes the list (ENISA news).