ctipilot.ch

ENISA expands CVE Numbering Authority Root

campaign · campaign:enisa-cve-root-2026 single-source-national-cert

ENISA expands CVE Numbering Authority Root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

Coverage timeline: 1 (first 2026-05-04 → last 2026-05-04)
Entries: 1 (1 distinct day)
Sources cited: 1 (1 host)
Sections touched: 1 (weekly-policy)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-04 · weekly-policy · ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

Where this entity is cited

  • weekly-policy: 1

Source distribution

  • enisa.europa.eu: 1 (100%)

Entries about ENISA expands CVE Numbering Authority Root (1)

2026-05-04

ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

notable policy discovered 2026-05-04 05:00 UTC single-source · national CERT

ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (ENISA, 2026-05-06). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population.

What changed: EU technology vendors and public-sector organisations now have a European coordination tier for CVE assignment — potentially affecting advisory publication timing and format compared to MITRE Root coordination, particularly for products made by EU software vendors.

What defenders need to do differently: EU public-sector CNAs and vendor PSIRTs should re-confirm their root assignment and review whether their disclosure-coordination contacts at ENISA Root differ from their MITRE Root contacts; defender-side SIRT / vulnerability-management functions should expect ENISA-coordinated EU-discovered CVEs to ship through ENISA-supervised channels going forward.

The CRA (Cyber Resilience Act) framework drives the migration. Names of the four new CNAs were not disclosed in the press release; more transfers expected.

vulnerabilities eu-nexus law-enforcement europe