ctipilot.ch

ENISA expands CVE Numbering Authority Root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

campaign · policy:enisa-cve-root-2026

Coverage timeline
3
first 2026-05-07 → last 2026-05-10
Briefs
3
3 distinct
Sources cited
3
3 hosts
Sections touched
3
ch-eu, research, weekly_policy
Co-occurring entities
0
no co-occurrence
2026-05-073 appearances2026-05-10

Story timeline

  1. 2026-05-10CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_policyConsolidated in weekly summary for week 2026-W19 § 8 policy horizon as obligation-affecting item.
  2. 2026-05-09CTI Daily Brief — 2026-05-09
    researchReinforcing coverage. ENISA expansion noted again; names of 4 new CNAs not yet disclosed.
  3. 2026-05-07CTI Daily Brief — 2026-05-07
    ch-euFirst coverage (logged retrospectively in weekly). ENISA designated CVE Root Nov 2025; CRA implementation; 4 new CNAs joined ENISA Root, 7 migrated from MITRE Root; ~90 European CNAs eligible voluntary transfer.

Where this entity is cited

  • ch-eu1
  • research1
  • weekly_policy1

Source distribution

  • enisa.europa.eu1 (33%)
  • globalpolicywatch.com1 (33%)
  • sec.cloudapps.cisco.com1 (33%)

All cited sources (3)

Items in briefs about ENISA expands CVE Numbering Authority Root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer (2)

ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

ENISA announced on 2026-05-06 that four organisations have joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root, and that seven additional European CNAs have migrated from MITRE Root to ENISA Root (ENISA, 2026-05-06). ENISA was designated as a CVE Root in November 2025, establishing a European coordination tier alongside CISA (USA), JPCERT/CC (Japan), MITRE, and Google. Approximately 90 European organisations remain eligible for voluntary transfer — nearly one-fifth of the global CNA population. What changed: EU technology vendors and public-sector organisations now have a European coordination tier for CVE assignment — potentially affecting advisory publication timing and format compared to MITRE Root coordination, particularly for products made by EU software vendors. What defenders need to do differently: EU public-sector CNAs and vendor PSIRTs should re-confirm their root assignment and review whether their disclosure-coordination contacts at ENISA Root differ from their MITRE Root contacts; defender-side SIRT / vulnerability-management functions should expect ENISA-coordinated EU-discovered CVEs to ship through ENISA-supervised channels going forward. The CRA (Cyber Resilience Act) framework drives the migration. Names of the four new CNAs were not disclosed in the press release; more transfers expected.

ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities

From CTI Daily Brief — 2026-05-09 · published 2026-05-11 · view item permalink →

On 2026-05-06 ENISA announced four additional organisations joined the CVE Program as CVE Numbering Authorities (CNAs) under ENISA Root, bringing the total under ENISA oversight to at least eleven (ENISA press release, 2026-05-06). The names of the four new CNAs were not disclosed in the press release; more are expected. Over 90 European CNAs are eligible to voluntarily transfer from MITRE Root. This is part of the EU Cyber Resilience Act (CRA) implementation framework: the CRA designates ENISA as the EU-level coordination body for harmonised vulnerability reporting, and the CVE Root transfer is the operational mechanism. For defenders: an increasing proportion of EU-discovered CVEs will be assigned and initially coordinated through ENISA-supervised channels, which may affect advisory publication timing and format compared to MITRE Root coordination — particularly for products made by EU software vendors.