ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities

On 2026-05-06 ENISA announced four additional organisations joined the CVE Program as CVE Numbering Authorities (CNAs) under ENISA Root, bringing the total under ENISA oversight to at least eleven (ENISA press release, 2026-05-06). The names of the four new CNAs were not disclosed in the press release; more are expected. Over 90 European CNAs are eligible to voluntarily transfer from MITRE Root. This is part of the EU Cyber Resilience Act (CRA) implementation framework: the CRA designates ENISA as the EU-level coordination body for harmonised vulnerability reporting, and the CVE Root transfer is the operational mechanism. For defenders: an increasing proportion of EU-discovered CVEs will be assigned and initially coordinated through ENISA-supervised channels, which may affect advisory publication timing and format compared to MITRE Root coordination — particularly for products made by EU software vendors.