ENISA Aims for TL-Root CNA Status to Enhance European Cybersecurity
Severity: Low (Score: 21.9)
Sources: Feeds2.Feedburner, Infosecurity-Magazine
Summary
ENISA, the European Cybersecurity Agency, is working to become a top-level root CVE Numbering Authority (TL-Root CNA) in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA). Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, announced this initiative during VulnCon26 on April 14, 2026. The agency hopes to achieve this status by late 2026 or early 2027, which would allow it to manage the CVE Program alongside CISA and MITRE. Currently, only CISA and MITRE hold TL-Root CNA status. ENISA's expanded role is part of a broader strategy to diversify and internationalize the CVE Program, which currently has 502 CNAs, with only 83 based in Europe. Carvalho emphasized the need for more European representation within the program, as the EU market is smaller compared to the US. Additionally, ENISA is addressing the recent CVE funding scare and the fragility of global vulnerability disclosure infrastructure through new EU regulations. Key Points: • ENISA is seeking TL-Root CNA status to enhance its role in the CVE Program. • Only CISA and MITRE currently hold TL-Root CNA status, highlighting a gap in European representation. • New EU regulations are strengthening accountability for vendors and organizations in vulnerability disclosure.