December 12, 2025

Stepping up our role in Vulnerability Management: ENISA Becomes CVE Root

ENISA is taking on a bigger role in how software and hardware vulnerabilities are coordinated across Europe by becoming a Root in the global CVE Program. This change moves ENISA from simply assigning CVE IDs for issues handled by EU CSIRTs to acting as a central point of contact for national authorities, incident response teams and other partners operating under its mandate. As a Root, ENISA will help onboard and support other CVE Numbering Authorities, oversee how CVE rules and processes are applied, and work to harmonize practices so that vulnerabilities affecting multiple Member States or cross-border services can be handled more consistently and quickly.

This expanded role fits into a broader push to strengthen vulnerability management in the EU through initiatives like the European Vulnerability Database and new reporting obligations under laws such as NIS2 and the Cyber Resilience Act. By coordinating CVE activities at European level, ENISA aims to reduce fragmentation, give researchers and vendors a clearer path for getting CVE IDs and legal guidance, and ensure that high-quality, timely vulnerability records are available to everyone who needs them. In the long run, a European Root in the CVE hierarchy is intended to give the EU greater strategic autonomy in vulnerability management, while still integrating smoothly with the global CVE community.

Source: https://www.enisa.europa.eu/news/stepping-up-our-role-in-vulnerability-management-enisa-becomes-cve-root
