ENISA takes on the role of Root in the European Cybersecurity Initiative (CVE). – Against Invaders

Redazione RHC: 27 November 2025 10:57

The European Union Agency for Cybersecurity (ENISA) has taken on the role of Root within the Common Vulnerabilities and Exposures (CVE) programme, becoming the main point of reference for national authorities, EU CSIRTs and partners falling within its mandate.

The new role expands on the Agency’s existing functions as Vulnerability Numbering Authority (CNA), which is responsible for assigning CVE identifiers and publishing the related records for reports managed by European CSIRTs, an operational role that has been active since January 2024.

ENISA Executive Director Juhan Lepassaar highlighted how this change strengthens the Agency’s ability to support vulnerability management within the Union, contributing to a more coordinated and consistent response to cybersecurity issues. The new Root status is part of a broader EU commitment to improving cooperation in vulnerability management, also in line with recent legislative initiatives, such as the Cyber Resilience Act, which introduces new obligations for manufacturers and developers.

The context of the CVE program

Established in 1999, the CVE program provides a standardized framework for identifying and describing publicly disclosed vulnerabilities. Each vulnerability receives a unique ID (CVE), allowing organizations, researchers, and security practitioners to communicate consistently and contribute to addressing identified issues. CVE records are published by a global network of partner organizations active in monitoring and managing threats.

ENISA’s new responsibilities

By joining the Roots, ENISA takes on additional tasks, including overseeing the CNAs within its institutional perimeter, verifying compliance with the CVE program guidelines, and establishing procedures and standards for assigning identifiers. The Agency will also continue to support the EU CSIRTs through its registry service, acting as an intermediary for the coordinated management of vulnerabilities discovered or reported within the network.

ENISA thus joins the CVE Program Root Council, which coordinates operational activities among Roots internationally. In addition to existing European partners, including INCIBE-CERT, Thales Group, and CERT@VDE, the council also includes organizations such as MITRE, CISA, Google, and Red Hat in the United States, as well as JPCERT/CC in Japan.

The transition phase

ENISA’s new scope of responsibility will affect all organizations subject to its mandate. CNAs wishing to transition to the Agency’s oversight can do so through a voluntary and collaborative process, supported by the CVE Program to ensure a smooth and seamless migration.

A European strategy for vulnerability management

The acquisition of the Root role consolidates ENISA’s position in the coordinated management of vulnerabilities at the European level, facilitating the standardization of practices, improving the quality of CVE records, and enabling faster and more harmonized disclosure of vulnerabilities. The goal is to reduce fragmentation and strengthen cross-border cooperation, promoting greater transparency and accountability for CSIRTs, industry, and institutions.

The Agency’s work is part of a broader ecosystem of European digital security initiatives, including:

  • EUVD – European Vulnerability Database, developed in implementation of the NIS2 Directive and currently operational under the management of ENISA.
  • The Cyber Resilience Act’s Single Reporting Platform (SRP) will become the single reporting system for manufacturers to report actively exploited vulnerabilities by September 2026.
  • Support for coordinated vulnerability disclosure (CVD) through the EU CSIRTs network, in cases where a security issue may affect multiple Member States.

Founded in 2004 and strengthened by the European Cybersecurity Act, ENISA supports Member States in developing cybersecurity policies, promotes certification schemes, and helps increase the resilience of Europe’s digital infrastructures.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
