The European Union Agency for Cybersecurity (ENISA) announced on 6 May 2026 the addition of new CVE Numbering Authorities (CNAs) operating under its root, expanding the capacity to assign Common Vulnerabilities and Exposures (CVE) identifiers for vulnerabilities affecting products and services used across the EU. The move is intended to strengthen coordinated vulnerability disclosure and improve the overall cybersecurity posture of the bloc, directly impacting software vendors, national cybersecurity authorities, and end-users who rely on timely vulnerability information.
ENISA, based in Athens, published the announcement detailing that the new CNAs will operate under the ENISA Root, which was established in 2023 as part of the EU's broader efforts to centralize vulnerability management. The CNAs are organizations authorized to assign CVE IDs to vulnerabilities in their respective scopes, and their addition under ENISA's root means a more distributed and efficient assignment process across EU member states.
The document is a news release, not a formal regulation or guideline, and does not set mandatory requirements. Instead, it signals an operational expansion of ENISA's role in the CVE ecosystem. The announcement lists the new CNAs but does not specify concrete numerical targets for vulnerability assignments. It emphasizes the voluntary cooperation of stakeholders in reporting vulnerabilities and the importance of coordinated disclosure.
Policy orientations and trade-offs: The expansion of CNAs under ENISA's root increases the EU's autonomy in vulnerability management, reducing reliance on non-EU CVE roots. This strengthens cybersecurity resilience but may introduce administrative overhead for new CNAs and potential duplication with existing global CVE processes. The trade-off lies between greater EU control and the risk of fragmentation in the global vulnerability identification system.
Impact on stakeholders: EU software vendors will benefit from faster and more localized CVE assignments, potentially reducing the window of exposure. National cybersecurity authorities gain enhanced oversight of vulnerabilities affecting their constituents. However, smaller vendors may face compliance costs if they need to engage with multiple CNAs. End-users and cybersecurity researchers will have more timely access to vulnerability data, improving their ability to patch systems.
Expected institutional follow-up: ENISA is expected to continue onboarding additional CNAs and may issue operational guidelines for coordination with existing global CVE authorities. The European Commission may reference this expansion in upcoming cybersecurity legislative proposals, such as the Cyber Resilience Act implementation.