ENISA expands European role in global vulnerability tracking system
The European Union Agency for Cybersecurity (ENISA) has added four new organisations to the global CVE vulnerability identification system under its coordination framework, expanding Europe’s operational role in cybersecurity vulnerability management.
The European Union Agency for Cybersecurity has onboarded four additional organisations into the global Common Vulnerabilities and Exposures Program as CVE Numbering Authorities.
The organisations joined under ENISA Root, a coordination structure established after ENISA became a CVE Root authority for European entities in November 2025.
The CVE system is used internationally to identify and catalogue publicly disclosed cybersecurity vulnerabilities. Each vulnerability receives a standardised identifier, allowing governments, vendors, researchers, and security teams to coordinate responses using the same reference system.
The expansion increases Europe’s operational role within that infrastructure. According to ENISA, seven existing European authorities have already transitioned from MITRE coordination to ENISA Root, alongside the four newly onboarded organisations.
The development comes as vulnerability management is becoming more operationally demanding. ENISA linked the expansion to concerns that advanced AI systems are accelerating both vulnerability discovery and exploitation, compressing the time between identifying a flaw and weaponising it.
A key issue is coordination capacity. The number of vulnerabilities reported globally continues to grow, while organisations increasingly depend on fast and standardised disclosure processes to manage security risks across software and network infrastructure.
ENISA stated that more organisations are expected to join in the coming weeks. The agency currently supports onboarding, training, and operational readiness processes for European CNAs within its scope.
Rather than creating a separate European vulnerability system, ENISA emphasised coordination with the Cybersecurity and Infrastructure Security Agency and the MITRE Corporation. The agency described its role as reinforcing the existing global vulnerability identification framework rather than fragmenting it into regional systems.
