European Cybersecurity Agency Takes on Role in CVE Program

The European Union Agency for Cybersecurity (ENISA) is set to enhance its role in overseeing vulnerability announcements throughout the EU. This development follows ENISA’s recognition as a “Root”-level entity within the Common Vulnerabilities and Exposures (CVE) program.
As part of the CVE program, an organization designated as a Root possesses the authority to assign identifiers to vulnerabilities and facilitate their disclosure. “With these new responsibilities, ENISA will bolster the EU’s capacity to manage cybersecurity vulnerabilities effectively and enhance digital security throughout the region,” stated ENISA’s Director, Juhan Lepassaar.
In addition to assigning CVE IDs, ENISA will serve as a pivotal contact for overseeing and publicizing vulnerabilities reported by or directed to the European Union Computer Security Incident Response Teams (CSIRTs). This initiative aims to minimize “fragmentation, improve cross-border coordination, and expedite responsible disclosures,” according to ENISA.
Europe has been actively working to elevate its stature in cybersecurity transparency and monitoring. A notable step was the launch of the European Union Vulnerability Database in May, which aims to serve as an analog to the U.S. National Vulnerability Database (see: Tracking Bugs: European Vulnerability Database Goes Live).
Additionally, ENISA is in the process of establishing a “Single Reporting Platform” designed for manufacturers to report actively exploited vulnerabilities. This requirement will come into effect under the Cyber Resilience Act starting in 2026 (see: European Council Adopts Cyber Resilience Act).
ENISA’s enhanced focus on vulnerability management comes on the heels of a turbulent period for the CVE program earlier this year when Mitre, the organization responsible for running the program under U.S. federal direction, faced potential funding cuts. The last-minute extension of funding by the U.S. Cybersecurity and Infrastructure Security Agency alleviated immediate concerns but raised questions about reliance on a potentially volatile U.S. partner (see: Filling the Gap with the European Vulnerability Database).