ENISA Onboards Its First CNAs: What It Means for CRA Article 14
ENISA onboards its first CVE Numbering Authorities under ENISA Root. Learn what 4 new CNAs and 7 transfers mean for the CRA Article 14 reporting chain ahead of the September 2026 deadline.
The 24-hour clock under CRA Article 14 starts the moment you have reasonable belief of active exploitation. That clock presupposes a working vulnerability identification chain. ENISA just made that chain more direct.
On 6 May 2026, ENISA announced that four new organisations joined the CVE Programme as CVE Numbering Authorities (CNAs) under ENISA Root. Seven existing European CNAs also moved from MITRE Root to ENISA Root. For any manufacturer preparing for CRA Article 14 compliance, this is the operational backbone coming online.
This announcement matters more than it looks. The CRA does not exist in a vacuum. It defines legal obligations, but those obligations depend on infrastructure that has to exist and function before 11 September 2026. ENISA building out its CVE Root is part of that infrastructure, and the fact that it is happening now, with the CRA deadline this close, is both reassuring and a reminder that the EU is still assembling the machinery while the clock runs.
Summary
- ENISA is a CVE Root for European entities. It became a Root in November 2025 and onboarded its first CNAs in May 2026.
- 4 new CNAs joined the CVE Programme under ENISA Root, trained and onboarded by ENISA directly. 7 existing European CNAs transferred from MITRE Root.
- 90+ European CNAs are eligible to transfer voluntarily under ENISA Root. Europe already represents nearly one-fifth of the 510 CNAs across 42 countries globally.
- CRA Article 14 requires manufacturers to report actively exploited vulnerabilities within 24 hours via the ENISA Single Reporting Platform (SRP), live from 11 September 2026.
- CVE IDs are the common identifier for that report. ENISA as CVE Root means Europe now assigns CVE IDs directly, without routing through MITRE.
- AI acceleration is a named driver. ENISA's Hans de Vries cited frontier AI models compressing the gap between vulnerability discovery and exploitation.
- Cybersecurity Act 2 proposes additional ENISA operational resources to match the growing volume.
Source: ENISA announcement, 6 May 2026.
Why CVE IDs Matter to Your Article 14 Report
When CRA Article 14 requires you to report an actively exploited vulnerability, the report needs to identify the vulnerability precisely. CVE IDs are the global standard for that identification. They are what ENISA's European Vulnerability Database (EUVD) uses. They are what the ENISA Single Reporting Platform will expect.
Getting a CVE ID assigned requires a CNA. If no EU CNA covered your software category, you went to MITRE. MITRE is US-based. The coordination worked, but it added latency. Under a 24-hour clock, latency is a compliance risk.
ENISA as CVE Root changes the routing. European CNAs now coordinate CVE assignment directly with ENISA. For most manufacturers, this is invisible day-to-day. You don't need to be a CNA. But the security researcher who finds a bug in your product, or the CSIRT that handles your disclosure, now operates under a root authority that is geographically aligned with the agency you report to under Article 14.
That is the infrastructure your 24-hour window depends on.
The Reporting Chain Under CRA Article 14
CRA Article 14(1) requires manufacturers to report to the coordinator CSIRT and to ENISA simultaneously, via the ENISA Single Reporting Platform. You file once. Both receive it.
But the SRP needs a CVE ID to anchor the report. ENISA's role as CVE Root means the identification step and the reporting step now sit under the same agency. The body that names the vulnerability is the same body you report to. That closes a coordination gap that existed when the two functions ran through separate organisations on different continents.
ENISA now assigns CVE IDs for European entities and receives Article 14 reports via the SRP. The agency that names the vulnerability is the same agency you report to under the CRA.
See the Article 14 reporting guide for the full 24h, 72h, and 14-day cadence and what the SRP submission covers.
The AI Acceleration Problem
Hans de Vries, ENISA's Chief Cybersecurity and Operations Officer, was direct about why this matters now:
"At a time when frontier AI models are accelerating vulnerability discovery and exploitation, Europe's vulnerability management capacity must keep pace and provide trusted operational support to the wider cybersecurity community."
AI tools compress the time between a bug being found and a bug being exploited. The window between "a researcher discovers it" and "your 24-hour Article 14 clock starts" is getting shorter. Two things follow. First, your internal triage process needs to match a faster threat timeline. Second, the CVE assignment step in the chain needs the same speed. ENISA is building that capacity now, and Cybersecurity Act 2 proposes additional ENISA operational resources specifically for this function.
What You Don't Need to Do
You don't need to become a CNA. CVE Numbering Authority status is for organisations that discover and publish vulnerability records. Most manufacturers are not CNAs and the CRA does not require it.
What CRA Annex I, Part II does require is a coordinated vulnerability disclosure (CVD) policy. That policy describes how your organisation receives, handles, and discloses vulnerabilities. Under that policy, you work with CNAs or CSIRTs who handle CVE assignment. ENISA as CVE Root means those partners now operate under a more direct EU authority structure.
Review your CVD policy against three questions before 11 September 2026:
- Does it name the reporting path? The policy must reference the ENISA SRP as the submission channel for Article 14 reports.
- Does it specify how you handle inbound reports? When a researcher reports a vulnerability to you, the policy must describe your response timeline and the CVE request process.
- Does it identify your coordinator CSIRT? Article 14(7) requires manufacturers to designate a coordinator CSIRT. That designation belongs in the policy.
See the CVD policy template for a structured starting point.
Our Take
The "reinforce, not fragment" framing is the right position. The risk with any EU-specific infrastructure is fragmentation. A European CVE silo that diverges from MITRE would hurt everyone, including European manufacturers working with global supply chains. The announcement is explicit that ENISA is working with CISA and MITRE under a shared commitment to the global programme.
The bigger message for manufacturers is timing. The infrastructure is being assembled at the same time you are supposed to comply with it. The SRP is not yet live. The CVE Root has 11 CNAs out of 90+ eligible. These will be ready by September 2026, but you need to be ready too, and building your process around infrastructure that is still coming online is harder than building it on stable ground.
Frequently Asked Questions
Does ENISA becoming a CVE Root change my Article 14 reporting obligations?
No. Your obligations under Article 14 are unchanged. You still report actively exploited vulnerabilities within 24 hours via the ENISA SRP from 11 September 2026. What changes is the infrastructure behind the platform. ENISA now handles CVE ID assignment directly for European entities, reducing coordination latency between vulnerability identification and the reporting step. See the Article 14 reporting guide for the full obligation details.
Do I need to become a CVE Numbering Authority to comply with the CRA?
No. CNA status is for organisations that discover and publish vulnerability records. The CRA requires a coordinated vulnerability disclosure policy under Annex I, Part II, and Article 14 reporting via the ENISA SRP. Those are separate from CNA membership. Most manufacturers comply by working with existing CNAs or CSIRTs rather than holding CNA status themselves.
When did ENISA become a CVE Root and what does that mean in practice?
ENISA became a CVE Root for European entities in November 2025. As Root, it recruits, onboards, trains, and manages CNAs within its scope, and facilitates CVE ID assignment and record publication for European entities. The first CNA onboardings under ENISA Root were announced on 6 May 2026: four new CNAs and seven transferring from MITRE Root. In practice, it means European CNAs now coordinate CVE assignment with ENISA rather than routing through the US-based MITRE organisation.
What is the European Vulnerability Database and how does it connect to ENISA Root?
ENISA operates the European Vulnerability Database (EUVD), which catalogues vulnerabilities using CVE IDs as the common identifier. As CVE Root, ENISA now controls the assignment of those IDs for European entities. The database and the assignment authority are aligned under one agency. Manufacturers can use the EUVD to verify whether a vulnerability has been recorded before or after submitting an Article 14 report via the SRP.
Why does the AI acceleration argument matter for my CRA preparation?
ENISA's Chief Cybersecurity and Operations Officer cited frontier AI models compressing the time between vulnerability discovery and exploitation. A shorter discovery-to-exploit window means less buffer between when a researcher finds a bug and when your 24-hour Article 14 clock starts. Your internal triage process needs to be built for that pace. Run a tabletop exercise against the 24-hour window before 11 September 2026 to verify your process holds.
What is the difference between MITRE Root and ENISA Root for European CNAs?
MITRE is the US-based organisation that historically served as the global CVE root. European CNAs under MITRE Root coordinated CVE assignment through MITRE. Under ENISA Root, those CNAs coordinate directly with ENISA. The CVE ID format and CVE Programme rules are unchanged. The difference is the root authority: EU-based, EU-mandated, and integrated with the ENISA SRP and EUVD that CRA manufacturers report through.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.