Coordinated vulnerability disclosure is now an EU obligation, but cultural change takes time

In this Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, discusses the recent CVE funding scare and what it exposed about the fragility of global vulnerability disclosure infrastructure. He outlines how EU regulations, including the Cyber Resilience Act and NIS2, are creating stronger accountability for vendors and organizations.

ENISA is building out European vulnerability services to support member states. Carvalho also addresses how practitioners navigate conflicting enrichment sources, and argues the CVE program needs a distributed model with no single point of failure.


The CVE program recently experienced a significant funding scare when MITRE’s contract with CISA came close to lapsing. From ENISA’s vantage point, what does that episode reveal about the structural fragility of a vulnerability disclosure ecosystem that underpins global cybersecurity?

The CVE Program has long served as the single global reference point for identifying and tracking publicly disclosed vulnerabilities, and the funding disruption highlighted just how much the broader ecosystem depends on CVE IDs as a shared reference point.

While we do not comment on the specifics of the contract between CISA and MITRE, we stress that vulnerability management is critical for the resilience of IT infrastructure to cyber threats and, as a consequence, that global cybersecurity relies on assumptions of continuity.

For the European Union, our regulatory, operational, and resilience outcomes rely on businesses being able to conduct effective vulnerability management, which in turn demands stability and sustainability of the vulnerability identification ecosystem. That is one of the reasons why the EU and its Member States are stepping up their efforts in this field.

In particular, ENISA has been scaling its own vulnerability services capacity, not to fragment the vulnerability disclosure ecosystem, but to strengthen Europe’s operational contribution to it, maintain interoperability with the global CVE backbone, and translate the existing vulnerability information into EU-wide mitigation and overall risk reduction efforts in support of Member States, CSIRTs, and the EU internal market.

Vendors have long been accused of gaming NVD and CVE processes, either by underreporting severity or delaying disclosure. What enforcement levers, if any, exist within the European regulatory space, and are they being used?

The European regulatory framework is becoming more consequential in this area. The main enforcement levers in the EU are emerging through the Cyber Resilience Act (CRA), which requires manufacturers of products with digital elements placed on the EU market to report actively exploited vulnerabilities and severe incidents within defined timelines through the Single Reporting Platform (SRP), being developed and to be operated by ENISA. These obligations (early warning within 24 hours, a notification within 72 hours, and follow-up reporting thereafter) will sit within a broader product-security and market-surveillance framework.

We expect that these measures will trigger increased attention to vulnerability management from producers of digital products and improve current practice with regard to reporting severity and disclosure.

Eventually, the producer should be responsible for accurately assessing a vulnerability and enabling their customers and the larger community to perform risk management when a vulnerability is found. Besides the CRA, which creates stronger legal accountability for timely vulnerability handling, reporting, and remediation, vulnerability coordination (and thereby disclosure timeframes) is facilitated by the EU Member States' designated coordinators based on national CVD policies (as per NIS2). The EU vulnerability database (EUVD), on the other hand, facilitates transparency by merging the available vulnerability information into its vulnerability records.

With the NIS2 Directive now in force, coordinated vulnerability disclosure becomes an obligation for many organizations. In practice, how is that cultural shift being received by sectors that historically treated vulnerability information as a liability?

It's worth noting there is no obligation for organisations (producers or NIS2 entities). The obligation is on the CSIRT to receive information.

There will definitely be a cultural adjustment, but we have to bear in mind also that organisations are not starting from zero. In many sectors, vulnerability disclosure has historically been approached very cautiously. Legal teams were understandably concerned about reputational risks, liability exposure or the potential operational impact of disclosing security weaknesses, often resulting in fairly defensive postures toward external researchers.

NIS2 (as well as the CRA) gradually normalizes coordinated vulnerability disclosure as part of standard cybersecurity governance: instead of treating vulnerability reports as exceptional or problematic events, organisations are expected to put in place structured processes to receive them, evaluate them, and coordinate remediation. Some sectors, particularly those with a longer history of engagement with the security research community, have adapted relatively quickly while others are still building the internal processes and confidence needed to engage more openly.

What we observe throughout the EU seems to be organisations adapting to this requirement. It will take some time, but organisations increasingly recognise that software development nowadays requires an active (positive) response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.

ENISA publishes its own threat landscape reports and interacts with CNAs across member states. When a high-severity vulnerability is assigned a CVE but enrichment, analysis, and contextualisation differ between ENISA, NIST, and national CERTs, who does a practitioner in, say, a mid-sized Croatian energy company ultimately trust?

In reality, practitioners often rely on multiple analytical sources. Vulnerability management has become a layered information process.

The vulnerability identifier (e.g. CVE ID) serves as a common reference point allowing everyone in the ecosystem to talk about the same issue and from there, different organisations may legitimately provide different analytical perspectives.

National CSIRTs, for example, often focus on contextual relevance for their own constituencies, including sector-specific exposure or regional threat activity. NIST’s enrichment work within the NVD is typically focused on standardised scoring and structured metadata. For a security practitioner inside an energy operator, the practical approach is usually to combine these perspectives: the identifier for consistency, vendor advisories for remediation guidance, and national or sector-specific guidance for operational context and “independent” criticality assessments. Hence, we continue to observe interoperability between sources rather than a single definitive interpretation of every vulnerability.

However, to address possible challenges related to differences in enrichment, analysis, and contextualisation, ENISA is working, together with EU Member States, to further develop EU vulnerability services, including capabilities for vulnerability enrichment. These efforts aim to strengthen coordination and improve the availability of consistent, context-aware, and machine-readable vulnerability information by and for its stakeholders, ultimately enabling practitioners to make faster and more informed risk management decisions.

If you were advising the next iteration of the CVE Program’s governance structure, what single architectural change would you argue for, and what institutional resistance would you expect to encounter in making it happen?

Rather than pointing to a single architectural fix, we need to focus on building a truly sustainable operating model for the next decade, strengthening the distributed approach, accountability, and resilience. A global common good service of this importance should not depend excessively on a potential "single point of failure," whether financial, institutional, or operational. A stronger model would preserve the integrity of the shared CVE backbone while distributing responsibilities across trusted actors that can contribute capacity, services, and operational support.

From ENISA's perspective, we are ready to contribute to the programme while, in parallel, continuing to build a European vulnerability services capacity.
