In a Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, addressed the recent CVE funding scare, EU regulatory enforcement, and why vulnerability disclosure is becoming a competitive differentiator for manufacturers.
On the CVE Funding Scare: No Single Point of Failure
A stronger model would preserve the integrity of the shared CVE backbone while distributing responsibilities across trusted actors that can contribute capacity, services, and operational support.
— Nuno Rodrigues Carvalho, ENISA
Carvalho confirmed that ENISA is scaling its own vulnerability services capacity — not to fragment the ecosystem, but to strengthen Europe's operational contribution and maintain interoperability with the global CVE backbone. From ENISA's perspective, the agency is ready to contribute to the programme while continuing to build European vulnerability services capacity in parallel.
On CRA Enforcement: SRP Pilot and September 2026
The CRA mandates 24-hour early warnings, 72-hour notifications, and follow-up reports via the Single Reporting Platform (SRP), which is currently in its pilot phase at ENISA. These obligations take effect in September 2026. They apply to products already on the EU market, including any product placed on the market before September 2026.
On NIS2: The Obligation Is on CSIRTs, Not Manufacturers
Carvalho clarified a widely held misconception: under NIS2, the coordinated vulnerability disclosure obligation falls on CSIRTs to receive reports — not on organisations to submit them. The Cyber Resilience Act is the instrument that creates mandatory disclosure obligations for manufacturers.
On Vulnerability Disclosure as a Competitive Advantage
Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.
— Nuno Rodrigues Carvalho, ENISA