2025-07-25 press release

CERT@VDE becomes Germany's first Root CNA – more responsibility in the global system for cybersecurity in industry

Cyberattacks on companies and critical infrastructures have been increasing rapidly worldwide for years. Attackers exploit vulnerabilities in production systems, control systems, and other networked systems. To quickly close such security gaps and reliably inform affected users via security advisories, CERT@VDE has been supporting its partners as a competence platform for eight years. CERT@VDE has now become the central point of contact in the global CVE program for its partners: a strong signal for greater cybersecurity in industry.

(Frankfurt am Main, July 25, 2025) Security vulnerabilities in industrial products can be found in power and water supply systems, hospitals, and large manufacturing facilities. If attackers exploit these vulnerabilities, the consequences can be far-reaching and serious for people, the environment, and society. To prevent this effectively, vulnerabilities must be systematically recorded and identified worldwide. To this end, the CVE system was established in the US more than 25 years ago. CVE stands for "Common Vulnerabilities and Exposures". Every known vulnerability is stored with a unique identifier in the heart of the system, the CVE database. This helps to avoid fatal misunderstandings in the complex process of vulnerability management.

As the world's leading industry standard, the CVE system has enabled experts and companies since 1999 to respond quickly and specifically, identify problems immediately, and resolve them across manufacturers using a uniform syntax.

System stability

However, a uniform syntax alone is not enough to ensure order and efficiency in the assignment of CVE IDs. To prevent them from being distributed in an uncontrolled manner, only certain organizations and companies – known as "CVE Numbering Authorities (CNAs)" – are authorized to assign CVE IDs. These CNAs clearly divide the responsibilities for different products and areas of application among themselves. CERT@VDE has been acting as a CNA for its cooperation partners since 2020 and has achieved the highest quality standard for its own CVEs in the NVD (National Vulnerability Database) in numerous audits by NIST (National Institute of Standards and Technology, USA). The NVD is a US government database operated by NIST. It supplements the CVE system with technical details and evaluations.

Root CNAs are hierarchically organized above the CNAs. These include MITRE, CISA, Google, Red Hat from the US, JPCERT/CC from Japan, INCIBE Cert from Spain, and the Thales Group from France – and, since mid-July 2025, CERT@VDE as the first root CNA in Germany. In this new role, CERT@VDE will essentially structure, supervise, and coordinate the CVE assignment system for its partners. Specifically, this includes identifying, selecting, appointing, and supporting subordinate CNAs from among CERT@VDE partners, as well as training and onboarding these new CNAs. It will also ensure that CVE guidelines and processes are followed and that procedures, guidelines, and standards for assigning and managing CVE IDs are further developed.

New role, new responsibilities

Another important function of the Root CNA is conflict resolution: "We will mediate in the event of ambiguities or disputes between CNAs (e.g., regarding responsibilities for specific products) and check the quality and completeness of our partners' CVE entries," explains Jochen Becker, CNA process manager at CERT@VDE.

"As the first root CNA in Germany, we are not only the direct point of contact for our cooperation partners in the same time zone – we are also part of the international, federal CVE system and publish vulnerabilities according to a coordinated publication process," adds Andreas Harner, Head of Department at CERT@VDE. "The advantages for our cooperation partners are obvious: they demonstrate a high level of maturity in cybersecurity to existing and potential customers through sophisticated vulnerability management. They also retain control over the publication process of CVEs for vulnerabilities in their products."

In its new role, CERT@VDE is now a hub in the global vulnerability coordination network – both for SMEs and for medium-sized industrial companies. The platform brings with it the necessary expertise and trust from the industry. "However, the path to becoming a Root CNA was not a foregone conclusion, but the result of months of preparation, including several audit meetings with CISA and MITRE," emphasizes Jochen Becker. Andreas Harner sums it up: "By being recognized as the first Root CNA in Germany, we are sending a clear signal about the international visibility of German industry in the field of cybersecurity."


What do CVE, CNA, and Root CNA mean? 

CVE stands for "Common Vulnerabilities and Exposures". It is a list of security vulnerabilities reported worldwide that are officially registered by authorized bodies. These bodies are called CNAs (CVE Numbering Authorities), and they assign CVE numbers (CVE IDs) to vulnerabilities in a defined area, i.e., for specific products or manufacturers. A Root CNA is a higher-level organization that helps to record and name known security vulnerabilities in computer programs or devices. It also assigns CVE IDs, but additionally supervises and trains other CNAs. Root CNAs ensure structure and quality in the CVE system.


About CERT@VDE

CERT@VDE is the first independent cybersecurity platform in Germany for companies in the field of embedded software systems. As a coordinating product CERT (PSIRT), we have been working together with our industry partners for over five years to ensure a knowledge advantage along the value chain, thereby enabling a rapid and structured response to current threats in cyberspace.

Networking capabilities in products increase the attack surface and thus also the risk of a successful attack, regardless of whether you are looking at automation technology (OT security), a smart home or Industry 4.0. The CERT@VDE team helps companies to react appropriately to these threats and to respond to security vulnerabilities.

Our motto: What the individual company cannot do, CERT@VDE offers through cooperation, networking and competence: We support affected companies with the necessary analyses and decisions and coordinate the response to security vulnerabilities across organisational boundaries. 
Become part of this unique team and enable cybersecurity in Europe's supply chains through trusted collaboration on the CERT@VDE platform! More information at cert.vde.com

About VDE

VDE, one of the largest technology organizations in Europe, has been regarded as a synonym for innovation and technological progress for more than 130 years. VDE is the only organization in the world that combines science, standardization, testing, certification, and application consulting under one umbrella. The VDE mark has been synonymous with the highest safety standards and consumer protection for more than 100 years. 

Our passion is the advancement of technology, the next generation of engineers and technologists, and lifelong learning and career development “on the job”. Within the VDE network more than 2,000 employees at over 60 locations worldwide, more than 100,000 honorary experts, and around 1,500 companies are dedicated to ensuring a future worth living: networked, digital, electrical.  
Shaping the e-dialistic future. 

The VDE (VDE Association for Electrical, Electronic & Information Technologies) is headquartered in Frankfurt am Main. For more information, visit www.vde.com
