The European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD) to enhance cyber resilience. Developed in accordance with the NIS2 Directive, the platform is now live and will be maintained by ENISA.
The EUVD is designed to provide aggregated, reliable, and actionable information about cybersecurity vulnerabilities affecting ICT (Information and Communication Technology) products and services. It includes details such as mitigation measures, exploitation status, and affected versions of ICT products.
“The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience,” said Henna Virkkunen, European Commission Executive Vice-President for Tech Sovereignty, Security and Democracy. “By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”
A Strategic Asset for the EU
The launch of the EUVD addresses a long-standing need for a centralized, European-focused vulnerability management platform. Unlike existing global databases, the EUVD integrates data with a distinctly European context, correlating vulnerabilities using sources such as CSIRTs (Computer Security Incident Response Teams), ICT vendors, and other open-source repositories.
“ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive,” said Juhan Lepassaar, Executive Director at ENISA. “The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
Who Is It For?
The EUVD is open to the public, and particularly useful for ICT product suppliers, cybersecurity professionals, public institutions, and private enterprises. Competent national authorities, including members of the EU CSIRTs network, will also benefit from the platform’s comprehensive and EU-centric data.
Key Features
The database offers three dashboard views: Critical Vulnerabilities, Exploited Vulnerabilities, and EU-Coordinated Vulnerabilities (managed by European CSIRTs).
Each entry may include a description of the vulnerability, affected ICT products/services and impacted versions, exploitation details and severity level, and available patches and mitigation guidelines.
The platform supports vulnerability lookups and provides enhanced situational awareness, enabling better risk assessment and mitigation planning for users across the EU.
Integration with Global Standards
ENISA has partnered with MITRE’s CVE Programme, so the EUVD can integrate Common Vulnerabilities and Exposures (CVE) data. ENISA became a CVE Numbering Authority (CNA) in January 2024, and can now assign CVE IDs for vulnerabilities discovered by EU CSIRTs as well as vulnerabilities reported to EU CSIRTs that fall outside the scope of other CNAs.
The database also ingests data from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and leverages the Common Security Advisory Framework (CSAF) for machine-readable advisories.
Distinction from the CRA Reporting Platform
The EUVD is distinct from the upcoming Single Reporting Platform (SRP) under the Cyber Resilience Act (CRA), which will serve as the notification channel through which manufacturers report actively exploited vulnerabilities (reporting that will become mandatory for these entities by September 2026). While the SRP is focused on compliance and manufacturer reporting, the EUVD is informational and proactive, aimed at risk management and knowledge-sharing.
A Double-Edged Sword
The introduction of a new vulnerability database brings both advantages and challenges, says Boris Cipot, Senior Security Engineer at Black Duck. “One clear benefit is reducing the reliance on the U.S. National Vulnerability Database (NVD) as a single source of truth. Today, multiple vulnerability databases exist, including the NVD (National Vulnerability Database), CNVD (Chinese National Vulnerability Database), and now the EUVD, a European implementation of a vulnerability database system.”
On the downside, yet another database must now be monitored and referenced, which adds complexity for organizations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage.
“NVD, compared to CISA KEV, has a broader coverage of vulnerabilities. However, one could argue that CISA KEV is a more focused VD as it focuses on the most critical vulnerabilities (7 or higher) based on the CVSS score. Both, however, usually lack when it comes to speed of delivery and updating the vulnerabilities compared to private/commercial VDs,” says Cipot.
The information contained in private/commercial VDs is usually also enriched with fixes or workarounds, technical details and links to the original data sources, he adds. “The information is typically more exact. Noting when a vulnerability was first introduced and when it was fixed for example, we can see that NVD is usually not as precise on documenting the actual start and end of a risk. Private/commercial VDs are more expensive than using the information of a public VD. However, one needs to also consider the manual work hours spent trying to make sense of the publicly available VD, cross check the information and see if the information might have some updates that are not mentioned in the CVE.”
In short, Cipot says companies are spending money either way, be it on “free” or paid solutions. “However, there is no free lunch. It may be wiser to spend the money on a prepared solution and use the time saved to implement the fixes.”
A Risk of Fragmentation
Julian Brownlow Davies, Vice President, Advanced Services at Bugcrowd, says the launch of the EUVD is a move towards governments asserting digital sovereignty in cybersecurity infrastructure. “While it’s great to see Europe investing in its own vulnerability coordination, the challenge will be staying operationally relevant. Unlike KEV or private sources like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases; they need better signal.”
Enhanced Transparency, Shared Knowledge
Darren Guccione, CEO and Co-Founder at Keeper Security, says large databases like the EUVD offer enhanced transparency and shared knowledge, while providing critical redundancy for existing databases. “The EUVD is a great example of what large-scale collaboration can produce. ENISA has demonstrated teamwork and cooperation with CISA, the US cyber defense agency, and the federally-funded research organization MITRE – incorporating relevant data from the organizations’ Known Exploited Vulnerabilities (KEV) catalog and Common Vulnerabilities and Exposures database. Together, these sources make the EUVD a powerhouse of knowledge to be consulted across the globe.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.