Europe launches its own vulnerability database on Tuesday – one that will work in tandem with existing industry databases, including Mitre’s widely-used CVE database, which had its own funding crisis last month.
The brand new European Union Vulnerability Database – to be officially known by its acronym “EUVD” – was developed by the European Union Agency for Cybersecurity (ENISA), which will also be responsible for maintaining and updating the database.
The EUVD follows in the footsteps of other industry databases to provide “aggregated, reliable, and actionable information” on cybersecurity vulnerabilities and their exploit status, as well as mitigation methods to eliminate or reduce risks to network systems.
“The EU Vulnerability Database is a major step towards reinforcing Europe's security and resilience," said Henna Virkkunen, European Commission Executive Vice-President for Tech Sovereignty, Security and Democracy.
“By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy,” said Virkkunen, echoing the sentiment of most security insiders who back EU integration with the vulnerability reporting ecosystem.
In response to nothing at all in particular, the EU have started their own vulnerability database. This is an excellent thing.https://t.co/pk3YWHpWG0
undefined Peter Lowe (@pgl) May 13, 2025
Reducing reliance on the CVE database
The timing of the EUVD launch comes just weeks after the most widely used vulnerability database among cyber professionals, MITRE’s Common Vulnerabilities and Exposures (CVE) database, was almost shuttered on April 16th due to the imminent expiration of its US government funding contract.
In a last-minute Hail Mary, the CVE funding was continued in force by the US Department of Homeland Security, essentially preventing an overnight collapse of the global security tool.
The funding crisis created a major stir across the cybersecurity community, even leading to the creation of a non-profit CVE Foundation to step in as a charter organization in the event of a future repeat 'lack-of-funding' event.
Joe Nicastro, Field Chief Technology Officer at Legit Security, said that the fast-tracking rollout of Europe’s own vulnerability database is no surprise given the recent chaos around MITRE's CVE funding debacle.
“It makes sense not only from a sovereignty perspective for the EU, I also think it's a smart move to reduce reliance on a single system whose future funding and viability isn't clear,” said Nicastro.
Nicastro, who mentioned he spoke on the matter with ENISA’s Chief Operating Officer Hans de Vries at the RSA conference held in San Francisco earlier this month, said it appears “the ultimate goal is for these two systems to work closely together as opposed to being a replacement.”
The EUVD maps its vulnerability entries to MITRE’s existing CVE IDs, Nicastro said, pointing out that besides "providing redundancy... it shows they're thinking about practicality and interoperability, not just politics,” Nicastro said.
Still in beta, the publicly accessible EUVD will aggregate available information from and work in conjunction with multiple sources, including CSIRTs (Computer Security Incident Response Teams), vendors, and existing open-source databases.
The database itself offers three dashboard views: for critical vulnerabilities, for exploited ones, and for EU coordinated ones, according to ENISA.
EUVD entries will include the following:
- Description of the vulnerability.
- Information and Communication Technologies (ICT) products or services affected and/or affected versions.
- Severity of the vulnerability and how it could be exploited.
- Information of existing relevant available patches or guidance provided by competent authorities.
- How to mitigate associated risks.
Besides cybersecurity professionals, the documented information will also be an invaluable asset to “suppliers of network and information systems and the entities using their services, competent national authorities, such as the EU CSIRTs network, as well as private companies and researchers,” ENISA said.
Your email address will not be published. Required fields are markedmarked