The EU cybersecurity agency ENISA on Tuesday announced the official launch of the European Vulnerability Database, or EUVD. Industry professionals believe the EUVD can be a useful resource, but the agency needs to ensure it stays relevant.
The EUVD is mandated by the NIS2 Directive, the EU baseline framework for cybersecurity risk management and incident reporting. The database aims to provide “aggregated, reliable, and actionable information”, including exploitation status and mitigation measures, on vulnerabilities affecting IT, OT and IoT products.
The database is accessible for free to anyone. It includes information sourced from vendors, incident response teams, and other vulnerability databases, such as CISA’s Known Exploited Vulnerabilities (KEV) catalog and MITRE’s CVE Program. It’s also worth noting that ENISA has been a CVE Numbering Authority (CNA) since 2024, so it can assign CVE identifiers to vulnerabilities itself.
SecurityWeek has reached out to several experts to get their thoughts on the new EUVD, particularly in light of the recent issues plaguing the CVE Program and the National Vulnerability Database (NVD).
“There’s a long history of vulnerability databases, so it’s not uncommon to see new vulnerability and exploit database sources emerge. In the case of ENISA, it makes sense that the EU would want a regional database—even if it’s largely redundant with the CVE Program—because it allows for greater control and customization tailored to regional stakeholders,” said Patrick Garrity, security researcher at vulnerability management firm VulnCheck.
“The ENISA initiative was not intended to replace the CVE Program; in fact, it was developed in close coordination with it. That said, its launch does come at a time when concerns about NIST NVD and the CVE Program’s funding crisis have been widely voiced,” Garrity added.
VulnCheck maintains its own KEV catalog for customers; according to an analysis by SecurityWeek, it currently tracks nearly three times as many vulnerabilities as CISA’s KEV and the EUVD.
Nathaniel Jones, VP of Security & AI Strategy and Field CISO at Darktrace, described the EU Vulnerability Database as “a win for the global cybersecurity community”.
“While there will be operational kinks to work out, the basics of maintaining information from MITRE’s CVE Program and CISA’s KEV are encouraging,” Jones said. “It’s sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time.”
On the other hand, Julian Brownlow Davies, VP of Advanced Services at bug bounty platform Bugcrowd, pointed out that ENISA must overcome several challenges for the database to stay operationally relevant.
“Unlike KEV or private sources like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases; they need better signal,” Davies told SecurityWeek.
Related: CVE and NVD – A Weak and Fractured Source of Vulnerability Truth
Related: White House Proposal Slashes Half-Billion From CISA Budget