As the MITRE-run CVE program faces operational challenges, Europe has quietly launched a significant alternative. The European Vulnerability Database (EUVD), developed by ENISA, officially went live in April 2025.
Though some viewed it as a reaction to MITRE’s instability, the EUVD was long in the making. Its creation was mandated under the NIS2 Directive (Articles 62–63), adopted in 2022, which required ENISA to develop a vulnerability database serving the EU digital ecosystem.
Why EUVD Exists
The goal is both operational and political: build cybersecurity sovereignty and improve vulnerability visibility across EU infrastructure. Existing national databases, like the U.S. CVE and China’s CNNVD, have been criticized for selective disclosure—with some U.S. agencies delaying reports of zero-days for strategic reasons.
With the EUVD, Brussels is asserting control over vulnerability intelligence, subject to transparency and accountability rules that mirror EU values.
In ENISA’s words, the EUVD is a “central hub” for software and hardware vulnerability data, helping national CSIRTs, critical infrastructure providers, and software developers act faster on disclosed flaws (ENISA announcement).
How EUVD Works
The EUVD portal currently functions as an aggregator of known vulnerabilities. It assigns its own IDs but also mirrors CVEs. Notably, ENISA is an authorized CVE Numbering Authority (CNA)—but it’s also developing a parallel identification system, which could lead to some friction or confusion.
In the long term, this dual-ID model may enable the EU to spot omissions, lags, or discrepancies in U.S. or Chinese databases, bolstering resilience across the continent.
Powered by Law: NIS2 + Cyber Resilience Act
Two key regulations will give EUVD real teeth:
- NIS2 requires large providers to report vulnerabilities.
- The Cyber Resilience Act (effective September 2025) mandates vendors to report actively exploited bugs—which will feed directly into EUVD.
This legal backbone could transform EUVD from a passive aggregator into a leading vulnerability disclosure system in Europe.
What It Means for Security Teams
For cybersecurity vendors and defenders, EUVD brings:
- A redundant, independent source of vulnerability data.
- Faster alignment with EU-specific compliance regimes.
- A chance to cross-check disclosures across CVE and EUVD listings.
While still in early stages, EUVD is Europe’s bid to ensure vulnerability intelligence is not dependent on foreign actors—a strategic move in an era of digital autonomy.
Conclusion
The EUVD is more than just a database—it’s a political and regulatory instrument aimed at reshaping how vulnerability management works in Europe. It won’t replace CVE overnight, but it signals a shift toward a multipolar vulnerability landscape, where no single country controls the global flow of bug disclosures.
With enforcement of NIS2 and the Cyber Resilience Act on the horizon, expect the EUVD to play an increasingly central role in vulnerability response across Europe.