The European Union Agency for Cybersecurity (Enisa) has debuted a European Union Vulnerability Database (EUVD) to provide “aggregated, reliable and actionable” information on newly disclosed cyber security vulnerabilities in IT products and services.
The EUVD, which is mandated by the NIS2 Directive, is designed to gather publicly available information from sources such as EU member state national computer security incident response teams (CSIRTs), industry threat researchers, and other vulnerability databases, including Mitre’s CVE Program.
Enisa said that to meet this goal, it has constructed its platform on a holistic approach as an interconnected database that it believes will allow for better analysis and help the community correlate vulnerabilities. It said this would ultimately make it a more trustworthy, transparent and broader information source.
“The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience,” said Henna Virkkunen, European Commission executive vice-president for tech sovereignty, security and democracy.
“By bringing together vulnerability information relevant to the EU market, we are raising cyber security standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”
Enisa executive director Juhan Lepassaar added: “Enisa achieves a milestone with the implementation of the vulnerability database requirement from the NIS2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with them.
“The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
Mitre CVE Program
The launch of the EUVD comes mere weeks after the security community was rocked by the near-death experience of Mitre’s long-running CVE Program, a US government-backed and -funded resource that over the past two decades has become a fixture in the security world.
Although Mitre’s funding was, in the end, restored at the last minute by the US authorities, the 24 hours of uncertainty prompted much soul-searching and many cyber professionals have begun to consider or discuss the idea of alternatives to a programme that is ultimately backed by a single government.
Although EUVD is not designed to replace the US programme, Enisa said it had worked with Mitre on its development, and continues to work alongside the non-profit body to understand the impact of the funding crisis on the EUVD project.
For now, data on common vulnerabilities and exposures (CVE), data provided by those disclosing vulnerabilities, and other sources such as the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalogue will be automatically transposed into EUVD with support from EU member state CSIRTs.
For example, CVE-2025-32709, a privilege escalation vulnerability in Windows Ancillary Function Driver for WinSock – disclosed this week on Patch Tuesday – appears in the EUVD with the designation EUVD-2025-14439.
Sylvain Cortes, strategy vice-president at Hackuity, said: “Enisa’s new EUVD is a good initiative when you consider the recent funding issues around Mitre’s CVE Program.
“There’s also still some uncertainty around whether the Mitre database will continue to exist after the new contract expires in 10 months’ time, so having a European option in place means the industry can be less reliant on one vulnerability enrichment source. It’s an even greater alternative when you consider the fact that the NVD [the US National Vulnerability Database] has suffered backlogs in the past.
“Ultimately, we need a source for all vulnerabilities that is reliable and open, and we hope that the new EUVD promises will provide this,” said Cortes.
Crystal Morin, cyber security strategist at Sysdig, also welcomed the launch as part of the ongoing effort to strengthen global cyber security amid an uncertain future. She said she hoped the EUVD would complement the CVE Program.
“Having both in play means more organisations handling CVE requests and, ultimately, faster public disclosure,” she said.
“For security teams, the EUVD is simply another trusted source for vulnerability intelligence. As long as vulnerability submissions are streamlined – only submitted to one programme – we avoid duplication and confusion, and gain speed and resilience.”
