
In a significant move toward strengthening the European Union’s cybersecurity autonomy and resilience, the European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD) — a purpose-built alternative to the globally recognized Common Vulnerabilities and Exposures (CVE) system maintained by MITRE in the United States.
This development aligns with the objectives of the NIS2 Directive and the upcoming Cyber Resilience Act (CRA), laying the groundwork for a more robust, independent, and legally binding vulnerability management framework across the EU.
🔍 Why Was EUVD Introduced?
- Strategic Autonomy:
ENISA recognized the need for Europe to reduce its dependence on US-managed cybersecurity registries like CVE. The EUVD ensures Europe has control over how vulnerabilities affecting its digital infrastructure are recorded, disclosed, and tracked.
- Legal Mandates Under NIS2 & CRA:
The NIS2 Directive, which came into effect in January 2023, calls for a centralized, coordinated vulnerability disclosure mechanism. The Cyber Resilience Act further mandates that software and hardware vendors report vulnerabilities through a recognized EU platform — and that platform is now the EUVD.
- Resilience Against Centralized Risk:
CVE, although globally accepted, depends heavily on funding and governance from a single nation. By launching EUVD, ENISA creates a sovereign fallback and alternative registry, protecting the EU from geopolitical or administrative disruptions in the US-led system.
🔧 How Does EUVD Work?
- Own Identifier Scheme:
EUVD assigns its own unique identifiers in the format EUVD-YYYY-XXXXX. However, it also cross-references CVE IDs and Global Security Database (GSD) IDs, ensuring compatibility with other databases.
- Rich Metadata:
EUVD records include:
- Detailed vulnerability descriptions
- CVSS (Common Vulnerability Scoring System) scores
- Affected products and vendors
- Publicly available advisories and patches
- Links to national CSIRTs or CERTs
- Machine-Readable Formats (CSAF):
It supports CSAF (Common Security Advisory Framework), making it easier for tools and platforms to ingest and automate processing of vulnerability data.
- Centralization of EU Advisories:
Vulnerabilities reported by European CSIRTs, CERTs, vendors, and researchers will now be aggregated into this single, authoritative EU repository.
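Because one flaw can carry an EUVD ID, a CVE ID, and a GSD ID at once, a team ingesting several feeds has to merge records by cross-reference or it will count the same issue more than once. The sketch below is an added example, not ENISA's code or any EUVD API: the record layout (`id`, `aliases`), the function names, the CVE/GSD patterns, and the sample feed are all assumptions constructed for illustration. It also normalizes the non-breaking hyphens that IDs often pick up when copied from rendered web pages.

```python
import re

# EUVD shape follows the article (EUVD-YYYY-XXXXX); accepting the same shape for
# CVE and GSD, and four or more trailing digits, is an assumption of this example.
ID_RE = re.compile(r"(EUVD|CVE|GSD)-\d{4}-\d{4,}")
DASHES = re.compile(r"[\u2010-\u2015\u2212]")  # hyphen/dash look-alikes

def normalize_id(raw):
    """Return the canonical ASCII, upper-case ID, or None if unrecognized."""
    text = DASHES.sub("-", raw).strip().upper()
    return text if ID_RE.fullmatch(text) else None

def correlate(records):
    """Merge records sharing any ID. Returns (groups, rejected raw strings)."""
    parent, rejected = {}, []

    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for rec in records:
        ids = []
        for raw in [rec["id"], *rec.get("aliases", [])]:
            canon = normalize_id(raw)
            if canon is None:
                rejected.append(raw)  # keep for review instead of dropping silently
            else:
                ids.append(canon)
        for ident in ids:
            parent[find(ident)] = find(ids[0])  # link every ID to the record's first
    groups = {}
    for ident in list(parent):
        groups.setdefault(find(ident), set()).add(ident)
    return sorted(sorted(g) for g in groups.values()), rejected

# Constructed sample feed (hypothetical record layout, not real advisories).
SAMPLE_FEED = [
    {"id": "EUVD\u20112099\u201100001", "aliases": ["CVE-2099-0001"]},
    {"id": "cve-2099-0001", "aliases": ["GSD-2099-0001"]},
    {"id": "CVE-2099-0002"},
    {"id": "EUVD-2099-00003", "aliases": ["not-an-id"]},
]

if __name__ == "__main__":
    groups, rejected = correlate(SAMPLE_FEED)
    for group in groups:
        print(" = ".join(group))
    print("rejected:", rejected)
```

Groups that contain only a CVE ID or only an EUVD ID are the ones worth reviewing, since they show where one registry has an entry the other feed has not yet linked.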
🔐 ENISA as a CVE Numbering Authority (CNA)
Interestingly, ENISA has also been accredited as a CVE Numbering Authority. This means:
- It can assign official CVE IDs for reported vulnerabilities in the EU.
- It serves as a bridge between global CVE processes and European-specific security requirements.
However, ENISA aims to gradually shift more attention and usage toward the EUVD, especially as legal mandates kick in under CRA from 2027 onwards.
🌐 The Emerging Multi-Registry Landscape

- CVE Foundation (launched April 2025): Now oversees CVE with multi-stakeholder support.
- GCVE: A decentralized global system by CIRCL allowing multiple global naming authorities (GNAs) to assign IDs.
🏛️ Legal Enforcement Timeline

🔄 Impact on Organizations
✔ What You Need to Do:
- Security teams should begin monitoring EUVD alongside CVE to ensure full visibility into vulnerabilities.
- Vendors must prepare for upcoming mandatory reporting requirements under the CRA.
- Tool vendors and SIEM/SOAR platforms need to integrate EUVD and CSAF feeds to maintain operational relevance.
✅ Final Thoughts
The introduction of the European Vulnerability Database (EUVD) is more than just a new registry — it represents a shift in global cybersecurity governance. As the world adapts to multi-registry environments (CVE, EUVD, GCVE), the focus will shift from reliance on a single point of truth to interoperability, data richness, and legal accountability.
ENISA’s EUVD not only complements the CVE system but also prepares the European Union for greater resilience, transparency, and control over its cybersecurity destiny.


