How to Use Europe’s New Vulnerability Database

The European Cybersecurity Agency (ENISA) officially launched the European Union Vulnerability Database (EUVD) in April 2025, a strategic initiative designed to enhance cybersecurity resilience across the EU.

The EUVD’s development is part of a long-term vision. Under the NIS2 Directive, ENISA was explicitly tasked with establishing a dedicated vulnerability database to support EU-wide cybersecurity efforts.

As part of the EU Cyber Resilience Act (CRA), another piece of EU cybersecurity regulation recently adopted, the EUVD is intended to support developers, vendors and regulators in identifying and addressing security flaws more efficiently.

While the EUVD had already been operating in an alpha phase before April, ENISA accelerated its public announcement in response to the instability surrounding the US National Vulnerability Database (NVD) and the CVE Program.

In theory, the emergence of this new vulnerability database marks a significant step toward a more self-sufficient and robust cybersecurity infrastructure for Europe, with an ambition for European organizations to reduce their reliance on US-funded programs.

However, the EUVD, which remains in beta phase at the time of writing, has already faced scrutiny over its coverage, timeliness and integration with existing security tools. 

The EUVD is designed to serve a broad audience, including cybersecurity professionals, software and online service providers, IT service end-users, security researchers and national authorities, such as the EU CSIRT Network.

The EUVD draws its core data from multiple authoritative sources, including:

• Open-source vulnerability databases (such as CVE and NVD)
• National CSIRT advisories and security alerts
• Vendor-provided patching and mitigation recommendations
• Exploitation status indicators showing active abuse in cyber attacks

It then enhances the data with additional context and organizes it through intuitive dashboards tailored to different security needs.

The platform offers three specialized views: one highlighting critical vulnerabilities that demand urgent attention, another tracking actively exploited flaws in real-world attacks and a third focusing on vulnerabilities coordinated by European CSIRTs within the EU CSIRTs Network.

Each vulnerability entry in the EUVD is assigned a unique identifier (e.g., EUVD-2025-21128 for CVE-2025-50121) and provides comprehensive details to support effective risk management.

These records typically include a technical description of the vulnerability, information about affected products and versions, severity assessments, exploitation characteristics and practical mitigation guidance from both vendors and cybersecurity authorities.

1. Access the dashboards: Start with the three main views (critical, exploited, or EU-coordinated) to filter vulnerabilities by relevance
2. Search for specific threats: Use keywords, CVE IDs, or product names to find detailed vulnerability records
3. Check mitigation guidance: Review vendor patches, CSIRT advisories, and recommended actions
4. Monitor exploitation status: Identify whether a vulnerability is actively being exploited in attacks
5. Integrate with existing workflows: Security teams can use the data to prioritize patching and risk assessments

ENISA has made clear that the EUVD is not intended to operate in isolation. Therefore, the EUVD is not designed to replace the CVE Program but rather to complement it as a downstream repository – Europe’s counterpart to the NVD.

Like the NVD, it enriches CVE records with additional metadata, such as Common Vulnerability Scoring System (CVSS) scores and Common Weakness Enumeration (CWE) classifications, to support automated risk assessment.

However, unlike the NVD, the EUVD operates within a decentralized ecosystem where multiple CVE Numbering Authorities (CNA) already exist. This means that while it enhances resilience, it does not seek to monopolize vulnerability data.

To meet that objective, the EUVD platform is adopting a holistic approach, which includes support for Vulnerability-Lookup, an open-source software application, as stated by ENISA in its announcement.

There are over 300 CNAs globally, including MITRE, Red Hat, GitHub, Google, Microsoft and now the EUVD. Their role is to decentralize the intake and registration of vulnerabilities at scale.

In fact, the global CVE ecosystem has long been decentralized, with inconsistencies between different CNAs and databases. For example, a single CVE might carry different CVSS scores in the NVD versus Red Hat’s advisories.

The NVD and the EUVD will likely coexist, share data, align where possible, and reinforce each other. 

The launch of the EUVD has generated significant interest, particularly in the context of its potential role as an alternative to established vulnerability databases like those maintained by NIST and CVE.

However, several limitations and criticisms have surfaced regarding the EUVD at this stage. Below is a compiled list of these key points, highlighted by Patrick Garrity, vulnerability researcher at VulnCheck:

• EUVD API and website limitations present fewer vulnerabilities than CVE.org/NIST NVD, with over 50,000+ CVEs not surfaced via its principal vulnerabilities API endpoint
• The exploited vulnerabilities listed in EUVD mirror CISA KEV but omit some entries on their website
• The current EUVD API presents performance constraints and limited support for high-volume or automated use, which may impact operational workflows
• Important metadata, such as CWE, CPE, and CVSS Source, is not yet available, reducing EUVD’s utility for in-depth risk analysis
• The implementation of EPSS includes scoring modifications that introduce the possibility of misleading downstream consumers

The launch EUVD by ENISA marks a pivotal step in bolstering Europe's cybersecurity resilience under the frameworks of the NIS2 Directive and the EU Cyber Resilience Act.

This strategic initiative not only reduces Europe's reliance on US-funded vulnerability programs but also lays the foundation for a more autonomous and robust cybersecurity infrastructure across the EU.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?