Log In
Request Demo Start 30-Day Trial
Back
Glossary Glossary

European Vulnerability Database (EUVD)




The European Vulnerability Database (EUVD) is a centralized compilation of vulnerability information developed and maintained by the European Union Agency for Cybersecurity (ENISA). It was launched in May 2025. 

It serves as a platform for entities, such as Computer Security Incident Response Teams (CSIRTs), IT system vendors, and private companies, to disclose and register detected cybersecurity vulnerabilities affecting network and IT products and services. 

To prevent duplication of efforts, ENISA collaborates with MITRE and aggregates data from existing vulnerability databases, such as CISA’s Known Exploited Vulnerabilities (KEV) catalog and MITRE’s CVE Program.

Table of Contents

European Vulnerability Database (EUVD): A Deep Dive

Why Was the EUVD Launched?

The primary reason for the EUVD’s launch is the NIS 2 Directive, which, among other things, tasked ENISA with establishing and maintaining a centralized European vulnerability database. NIS 2 replaced the original NIS Directive, aiming to strengthen cybersecurity risk management and incident reporting across several critical sectors in the EU.

The EUVD also supports the Cyber Resilience Act (CRA), which mandates that manufacturers of products with digital elements have to timely disclose vulnerabilities and provide software updates to fix them, offer security support, and meet other cybersecurity requirements. The EUVD will serve as a platform for reporting, documenting, and coordinating vulnerabilities, submitted in accordance with the CRA. 

Aside from aligning with these regulatory requirements, EUVD was also launched at a time when geopolitical issues, AI, and other threats are making European digital sovereignty and autonomy a necessity. 

Besides, the EUVD serves as a redundancy and regional alternative or complement to existing global databases, especially in light of the funding issue faced by MITRE’s CVE Program. On April 16, 2025, the program’s funding contract with CISA had expired, prompting the CVE board to create the CVE Foundation, a non-profit entity that will continue the CVE program through an incremental funding mechanism.

How Does the EUVD Work?

The EUVD contains information about each vulnerability, including:

  • Severity, expressed as CVSS Base Score
  • EPSS Score
  • Alternative identifiers (e.g., CVE ID, GSD ID, GHSA ID, etc.) 
  • Summary containing a short description of the vulnerability
  • Affected vendor, product, and version
  • Advisories
  • Date of publication and last update
  • References

The EUVD collects vulnerability information from open-source databases such as GitHub, vendors, the National Vulnerability Database (NVD), and CSIRTs. Additional information is incorporated through advisories and alerts issued by national authorities such as CSIRTs and mitigation measures and patching guidelines published by vendors.

It’s worth noting that since January 2024, ENISA itself acts as a CVE Numbering Authority (CNA), a designation that allows the organization to directly register vulnerabilities and support coordinated vulnerability disclosure. 

How is the EUVD Different from the NVD

The EUVD correlates data from various sources, such as CVE, CISA KEV, and EPSS, unlike the NVD, which relies solely on the CVE program as its source of vulnerability data. Another key differentiator is that the EUVD gathers information directly from European CSIRTs. This translates to a more localized and regionally relevant perspective on vulnerabilities impacting EU products and infrastructure. 

Since the EUVD is designed as part of data aggregation efforts, it retrieves vulnerability IDs from other vulnerability databases, such as the Global Security Database (GSD) and GitHub Security Advisories (GHSA). Users can easily trace vulnerability information across various platforms and sources.

Users may also find the EUVD easier to use since it allows them to filter vulnerabilities by product, vendor, and severity rating right away.

The European Vulnerability Database (EUVD) interface screenshot
EUVD. Image source: https://euvd.enisa.europa.eu/search

The EUVD also provides an immediate view of critical vulnerabilities, exploited vulnerabilities, and EU CSIRT-coordinated vulnerabilities.

In contrast, the NVD only offers search functionality.

An NVD screenshot
NVD. Image source: https://nvd.nist.gov/vuln/search

What Are the Pros and Cons of the EUVD Launch?

The launch of the EUVD impacts the entire world, as it adds one more vulnerability database that vendors are legally required to use. While the launch has been mostly welcomed by the security community, it has both pros and cons to it.

Pros:

  • Faster handling of CVE requests and public disclosure: Since ENISA acts as a CNA, assigning CVE IDs and disseminating information about reported security flaws within the region can be expedited, leading to quicker public disclosure and, consequently, faster patching. 
  • Aggregated data: The EUVD pulls in and correlates data from diverse origins, offering users a more comprehensive view of vulnerabilities.
  • Improves resilience of global vulnerability intelligence: It provides redundancy and ensures that critical information remains available in case the CVE database and other systems are disrupted.

Despite these benefits, the EUVD has raised some concerns in the cybersecurity community.

Cons/concerns:

  • Potential duplication of information:  If a vulnerability is submitted to both the NVD and the EUVD, it could lead to duplicated efforts in tracking the same vulnerability, which can potentially cause confusion.
  • Fragmentation risk: There are already several vulnerability databases, and the introduction of the EUVD could increase the risk of the global vulnerability intelligence becoming divided and less cohesive, instead of being unified and easily digestible for faster response. 
  • Monitoring additional sources for security teams: For security teams, especially those in multinational organizations, the EUVD launch means they may need to monitor an additional data source. This can contribute to alert fatigue and complicate the management of vulnerabilities. 

EUVD Integrations

One of the other concerns is that to be effective, the EUVD needs to integrate with existing security tools. The adoption of the EUVD is currently low, but it is growing. 

For example, Attaxion integrates with the EUVD. It’s the first External Attack Surface Management (EASM) platform to do so, providing security teams with comprehensive vulnerability intelligence coverage. 

Attaxion has an EUVD integration. Screenshot
Image source: app.attaxion.com

Key Takeaways

  • The EUVD is a centralized vulnerability database maintained by ENISA.
  • Its launch was mandated by the NIS2 Directive and supports the Cyber Resilience Act, also serving as a regional complement and independent alternative to existing global databases.
  • The EUVD works by aggregating and enriching data from various sources, including CVE, CISA KEV, EPSS, GSD, GHSA, and direct input from EU national CSIRTs.
  • It differs from the NVD by integrating more data types (like KEV and EPSS), gathering information directly from EU CSIRTs, and offering a more user-friendly interface with immediate filtering options by product.

Ready to access enriched global vulnerability intelligence? Kick off your 30-day free trial with Attaxion today.