Europe may not have total faith in the US’s Common Vulnerabilities and Exposures (CVE) database, so it has created its own version. As of May 13, the European Vulnerability Database is up and running.
According to the European Union Agency for Cybersecurity (ENISA), cyber researchers can find exploitation statuses, mitigation measures, and other information about disclosed vulnerabilities through its new service. Data is sourced from incident response advisories, mitigation guidelines provided by IT vendors, and existing open-source databases. It is updated in near real-time.
An ‘essential tool’ to improve vulnerability management, reduce risk
Cyber professionals and enthusiasts can use the new European Vulnerability Database to search for vulnerability information, such as descriptions, affected products, mitigations, and attack vectors. It has three dashboard views, highlighting critical vulnerabilities, actively exploited vulnerabilities, and vulnerabilities coordinated by EU incident response teams.
“The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it,” Juhan Lepassaar, executive director at ENISA, said in a press release. “The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
ENISA first announced the European Vulnerability Database in June 2024 as part of its mandate under the NIS2 Directive. At the same time, the agency became a CVE Numbering Authority, meaning it can assign and manage CVE identifiers for newly discovered vulnerabilities within the EU.
“It makes sense that the EU would want a regional database — even if it’s largely redundant with the CVE Program — because it allows for greater control and customisation tailored to regional stakeholders,” Patrick Garrity, security researcher at intelligence platform VulnCheck, told TechRepublic in an email.
“The ENISA initiative was not intended to replace the CVE Program; in fact, it was developed in close coordination with it. That said, its launch does come at a time when concerns about NIST NVD and the CVE Program’s funding crisis have been widely voiced.”
US vulnerability system has been struggling for some time
The EUVD was launched during a time of trouble for the US’s CVE database.
Back in April, fears started to circulate that the US government would stop funding the operations of MITRE, the nonprofit behind CVE. The US Cybersecurity and Infrastructure Security Agency quickly issued a notice confirming that it had extended support. But this will lapse in 10 months, so the database’s future is uncertain.
Throughout the last year or so, the National Institute of Standards and Technology (NIST) has been struggling with a backlog of submissions for its own National Vulnerability Database, which is a more extensive version of what MITRE offers. The problem originated in February 2024 when NIST announced it would temporarily reduce its analysis of CVE entries due to staffing and resource constraints.
US President Donald Trump’s decisions to cut CISA’s budget by $10 million and fire personnel are unlikely to have helped the situation. His administration has described the agency’s work countering misinformation, especially that pertaining to US elections, as the “censorship industrial complex.” The White House’s 2026 budget proposal will see CISA lose $491 million if greenlit.
On Monday, CISA announced that only “urgent” security alerts will be published on its website. Other routine updates and new guidance will only be distributed through emails and the agency’s social media platforms.
