European Vulnerability Database steps into the breach amid fears for future of Mitre's CVE program
EU bug database does a similar job to its famous American cousin, which was saved from closure after a last-minute intervention from CISA.

Europe has launched a new vulnerability database as uncertainty looms around the long-term future of the famous Mitre Common Vulnerabilities and Exposures (CVE) program.
In April 2025, Mitre said that funding was about to expire, raising fears that the world's premier software vulnerability catalogue was about to be shut down.
The Cybersecurity and Infrastructure Security Agency (CISA) then renewed funding for the "invaluable" CVE scheme at the eleventh hour - but only for 11 months.
Now Europe is stepping into the breach - if you’ll pardon the pun - with the European Vulnerability Database (EUVD), a resource mandated under the NIS2 Directive.
It will provide "aggregated, reliable, and actionable information", including mitigation measures and exploitation status for security vulnerabilities.
Henna Virkkunen, European Commission Executive Vice-President for Tech Sovereignty, Security and Democracy, said: "The EU Vulnerability Database is a major step towards reinforcing Europe's security and resilience.
"By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy."
Why has the EU launched its European Vulnerability Database?
The objective of the EUVD is to ensure a "high level of interconnection of publicly available information" from multiple sources such as vendors, existing databases and Computer Security Incident Response Teams (CSIRTs).
Europe's database is aimed at a number of audiences, including the public, researchers, private companies, and suppliers of network and information systems.
The EUVD offers three dashboard views: one for critical vulnerabilities, another for exploited ones and the last for EU-coordinated vulnerabilities identified by CSIRTs.
The collected and referenced vulnerability information comes from open-source databases. Additional information is added via advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, together with exploited vulnerability markings.
The catalogue will even feature entries taken from Mitre's CVE program, which will be automatically transferred to its database and viewable through the dashboards.
Juhan Lepassaar, Executive Director at ENISA (the European Union Agency for Cybersecurity), said: "ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it.
"The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures."
CSIRTs, CVEs and a sea of vulnerabilities
As a CVE Numbering Authority (CNA), ENISA has been able to register vulnerabilities and support vulnerability disclosure since January 2024, as long as the disclosures do not fall under the scope of another CNA.
From September 2026, manufacturers will be required to report actively exploited vulnerabilities in digital products.
This will be carried out via the Single Reporting Platform (SRP), introduced under the Cyber Resilience Act (CRA). It’s important to note that the SRP is distinct from the EUVD, which is established under the NIS2 Directive for broader situational awareness.
Stephen Fewer, Principal Security Researcher at Rapid7, welcomed the launch of the new program.
He told Machine: "The EU’s commitment to establishing and maintaining a new centralized and publicly available vulnerability database is a positive move; both for the EU in terms of its resilience against dependencies from other countries, and for the broader cybersecurity community worldwide, who will benefit from an additional source of truth for vulnerability information.
"This development presents an opportunity to strengthen international security by creating resilience from a diversity of sources. A broader and more distributed set of trusted vulnerability databases will help ensure transparency and accessibility for all stakeholders.
"As we see more global databases emerge, it will be important to ensure they complement, rather than fragment, the global vulnerability disclosure ecosystem. This is why the focus needs to be on transparency and bridging public and private sector efforts.
"Through this, Europe and the wider cyber community can strengthen collective resilience and avoid the risks of siloed approaches."