EU Launches Centralized Cybersecurity Vulnerability Database

European Vulnerability Database

The European Union Agency for Cybersecurity (ENISA) has officially launched the European Vulnerability Database (EUVD), a cornerstone initiative under the NIS2 Directive. The platform serves as a centralized source of actionable data on cybersecurity vulnerabilities affecting ICT services and systems across Europe.

The EUVD aims to streamline access to verified vulnerability insights, including exploitation status and mitigation techniques. This vital information hub is now live and maintained by ENISA.

Strengthening Cybersecurity Across Europe

Henna Virkkunen, a European Commission Vice-President, emphasized that the EUVD marks significant progress in fortifying the continent’s digital defenses. The centralized database enhances transparency and coordination, empowering both public and private entities to manage cybersecurity risks more effectively.

Juhan Lepassaar, ENISA’s Executive Director, added that the platform represents a major milestone in implementing the NIS2 Directive. It enables users to assess exposure and access mitigation guidance swiftly.

Why the EUVD Was Developed

The purpose of the EUVD is to unify and aggregate public data from multiple cybersecurity sources. These include national CSIRTs, security vendors, and other public databases. This unified platform offers a clear overview of existing threats and countermeasures.

By supporting vulnerability lookup through open-source tools, the database improves analysis, risk assessment, and response times. It also strengthens situational awareness by mapping out relevant threats more comprehensively.

Who Can Use the EUVD?

The platform is publicly accessible and serves a broad user base. It is particularly useful for:

  • IT service providers and system operators
  • Public institutions and cybersecurity authorities
  • Researchers and private organizations seeking reliable vulnerability data

These groups can consult the EUVD to track vulnerabilities impacting their infrastructure and understand how to mitigate them effectively.

How the EUVD Functions

The EUVD presents data through user-friendly dashboards, featuring three primary views:

  • Critical Vulnerabilities
  • Exploited Vulnerabilities
  • EU-Coordinated Vulnerabilities

Data originates from open-source databases and is supplemented with advisories from CSIRTs, vendor updates, and exploitation indicators. Each record includes details such as:

  • Affected systems and versions
  • Severity levels and exploit methods
  • Patching instructions and CSIRT guidance

ENISA’s Role in the Cybersecurity Landscape

To comply with the NIS2 Directive, ENISA works closely with European and global partners, including the MITRE CVE Program. The agency coordinates with Member States that have set up national disclosure policies and designated CSIRTs.

As of January 2024, ENISA also serves as a CVE Numbering Authority. It assigns and publishes CVE IDs for vulnerabilities either discovered by EU CSIRTs or reported to them for coordinated disclosure.

EUVD vs. Cyber Resilience Act’s SRP

It’s important to distinguish the EUVD from the Single Reporting Platform (SRP) under the Cyber Resilience Act. While the EUVD provides a public database of vulnerabilities, the SRP will, by 2026, serve as the official reporting tool for actively exploited threats.

Next Steps for EUVD in 2025

ENISA plans to enhance the EUVD throughout 2025. This includes collecting feedback and improving features to ensure the database remains a reliable and effective security resource.

Supporting Concepts for Readers

What Is Coordinated Vulnerability Disclosure (CVD)?

CVD ensures vulnerabilities are disclosed only after affected parties have time to issue fixes or patches, reducing exploit risk.

What Is the CVE Program?

The CVE Program assigns unique identifiers to known vulnerabilities, ensuring consistent communication and prioritization among cybersecurity teams worldwide.

What Are CVE Numbering Authorities (CNAs)?

CNAs are authorized bodies that assign CVE IDs. ENISA now plays this role within the EU, focusing on reports submitted to national CSIRTs.

What Is CSAF?

The Common Security Advisory Framework (CSAF) standardizes how advisories are published. It enables faster, automated vulnerability triage and improves organizational response times.
