The European Union’s vulnerability database, under development since the release of the NIS2 Directive in December 2022, has officially launched.
While the database has been in the works for some time, it launched in beta mode in mid-April amid uncertainty over the future of MITRE’s operation of the CVE Program, which received a last-minute 11-month extension that left many wondering about the long-term direction of the program.
The European Union Vulnerability Database (EUVD) may be closer in function to the U.S. National Vulnerability Database (NVD), which enriches CVE data – and has struggled to keep up with the record pace of new vulnerabilities.
Juhan Lepassaar, Executive Director of ENISA, the EU Agency for Cybersecurity, said of the new EUVD: “The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
EUVD Will Include Exploited Vulnerabilities
According to an ENISA statement, the EUVD will provide “aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services.”
The EUVD aims to provide “a high level of interconnection of publicly available information coming from multiple sources” such as CSIRTs, vendors, and existing databases. ENISA said the EUVD will facilitate the correlation of vulnerabilities through the open-source software Vulnerability-Lookup.
The EUVD offers three views: for critical vulnerabilities, exploited ones, and for vulnerabilities coordinated by European CSIRTs. Information from CISA’s Known Exploited Vulnerability Catalogue will be automatically added to the EUVD, among other data sources.
In September 2026, it will become mandatory in the EU for manufacturers to report actively exploited vulnerabilities, through the Single Reporting Platform (SRP) provided for in the Cyber Resilience Act (CRA), so SRP data will likely be added to the EUVD then.
EU Vulnerability Database Launches Amid CVE Uncertainty
ENISA has been in contact with MITRE to understand what the next steps may be for the CVE program. The agency told The Cyber Express that it is also working with EU Member States and the European Commission “to ensure resilience of the vulnerability systems.”
ENISA is also one of 453 CVE Numbering Authorities (CNAs), which assign CVE IDs and add CVE Records to the catalog to help the CVE Program keep up with the massive increase in new vulnerabilities, now totaling more than 40,000 a year.
The EUVD isn’t the only program launching in the wake of uncertainty over the future direction of the CVE Program.
CVE Foundation Meets with CISA on CVE Program
The CVE Foundation launched on April 16, 2025 as the MITRE contract was set to expire. The new foundation’s goal is to move the CVE Program away from a single government sponsor to a diversified nonprofit model.
“We believe that this organization needs to exist outside of sole governmental control and is best suited under a public, nonprofit operating model, allowing global participation, funding, and transparency,” says a lengthy statement on the group’s home page.
The group said it met with CISA representatives on April 24, and described the talks as “positive and encouraging.”
Matt Hartman, CISA’s Acting Executive Assistant Director for Cybersecurity, said in an April 23 statement that there was never a funding issue, just “a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.”
The statement suggested the agency is open to discussions about the program’s organization, however. “We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program,” Hartman’s statement said. “We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.”
