Goodbye CVE? European Vulnerability Database EUVD Now Live


The European Union Agency for Cybersecurity (ENISA) has recently launched the beta of the European Vulnerability Database (EUVD), a new public platform operating alongside, but independently from, the widely used Common Vulnerabilities and Exposures (CVE) system. The new platform aims to improve coordination and transparency in vulnerability handling within the EU.

Although the CVE system remains the standard for vulnerability reporting, recent political developments have raised concerns in the community about the program's long-term stability, as the program operates solely as a US government-funded initiative. While the contract with MITRE Corporation, which manages the CVE program, was renewed at the last minute and the CVE Board announced the formation of the CVE Foundation, the incident highlighted the risks of relying on a single national entity for global cybersecurity coordination.

While the EUVD could be seen as a backup in case the US CVE database fails, the new platform also offers additional functionality, such as highlighting exploited vulnerabilities and an enhanced search function that lets software practitioners and security specialists search by various attributes. Furthermore, ENISA plans for its database to support the Common Security Advisory Framework (CSAF), a machine-readable format for vulnerability advisories. Sarah Fluchs, CTO of admeritia GmbH, comments:

It looked like excellent timing: just as funding for the CVE database was faltering in the USA thanks to Trump's austerity measures, the European equivalent went live (...) The USA is once again proving to be an unstable partner when it comes to globally used infrastructures that were taken for granted - and the EU is simply going live with a serious alternative in an unbureaucratic, spontaneous, unplanned manner and without any fanfare.

Figure: European Vulnerability Database (EUVD). Source: ENISA website

According to the EUVD FAQ page, the current database leverages the Vulnerability-Lookup repository, providing a public, open-access interface for viewing reported vulnerabilities, complete with detailed descriptions and metadata. According to ENISA, the EUVD is designed to improve Europe’s digital resilience by supporting risk assessment and incident response.

Even though the service still references MITRE’s CVE entries with an "alternative ID," the EUVD uses its own identification system rather than simply duplicating the CVE ones. The new approach allows for independent validation of reports and complements existing entries rather than replacing them.

Furthermore, the new platform can focus on vulnerabilities that may be underreported or insufficiently covered in existing databases, particularly those relevant to the European digital landscape. On Reddit, while most users agree on not relying on US institutions to keep track of vulnerabilities, some question the new IDs. User Elistic-E summarizes:

This is great minus potentially yet another ID to keep up with.

Community feedback suggests that a regional database focused on local needs could provide value, but some practitioners remain unconvinced by the underlying data:

That would be true if it wasn't just an aggregator of existing (mostly US-based) databases. It doesn't provide anything new, except yet another identifier that you'll need to track. I had high hopes for the EUVD, but can't help but feel a bit disappointed since I looked at the actual data.

The EUVD initiative is part of broader efforts to improve digital sovereignty in Europe and strengthen cybersecurity capabilities across EU member states. The database is currently in its beta stage, with ENISA encouraging national authorities, private companies, and academic institutions to contribute by submitting vulnerabilities or using the platform for security assessments.

EUVD is not the only initiative aiming to provide a vulnerability database compatible with the traditional CVE system in response to concerns over sovereignty and dependence on US corporations: the Global CVE (GCVE) allocation system offers a decentralized approach to vulnerability identification and numbering.
