The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), as required under the EU's NIS2 Directive on network and information systems.
What they say
Juhan Lepassaar, Executive Director at ENISA said: “ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
The database is publicly accessible and details vulnerabilities affecting IT products and services. It is aimed at suppliers of network and information systems and at those who use their services, and the information it documents is also intended for national authorities such as the EU CSIRTs network, private companies and researchers. The EUVD offers three dashboard views: critical vulnerabilities, exploited vulnerabilities and EU-coordinated vulnerabilities. The EU Coordinated Vulnerabilities view lists vulnerabilities whose handling is coordinated by European CSIRTs, the members of the EU CSIRTs (cyber security incident response team) network.
The collected and referenced vulnerability information comes from open-source databases, as well as from advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and exploited-vulnerability markings. EUVD data records may include:
A description of the vulnerability;
ICT products or ICT services affected and/or affected versions, the severity of the vulnerability and how it could be exploited;
Information on existing patches, or guidance from authorities such as CSIRTs addressed to users on how to mitigate the risk.
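As an added example (not ENISA's code and not the EUVD's real schema or API), the following Python models records with the fields listed above, de-duplicates entries from an EUVD-style source and an NVD-style source on the CVE identifier, and builds the three dashboard views; every record, identifier and value is a constructed placeholder.

```python
from dataclasses import dataclass, field
# Constructed sample records: identifiers and contents are placeholders, not real entries.
EUVD_STYLE = [
    {"id": "EUVD-0000-0001", "aliases": ["CVE-0000-0001"], "severity": "critical",
     "description": "Sample flaw in product A", "affected": ["product-a 1.0 to 1.4"],
     "exploited": True, "eu_coordinated": True, "patch": "Upgrade to product-a 1.5"},
    {"id": "EUVD-0000-0002", "aliases": ["CVE-0000-0002"], "severity": "high",
     "description": "Sample flaw in product B", "affected": ["product-b 2.x"],
     "exploited": False, "eu_coordinated": True, "patch": ""},
]
NVD_STYLE = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "summary": "Sample flaw in product A"},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "summary": "Sample flaw in product C"},
]

@dataclass
class Vuln:  # fields mirror the record contents listed above (hypothetical model)
    cve: str
    description: str = ""
    severity: str = "unknown"
    exploited: bool = False
    eu_coordinated: bool = False
    affected: list = field(default_factory=list)
    patch: str = ""
    sources: set = field(default_factory=set)

def severity_from_cvss(score: float) -> str:  # CVSS v3 base score to qualitative rating
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def merge(euvd_records, nvd_records) -> dict:
    """De-duplicate on the CVE id; EUVD-only fields (exploitation, coordination, patch) survive."""
    merged = {}
    for r in euvd_records:
        # Key on the CVE alias when present so the same flaw is not counted twice.
        cve = next((a for a in r["aliases"] if a.startswith("CVE-")), r["id"])
        v = merged.setdefault(cve, Vuln(cve))
        v.description, v.severity, v.patch = r["description"], r["severity"], r["patch"]
        v.exploited, v.eu_coordinated, v.affected = r["exploited"], r["eu_coordinated"], list(r["affected"])
        v.sources.add("euvd")
    for r in nvd_records:
        v = merged.setdefault(r["cve"], Vuln(r["cve"]))
        v.description = v.description or r["summary"]
        if v.severity == "unknown":  # keep a rating an earlier source already set
            v.severity = severity_from_cvss(r["cvss"])
        v.sources.add("nvd")
    return merged

def dashboards(merged: dict) -> dict:  # the three EUVD views: critical, exploited, EU-coordinated
    return {"critical": sorted(c for c, v in merged.items() if v.severity == "critical"),
            "exploited": sorted(c for c, v in merged.items() if v.exploited),
            "eu_coordinated": sorted(c for c, v in merged.items() if v.eu_coordinated)}
```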
Comments
John Gunn, CEO at the US multi-factor authentication company Token, said: “Because of the present [Trump] administration’s ‘defund the cyber-police’ policies and actions, the future of this program is in extreme jeopardy. Because of the critical importance of stopping cyberattacks from Russia and other enemy nations, it is good news that the EU is taking this action even if it means that they will set the agenda and priorities instead of the US.”
Gavin Knapp, Cyber Threat Intelligence Principal Lead at Bridewell, said: “Recent concerns about potential funding cuts to established vulnerability programs, like the MITRE CVE project, highlight the importance of a European Vulnerability Database (EVD). Diversifying sources of vulnerability information adds resilience and reduces over-dependence on any single entity or source.
“Introducing any new data source, including the EVD, requires organisations to adapt their processes. There will be an initial effort to integrate the EVD and ensure effective de-duplication against existing sources, but the long-term benefits of increased coverage and resilience are significant.
“The rapid evolution of technology, including AI and Large Language Models in software development, has the potential to significantly increase the volume and velocity of new vulnerabilities. It will be interesting to see if the EVD and similar projects can maintain pace with the changing landscape.”
Boris Cipot, senior security engineer at the security software firm Black Duck, said the database brings advantages and challenges. “One clear benefit is reducing the reliance on the US National Vulnerability Database (NVD) as a single source of truth. Today, multiple vulnerability databases exist, including the NVD (National Vulnerability Database), CNVD (Chinese National Vulnerability Database), and now the EUVD, a European implementation of a vulnerability database system.
“While much of the information across these databases will overlap, each may also contain region-specific data. For example, the CNVD publishes a significant portion of its content in Chinese, posing a language barrier for global companies. This becomes particularly relevant for industries like automotive, where businesses operate in both Western and Asian markets and need to provide vulnerability information from both the NVD and CNVD to meet local requirements.
“With the emergence of the EUVD, yet another database must now be monitored and referenced. This adds complexity for organisations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage.
“In this context, Software Composition Analysis (SCA) tools play a crucial role. These tools aggregate vulnerability data from various sources, including different regional databases, and present it to customers. Because some of these tools draw from multiple databases, they offer resilience against outages or delays in any single source, including prolonged disruptions in the NVD or the CVE publishing process. This ensures customers continue to receive timely and reliable vulnerability information.
“Organisations that rely solely on the US NVD should evaluate how their SCA tools incorporate new sources like the EUVD. Alternatively, they may need to establish manual processes to monitor the EUVD directly, especially to remain compliant with potential EU regulations or to meet the requirements of EU-based customers and projects.”