CADE Hub Topics Events Updates Resources Actors

European Union Agency for Cybersecurity Launches centralised vulnerability database

The EUVD represents a paradigm shift in how Europe manages digital risks. For ordinary users, it promises safer online experiences; for organisations, a roadmap to compliance; and for civil society, a tool to demand accountability.
European Union Agency for Cybersecurity Launches centralised vulnerability database

The European Union Agency for Cybersecurity (ENISA) has unveiled the European Vulnerability Database (EUVD), a landmark initiative mandated under the NIS2 Directive (Network and Information Systems Directive). The centralised platform aims to transform how cybersecurity threats are identified, managed, and mitigated across the EU.

Understanding the NIS2 Directive and the EUVD

The NIS2 Directive, enacted in 2022, is the EU’s updated framework for bolstering cybersecurity across critical sectors like energy, healthcare, transport, and digital infrastructure. It expands the scope of its predecessor (NIS1) by requiring stricter security measures, incident reporting, and cross-border cooperation among member states. A key component of NIS2 is the establishment of the EUVD to centralise vulnerability data and enhance transparency.

European Vulnerability Database (EUVD)

The EUVD is a publicly accessible repository that aggregates cybersecurity vulnerability information from diverse sources, including:

  • National Computer Security Incident Response Teams (CSIRTs)
  • Vendors’ security advisories
  • Global databases like MITRE’s Common Vulnerabilities and Exposures (CVE) program
  • The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.

Unlike traditional databases that merely list vulnerabilities, the EUVD provides actionable insights, such as:

  • Severity ratings
  • Exploitation status (e.g., whether a vulnerability is actively being abused)
  • Mitigation guidance and patch availability.

The database features three interactive dashboards:

  1. Critical Vulnerabilities: High-severity risks requiring immediate attention.
  2. Actively Exploited Vulnerabilities: Real-time threats being weaponised by attackers.
  3. EU-Coordinated Vulnerabilities: Cases managed collaboratively by European CSIRTs.

Implications for stakeholders

For individuals, the EUVD indirectly improves security by:

  • Accelerating patching: Vendors and service providers are incentivised to address vulnerabilities faster, reducing the window of exposure for everyday users.
  • Transparency: Public access to the database allows users to verify if their devices or software are affected by known risks.
  • Trust in digital services: By holding companies accountable for vulnerability management, the EUVD fosters confidence in online platforms, banking systems, and IoT devices.

Businesses, especially those in sectors covered by NIS2 (e.g. energy, healthcare), must now:

  • Monitor the EUVD regularly to identify threats relevant to their infrastructure.
  • Implement mitigation measures outlined in the database to comply with regulatory requirements.
  • Collaborate with CSIRTs when vulnerabilities impact cross-border operations.

Civil society groups gain tools to:

  • Advocate for stronger cybersecurity policies by analysing vulnerability trends in the EUVD.
  • Hold governments and corporations accountable for lax security practices, using publicly available data on unaddressed risks.
  • Educate vulnerable populations (e.g. elderly users, small businesses) about threats highlighted in the database.

Synergy with the Cyber Resilience Act (CRA) and integration with global systems

Starting in September 2026, the CRA will require hardware and software manufacturers to report actively exploited vulnerabilities via a Single Reporting Platform. While the CRA focuses on mandatory disclosures, the EUVD serves as a complementary resource for public awareness and coordination. Together, they create a dual framework:

  • CRA: Ensures manufacturers proactively disclose risks.
  • EUVD: Disseminates actionable data to defenders.

ENISA will be collaborating with MITRE to align the EUVD with the CVE program, ensuring compatibility and avoiding duplication

What does it matter?

The EUVD represents a paradigm shift in how Europe manages digital risks. For ordinary users, it promises safer online experiences; for organisations, a roadmap to compliance; and for civil society, a tool to demand accountability. As ENISA iterates on the platform, its success will hinge on cross-sector collaboration-proving that in cybersecurity, transparency and shared responsibility are the best defenses.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top