From this week, the global technology industry has a new database to check for the latest software security flaws: the European Union Vulnerability Database (EUVD).
Made operational by the European Union Agency for Cybersecurity (ENISA) to fulfil the EU’s NIS2 cybersecurity Directive, EUVD joins a small but important group of global vulnerability tracking platforms headed by the world-famous US Common Vulnerabilities and Exposures (CVE) program.
The obvious first question is why the world needs another vulnerability tracking system when the industry long ago standardized on CVEs as a way of identifying software flaws.
According to ENISA, the EUVD and its new identification system are meant to complement the CVE program rather than rival it.
Vulnerabilities will be assigned an EUVD identifier if they are first reported by European companies or CERTs and have some relevance in that context, for example affecting critical infrastructure or companies in the EU itself.
However, EUVD flaws will be cross-referenced with a CVE identifier where one is available. If no CVE has been assigned — presumably a rare event given the agreed principles of disclosure coordination — the EUVD identifier will stand on its own.
For example, a critical vulnerability affecting SAP’s NetWeaver Visual Composer Metadata Uploader reported this week can be tracked as EUVD-2025-14349 or CVE-2025-42999.
A second motivation is that the EU will be able to track its obligations under the NIS2 legislation using an independent system. The European Commission’s executive vice-president for tech sovereignty, security and democracy, Henna Virkkunen, made this point in the official news release:
“The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience. By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy,” she said.
Near-death experience
Although it’s been promised for a while, the arrival of the EUVD might also be a case of good timing.
For a few hours in April, it looked as though there was a chance that the CVE program might shut down after a quarter of a century when the US Department of Homeland Security (DHS) failed to renew the contract with the non-profit that operates it, MITRE Corporation.
That unthinkable possibility was only averted after the Cybersecurity and Infrastructure Security Agency (CISA) stepped in to fund the program’s continuation.
In cybersecurity terms, defunding the world’s foremost vulnerability-tracking system would be akin to abolishing the US dollar in commerce, which is why it didn’t happen.
Nevertheless, the near-death experience has reminded the industry of criticisms that have been levelled at the CVE program, which operates in conjunction with the US National Vulnerability Database (NVD), run separately by NIST.
These include complaints that it depends too much on US government largesse and that it doesn’t help organizations understand which vulnerabilities to prioritize beyond giving them a general CVSS score.
However, that doesn’t mean that everyone is celebrating EUVD’s arrival.
“The creation of EUVD is a mix of good and bad traits,” said Morey J. Haber, chief security advisor at security vendor BeyondTrust. “This is a complementary service that could improve response times and bridge gaps in CVE coverage,” he said, but “losing MITRE CVE as a global authority is disheartening.”
While Haber said that treating the CVE system as a “single source of truth” is no longer viable in a globalized vulnerability environment, the arrival of the EUVD “could create scoring conflicts, risk prioritization issues, and conflicts within multinational organizations attempting to remediate software flaws.”
According to Boris Cipot, senior security engineer at Black Duck (formerly Synopsys), the arrival of a new vulnerability system will create more work for security professionals.
“Yet another database must now be monitored and referenced. This adds complexity for organizations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage,” said Cipot.
“Organizations that rely solely on the US National Vulnerability Database should evaluate how their software composition analysis (SCA) tools incorporate new sources like the EUVD.”
“Alternatively, they may need to establish manual processes to monitor the EUVD directly, especially to remain compliant with potential EU regulations or to meet the requirements of EU-based customers and projects.”
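As an added illustration of the monitoring problem Cipot describes (this is not code from the article, ENISA, or any vendor quoted): a small Python merger that keys advisories from an NVD-style feed and an EUVD-style feed by the cross-referenced CVE identifier where one exists, lets a standalone EUVD identifier stand on its own as the article says it will, and then reports coverage gaps between the two feeds and score disagreements of the kind Haber warns about. The EUVD identifier pattern is assumed from the EUVD-2025-14349 example on the page; the sample records, the placeholder identifiers and all scores are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# CVE-YYYY-NNNN (four or more digits) is the official CVE syntax.
# The EUVD pattern is an assumption based on the page's EUVD-2025-14349 example.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
EUVD_RE = re.compile(r"^EUVD-\d{4}-\d+$")


@dataclass
class Advisory:
    source: str                      # feed name, e.g. "nvd" or "euvd"
    primary_id: str                  # identifier this feed uses
    aliases: Tuple[str, ...] = ()    # cross-referenced ids (e.g. the CVE on an EUVD entry)
    score: Optional[float] = None    # severity score as published by that feed


def canonical_key(adv: Advisory) -> str:
    """Merge key: the CVE id if either the entry or its aliases carry one,
    otherwise the EUVD id stands on its own (the rule the article describes)."""
    ids = (adv.primary_id, *adv.aliases)
    for pattern in (CVE_RE, EUVD_RE):
        for ident in ids:
            if pattern.match(ident):
                return ident
    raise ValueError(f"unrecognised identifier(s): {ids}")


def merge_feeds(*feeds) -> Dict[str, dict]:
    """Fold any number of feeds into one dict keyed by canonical_key."""
    merged: Dict[str, dict] = {}
    for feed in feeds:
        for adv in feed:
            entry = merged.setdefault(canonical_key(adv), {"ids": set(), "sources": set(), "scores": {}})
            entry["ids"].update((adv.primary_id, *adv.aliases))
            entry["sources"].add(adv.source)
            if adv.score is not None:
                entry["scores"][adv.source] = adv.score
    return merged


def coverage_gaps(merged: Dict[str, dict]) -> Dict[str, set]:
    """Entries present in only one feed: what a single-source pipeline would miss."""
    return {k: v["sources"] for k, v in merged.items() if len(v["sources"]) == 1}


def scoring_conflicts(merged: Dict[str, dict], tolerance: float = 0.0) -> Dict[str, dict]:
    """Entries whose feeds disagree on severity by more than `tolerance`."""
    return {k: v["scores"] for k, v in merged.items()
            if len(v["scores"]) > 1 and max(v["scores"].values()) - min(v["scores"].values()) > tolerance}


# Constructed sample feeds. The SAP pair is the one quoted in the article;
# CVE-2025-00001 and EUVD-2025-00002 are placeholders and every score is made up.
NVD_FEED = [Advisory("nvd", "CVE-2025-42999", score=9.1),
            Advisory("nvd", "CVE-2025-00001", score=5.0)]
EUVD_FEED = [Advisory("euvd", "EUVD-2025-14349", aliases=("CVE-2025-42999",), score=9.8),
             Advisory("euvd", "EUVD-2025-00002")]
```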
The current EUVD website is still in its beta phase. We asked ENISA to clarify how long this might last but received no comment at press time.
Originally published as “New EU vulnerability database will complement CVE program, not compete with it, says ENISA” at CSO Online.