Mechanical bug on keyboard showing vulnerability database

EU Launches Government-Backed Vulnerability Database as CVE Alternative

Amidst great uncertainty about the future of MITRE’s Common Vulnerabilities and Exposures (CVE), the EU has launched its own vulnerability database. The new alternative will be backed up and maintained by the European Union Agency for Cybersecurity (ENISA), an agency that was founded by an EU Regulation in 2005 and has the long-term stability of the EU government budget behind it.

EU vulnerability database looks to establish stable CVE alternative

The European Vulnerability Database was announced via press release on May 13, which indicated that the undertaking is already operational. Though the timing is likely coincidental to at least some degree, the announcement comes just weeks after the MITRE CVE database avoided defunding at the last minute and announced that stable financial support from the US government can only be relied upon for one more year.

But at least initially, the European Vulnerability Database does not appear to be meant as a replacement or even a parallel system. The plans call for it to rely on the CVE database and other existing databases to a great degree. Documented vulnerabilities will be assigned their own new identifiers, but also mapped to existing CVE IDs. The project has also announced that it will draw on other open-source databases as well as information from CSIRTs (Computer Security Incident Response Teams) and vendors.

The European Vulnerability Database presently offers three dashboard views, one of which is for EU-coordinated vulnerabilities. The other two views are for more general critical vulnerabilities and those that have been exploited in the wild. The native database entries list a description of the vulnerability, versions of products or services that are impacted by it, the severity level, methods by which it could be exploited, and leads on any available patches, guidance or recommended mitigation methods.

Though it has already launched, the European Vulnerability Database is slated to be enhanced throughout the remainder of 2025 to include a stakeholder feedback process that may steer future development. Notification of actively exploited vulnerabilities for all digital hardware and software products will become mandatory for manufacturers in the EU in September 2026 under the terms of the Cyber Resilience Act (CRA), with the Single Reporting Platform (SRP) as the primary tool. The SRP will be seperate from the European Vulnerability Database, but the database will likely become the initial point of notification for the public.

For as long as it might continue to exist, CVE data will be automatically included in the European Vulnerability Database as it is published. EU member states will also each designate a computer security incident response team (CSIRT) to provide data under their Coordinated Vulnerability Disclosure (CVD) policies. For its part, ENISA will publish an assortment of guidance (such as handbooks and frameworks that incorporate new legislative developments) in support.

Government support, open source databases key to success of new EU vulnerability database

The formation of the vulnerability database has been in the pipes for some time, and appears to be part of a broader push for European self-reliance rather than an attempt to replace the CVE program. Should MITRE’s program fail to secure alternative funding in the next 11 months the cybersecurity community will likely experience the same level of chaos, even if the European Vulnerability Database is tuned up and well underway by then. But it does begin removing the factor of a single point of failure essentially upending this necessary resource, and provides a new alternative with stable government funding behind it.

This is not the world’s first alternative of this sort, though, and not even the first with government funding and support. China’s CNNVD has existed for years and at times has had thousands more listed vulnerabilities; however, it has also struggled with trust issues amidst reports of it delaying the publication of particularly juicy high-level vulnerabilities that the government might want to make use of. And there are some independent vulnerability database projects like VulnDB, created to document cloud vulnerabilities that are generally not well covered by the CVE system, and the GitHub Security Advisories (GHSA). At least during its initial rollout, the European Vulnerability Database will rely on MITRE and other sources to a great degree to provide a useful service.

The CVE vulnerability database is also far from dead, though it is definitely experiencing an existential crisis as the rest of 2025 plays out. As its contractual funding from the US government ran out earlier this year, MITRE’s vice president issued a letter indicating that the group did not expect it to be renewed and that it might have to cease operations immediately. It was saved by CISA independently exercising a contractual option to continue for 11 more months, but beyond that the future would be very uncertain. MITRE could transfer the existing records to GitHub to keep them available, but would do no new work. The group is in process of separating the CVE program out to the non-profit CVE Foundation and seeking alternative non-government funding sources to keep it rolling through 2026 and beyond.

Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace, sees this as an important development: “The launch of the EU Vulnerability Database is a win for the global cybersecurity community. While there will be operational kinks to work out, the basics of maintaining information from MITRE’s CVE Program and CISA’s KEV are encouraging. Additionally, the EU taking on CNA status will help to address historic coordination gaps. It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time.”

Boris Cipot, Senior Security Engineer at Black Duck, dives more deeply into what the future of the new database may look like: “The introduction of a new vulnerability database brings both advantages and challenges. One clear benefit is reducing the reliance on the U.S. National Vulnerability Database (NVD) as a single source of truth. Today, multiple vulnerability databases exist, including the NVD (National Vulnerability Database), CNVD (Chinese National Vulnerability Database), and now the EUVD, a European implementation of a vulnerability database system. While much of the information across these databases will overlap, each may also contain region-specific data. For example, the CNVD publishes a significant portion of its content in Chinese, posing a language barrier for global companies. This becomes particularly relevant for industries like automotive, where businesses operate in both Western and Asian markets and need to provide vulnerability information from both the NVD and CNVD to meet local requirements. With the emergence of the EUVD, yet another database must now be monitored and referenced. This adds complexity for organisations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage. NVD, compared to CISA KEV, has a broader coverage of vulnerabilities. However, one could argue that CISA KEV is a more focused VD as it focuses on the most critical vulnerabilities (7 or higher) based on the CVSS score.”

“Both however, usually lack when it comes to speed of delivery and updating the vulnerabilities compared to private/commercial VDs. The information contained in private/commercial VDs is usually also enriched with fixes or workarounds, technical details and links to the original data sources. The information is typically more exact. Noting when a vulnerability was first introduced and when it was fixed for example, we can see that NVD is usually not as precise on documenting the actual start and end of a risk. Private/commercial VDs are more expensive than using the information of a public VD. However, one needs to also consider the manual work hours spent trying to make sense of the publicly available VD, cross check the information and see if the information might have some updates that are not mentioned in the CVE. To say it plainly – companies are spending money either way, be it on “free” or paid solutions. However, there is no such thing as free lunch. It may be wiser to spend the money on a prepared solution and use the time saved to implement the fixes,” added Cipot.

Julian Brownlow Davies, Vice President, Advanced Services at Bugcrowd, adds: “The launch of the EUVD reflects a broader trend: governments asserting digital sovereignty in cybersecurity infrastructure. While it’s great to see Europe investing in its own vulnerability coordination, the challenge will be staying operationally relevant. Unlike KEV or private sources like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases; they need better signal.”

 

Senior Correspondent at CPO Magazine