The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), a platform developed in line with the NIS2 Directive. Now fully operational, the EUVD is intended to support improved management of cybersecurity vulnerabilities across Information and Communication Technology (ICT) products and services.

The database aggregates publicly available information from a range of trusted sources, including national CSIRTs, ICT vendors, and international vulnerability repositories, to provide organisations with timely, practical details such as mitigation measures, severity ratings, and exploitation status.

A Centralised Resource for the EU Market

The EUVD enables more structured and transparent sharing of information across sectors. It incorporates data from open-source databases and official advisories, offering users a clearer view of current risks and available responses.

The platform includes three dashboard views:

Critical vulnerabilities

Known exploited vulnerabilities

EU-coordinated vulnerabilities, as managed by the EU CSIRTs network

Each entry may include:

A description of the vulnerability

Affected systems or software versions

Severity assessment and potential methods of exploitation

Mitigation steps and links to relevant advisories or patches

Who Is the EUVD For?

The EUVD is publicly accessible and relevant to a wide range of stakeholders, including:

ICT suppliers and digital service providers

Organisations relying on digital systems

National authorities and cybersecurity teams

Researchers and security analysts

Its open-access model supports a more consistent understanding of, and response to, vulnerabilities across the Union, contributing to a more secure digital environment.

Supporting Coordinated Vulnerability Disclosure

The platform also underpins the EU's approach to Coordinated Vulnerability Disclosure (CVD). Under this model, vulnerabilities are only published once the responsible parties have had adequate time to develop patches or mitigation guidance. This approach limits the risk of premature public exposure.

To meet the obligations under the NIS2 Directive, ENISA has worked with national CSIRTs and international organisations such as MITRE. Since January 2024, ENISA has functioned as a CVE Numbering Authority (CNA), allowing it to register vulnerabilities discovered by or reported to EU CSIRTs that fall within its remit.

The EUVD emphasises collaboration in managing vulnerabilities in the EU. By connecting ICT suppliers, organisations, and researchers, it enhances collective threat response and digital resilience.

