Consult the European Vulnerability Database to enhance your digital security!

The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services.

Henna Virkkunen, European Commission Executive Vice-President for Tech Sovereignty, Security and Democracy, said: “The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience. By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”

Juhan Lepassaar, Executive Director at ENISA stated: “ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”

Why a European Vulnerability Database?

The objective of the EUVD is to ensure a high level of interconnection of publicly available information coming from multiple sources, such as CSIRTs, vendors and existing databases. To meet this objective, the platform builds on a holistic approach. As an interconnected database built on the open-source software Vulnerability-Lookup, the EUVD allows for better analysis and facilitates the correlation of vulnerabilities, thereby enabling enhanced cybersecurity risk management.

The EUVD therefore offers a trusted, more transparent and broader source of information, and further improves situational awareness while limiting exposure to threats.

Who is the EUVD for?

The database is accessible to the public at large to consult information on vulnerabilities affecting ICT products and services. It is also addressed to suppliers of network and information systems and to the entities using their services. The information documented in the EUVD is also intended for competent national authorities, including the members of the EU CSIRTs network, as well as for private companies and researchers.

How does it work?

The aggregated information in the database is displayed through dashboards. The EUVD offers three dashboard views: critical vulnerabilities, exploited vulnerabilities, and EU coordinated vulnerabilities. The EU coordinated vulnerabilities view lists vulnerabilities whose disclosure is coordinated by European CSIRTs, including the members of the EU CSIRTs network.

The collected and referenced vulnerability information comes from open-source databases. Additional information is added from advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and markings of exploited vulnerabilities. EUVD data records may include:

  • a description of the vulnerability;
  • the ICT products or services affected and/or the affected versions, the severity of the vulnerability and how it could be exploited;
  • information on available patches, or guidance issued by competent authorities including CSIRTs, addressed to users on how to mitigate the risk.

The role of ENISA in the vulnerability ecosystem

To meet the requirement of the NIS2 Directive, ENISA initiated cooperation with different EU and international organisations, including MITRE’s CVE Programme. ENISA is in contact with MITRE to understand the impact of, and the next steps following, the announcement concerning funding for the Common Vulnerabilities and Exposures Programme. CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information such as CISA’s Known Exploited Vulnerabilities Catalog are automatically transferred into the EUVD. This is also achieved with the support of Member States that have established national Coordinated Vulnerability Disclosure (CVD) policies and designated one of their CSIRTs as coordinator, ultimately making the EUVD a trusted source for enhanced situational awareness in the EU.

ENISA has been a CVE Numbering Authority (CNA) since January 2024 and can register vulnerabilities and support vulnerability disclosure in relation to:

  • vulnerabilities in IT products discovered by EU CSIRTs themselves; and
  • vulnerabilities reported to EU CSIRTs for coordinated disclosure, as long as they are not in the scope of another CVE Numbering Authority.

What is the difference between the EUVD and the CRA Single Reporting Platform?

Notifying actively exploited vulnerabilities will become mandatory for manufacturers from September 2026. This notification obligation will apply to vulnerabilities affecting hardware and software products with digital elements. The Single Reporting Platform (SRP) provided for by the Cyber Resilience Act (CRA) will be the tool to use for such notifications. The SRP is therefore distinct from the EUVD, which is established by the NIS2 Directive.

What’s next?

2025 will be dedicated to further improving and developing the EUVD and all related services. For this purpose, ENISA will gather feedback.

Contextual information

Coordinated Vulnerability Disclosure (CVD)

CVD can be described as a vulnerability disclosure model that attempts to limit the threat of exploitation by ensuring that vulnerabilities are disclosed to the public only after the responsible parties have been granted adequate time to develop a fix or patch, or to provide mitigation measures.

Common Vulnerabilities and Exposures (CVE) Programme

The mission of the CVE Programme is to identify, define and catalogue publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalogue. Vulnerabilities are discovered, assigned a CVE ID and published by organisations from around the world that have partnered with the CVE Programme. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritise and address the vulnerabilities.

CVE Numbering Authorities (CNAs)

CNAs are organisations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. ENISA is now authorised to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs, in line with their dedicated coordinator roles.  

Common Security Advisory Framework (CSAF)

CSAF is a standard for machine-readable security advisories. Such a standardised format for ingesting vulnerability advisory information simplifies triage and remediation for asset owners. By publishing security advisories in CSAF, vendors reduce the time enterprises need to understand the organisational impact and drive timely remediation.
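The triage step that CSAF is meant to make mechanical, and the kind of record content the "How does it work?" section lists (affected products and versions, severity, exploitation status, patches), can be shown with a small consumer. The following is an added example written for this page, not ENISA code and not part of the EUVD or of the CSAF project: it parses a constructed, minimal CSAF 2.0 document, flattens its product tree, and matches a constructed asset inventory against each vulnerability's product_status, scores, threats and remediations. The vendor, product names, identifiers and URLs are placeholders, and the keyword check used to detect an "exploited" marking is an assumption made for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a minimal CSAF 2.0 advisory from a hypothetical vendor.
# Field names follow the CSAF 2.0 schema; every product, ID and URL here is
# made up for the example and does not refer to a real advisory.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory", "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Example Gateway: request forgery in admin interface",
        "tracking": {"id": "EXAMPLE-SA-0001", "status": "final", "version": "1",
                     "initial_release_date": "2025-05-13T00:00:00Z",
                     "current_release_date": "2025-05-13T00:00:00Z",
                     "revision_history": [{"number": "1", "date": "2025-05-13T00:00:00Z",
                                           "summary": "Initial release"}]},
    },
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
        {"category": "product_name", "name": "Example Gateway", "branches": [
            {"category": "product_version", "name": v,
             "product": {"name": f"Example Gateway {v}", "product_id": f"EG-{v}"}}
            for v in ("1.0", "1.1", "1.2")]}]}]},
    "vulnerabilities": [{
        "title": "Request forgery in admin interface",
        "ids": [{"system_name": "Example Vendor bug tracker", "text": "EXBUG-42"}],
        "product_status": {"known_affected": ["EG-1.0", "EG-1.1"], "fixed": ["EG-1.2"]},
        "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},
                    "products": ["EG-1.0", "EG-1.1"]}],
        "threats": [{"category": "exploit_status",
                     "details": "Exploitation in the wild reported to the vendor."}],
        "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.2",
                          "product_ids": ["EG-1.0", "EG-1.1"],
                          "url": "https://vendor.example/advisories/EXAMPLE-SA-0001"}],
    }],
})

# Constructed inventory: asset name -> CSAF product_id deployed on it.
SAMPLE_INVENTORY = {"gw-01": "EG-1.0", "gw-02": "EG-1.2", "gw-03": "EG-1.1",
                    "db-01": "OTHER-1.0"}  # db-01 runs a product this advisory does not cover

# Triage order: what needs action first.
STATUS_RANK = {"known_affected": 0, "under_investigation": 1,
               "known_not_affected": 2, "fixed": 3}


@dataclass
class Finding:
    asset: str
    product_id: str
    product_name: str
    vulnerability: str
    status: str
    severity: Optional[str]
    exploited: bool
    remediation: Optional[str]


def product_names(csaf: dict) -> dict[str, str]:
    """Flatten product_tree (nested branches and full_product_names) into id -> name."""
    names: dict[str, str] = {}

    def walk(node: dict) -> None:
        if "product" in node:
            names[node["product"]["product_id"]] = node["product"]["name"]
        for child in node.get("branches", []):
            walk(child)

    tree = csaf.get("product_tree", {})
    for branch in tree.get("branches", []):
        walk(branch)
    for fpn in tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]
    return names


def triage(csaf_json: str, inventory: dict[str, str]) -> list[Finding]:
    """Return one Finding per asset whose product_id the advisory mentions, worst first."""
    csaf = json.loads(csaf_json)
    names = product_names(csaf)
    findings: list[Finding] = []
    for vuln in csaf.get("vulnerabilities", []):
        label = vuln.get("cve") or vuln.get("title") or csaf["document"]["tracking"]["id"]
        status_of = {pid: st for st, pids in vuln.get("product_status", {}).items() for pid in pids}
        severity_of = {pid: sc.get("cvss_v3", {}).get("baseSeverity")
                       for sc in vuln.get("scores", []) for pid in sc.get("products", [])}
        fix_for = {pid: rem.get("details") for rem in vuln.get("remediations", [])
                   if rem.get("category") == "vendor_fix" for pid in rem.get("product_ids", [])}
        # CSAF carries exploitation status as free text under threats/exploit_status.
        # The keyword check below is an assumption for this example; a production consumer
        # should prefer a curated exploited-vulnerability feed over text matching.
        exploited = any(t.get("category") == "exploit_status"
                        and "in the wild" in t.get("details", "").lower()
                        for t in vuln.get("threats", []))
        for asset, pid in inventory.items():
            if pid not in status_of:
                continue  # product not covered by this advisory
            findings.append(Finding(asset, pid, names.get(pid, pid), label, status_of[pid],
                                    severity_of.get(pid), exploited, fix_for.get(pid)))
    findings.sort(key=lambda f: (STATUS_RANK.get(f.status, 9), not f.exploited, f.asset))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSAF, SAMPLE_INVENTORY):
        print(f"{f.asset:6} {f.product_name:20} {f.status:16} sev={f.severity} "
              f"exploited={f.exploited} fix={f.remediation}")
```

Running the script lists gw-01 and gw-03 (known_affected, HIGH, exploitation marking present, vendor fix "Upgrade to 1.2") ahead of gw-02 (already on the fixed version) and omits db-01, whose product the advisory does not mention. The same loop works unchanged on a real vendor CSAF file, provided the inventory uses the vendor's product_id values; mapping local asset data onto those identifiers is the part a consumer still has to do by hand.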
