The European Union Agency for Cybersecurity (ENISA) launched the European Vulnerability Database (EUVD or EU Vulnerability Database), as mandated by the NIS2 Directive. Now operational, the EUVD will be maintained by the agency and offers centralized, reliable, and actionable information on cybersecurity vulnerabilities affecting products and services, including relevant details, such as mitigation measures and the current exploitation status.

The EU Vulnerability Database aims to enhance the interconnection and integration of publicly available information on cybersecurity vulnerabilities from diverse sources, including Computer Security Incident Response Teams (CSIRTs), vendors, and existing vulnerability databases. To achieve this, the EUVD adopts a holistic and interconnected approach that supports deeper analysis and correlation of vulnerabilities. The platform enables more effective cybersecurity risk management by leveraging the open-source tool Vulnerability-Lookup. As a result, the EUVD provides a trusted, transparent, and comprehensive source of vulnerability data, improving situational awareness and helping reduce exposure to cyber threats.

“The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience,” Henna Virkkunen, executive vice-president for tech sovereignty, security, and democracy at the European Commission, said in a Tuesday media statement. “By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”

“ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive,” Juhan Lepassaar, executive director at ENISA, stated. “The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it. The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”

ENISA announced that 2025 will be dedicated to the continued enhancement and development of the European Vulnerability Database (EUVD) and its associated services. As part of this effort, the agency will actively collect and incorporate stakeholder feedback to ensure the platform evolves in line with operational needs, technological advancements, and the evolving cybersecurity threat landscape.

ENISA has been maintaining a vulnerability registry service since it became a CVE Numbering Authority (CNA) last January. By maintaining the registry service, ENISA further supports the EU CSIRTs in their coordination work. ENISA is a CNA for vulnerabilities in information technology (IT) products discovered by European Union CSIRTs or reported to EU CSIRTs for coordinated disclosure. Building upon the EU CSIRTs coordination work, ENISA is registered as a ‘Consortium’ organisation under the Partner List of the CVE Program.

The agency also highlighted that notification of actively exploited vulnerabilities will become mandatory for manufacturers by September 2026. The notification process will apply to vulnerabilities impacting hardware and software products with digital elements. The Single Reporting Platform (SRP) provided for by the Cyber Resilience Act (CRA) will be the tool to use for that purpose. It is important to highlight that the SRP is therefore different from the EUVD established by the NIS2 Directive.

The EU Vulnerability Database is publicly accessible and serves various stakeholders, including the general public seeking information on vulnerabilities affecting IT products and services, suppliers of network and information systems, and organizations that rely on those systems and services. It is also intended for national authorities, such as members of the EU CSIRTs Network, as well as private sector entities and cybersecurity researchers looking for verified, actionable intelligence.

To meet the requirements of the NIS2 Directive, ENISA initiated a cooperation with different EU and international organisations, including MITRE’s CVE Programme. ENISA is in contact with MITRE to understand the impact and next steps following the announcement concerning funding for the Common Vulnerabilities and Exposures (CVE) Program.

CVE data, data provided by Information and Communication Technology (ICT) vendors disclosing vulnerability information through advisories, and relevant information, such as CISA’s Known Exploited Vulnerability Catalogue, are automatically transferred into the EU Vulnerability Database. This will also be achieved with the support of member states, who established national Coordinated Vulnerability Disclosure (CVD) policies and designated one of their CSIRTs as the coordinator, ultimately making the EUVD a trusted source for enhanced situational awareness in the EU.

Given its strategic importance in reinforcing the cybersecurity posture of the EU single market, ENISA has established a robust knowledge base on Coordinated Vulnerability Disclosure (CVD). Acting as the secretariat of the EU CSIRTs Network, ENISA facilitates cross-border collaboration among designated national CSIRTs, particularly when a reported vulnerability is assessed to pose a potentially significant risk to entities across multiple Member States.

To further support member states, ENISA publishes comprehensive guidelines, in-depth studies, and practical resources such as handbooks, best practice frameworks, and gap analyses. These materials are regularly updated to reflect the evolving legislative and policy landscape, including the Cybersecurity Act (2019), the NIS2 Directive (2022), and the Cyber Resilience Act (2024), which entered into force on 10 December 2024. Under the CRA, ICT products will bear the CE marking, signifying compliance with the regulation’s cybersecurity requirements. The primary obligations stemming from the CRA will become applicable from Dec. 11, 2027.

Notably, the NIS2 Directive underscores the critical role of CVD in the broader cybersecurity framework and further reinforces ENISA’s mandate. It requires the integration of CSIRTs into national CVD processes and entrusts ENISA with the development and ongoing maintenance of the EUVD. The centralized platform enables organizations and suppliers to voluntarily register and disclose vulnerabilities in their ICT products and services, fostering a more resilient and transparent digital ecosystem across the European Union.

The aggregated information within the EU Vulnerability Database is presented through interactive dashboards. The platform provides three distinct dashboard views: one for critical vulnerabilities, one for actively exploited vulnerabilities, and another for vulnerabilities coordinated at the EU level. The ‘EU Coordinated Vulnerabilities’ view highlights cases managed by European CSIRTs and includes contributions from members of the EU CSIRTs Network.

The vulnerability data compiled in the EU Vulnerability Database originates primarily from open-source databases. This information is further enriched with advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and indicators identifying whether a vulnerability is actively exploited.

Each EU Vulnerability Database entry may describe the vulnerability, outlining its nature and potential impact. It also provides information on the affected ICT products or services, including specific versions, the severity of the vulnerability, and how it could be exploited. Additionally, the entry may offer guidance on available patches or mitigation measures issued by competent authorities, such as CSIRTs, to help users reduce associated cybersecurity risks.
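The data flow sketched in the passages above (records from a CVE-style feed, vendor advisories, an exploited-vulnerability catalogue and CSIRT coordination merged into one enriched entry per vulnerability, then filtered into the three dashboard views) is shown below as an added Python example. It is not code from ENISA, the EUVD or Vulnerability-Lookup: every record is constructed, the CVE identifiers are placeholders, and the field names, the exact-version product lookup and the exploited-first triage order are assumptions that go beyond what the article states.

```python
"""Constructed illustration of enriching vulnerability records from several
sources and deriving dashboard views from them. All data below is made up
and the schema is an assumption, not the EUVD's real format."""
from dataclasses import dataclass
from typing import Optional

# Constructed CVE-style feed (placeholder ids, not real CVEs).
CVE_FEED = [
    {"id": "CVE-0000-0001", "summary": "Authentication bypass in ExampleGateway", "cvss": 9.8,
     "affected": [{"vendor": "ExampleCo", "product": "ExampleGateway", "versions": ["1.0", "1.1"]}]},
    {"id": "CVE-0000-0002", "summary": "Stored XSS in ExampleCMS", "cvss": 7.5,
     "affected": [{"vendor": "ExampleCo", "product": "ExampleCMS", "versions": ["3.2"]}]},
    {"id": "CVE-0000-0003", "summary": "Information leak in ExampleGateway", "cvss": 5.3,
     "affected": [{"vendor": "ExampleCo", "product": "ExampleGateway", "versions": ["1.1"]}]},
    {"id": "CVE-0000-0004", "summary": "Remote code execution in ExampleDB", "cvss": 9.1,
     "affected": [{"vendor": "OtherCo", "product": "ExampleDB", "versions": ["10"]}]},
]

# Constructed vendor advisories with patch guidance.
VENDOR_ADVISORIES = {
    "CVE-0000-0001": {"fix": "upgrade ExampleGateway to 1.2", "url": "https://vendor.example/adv-1"},
    "CVE-0000-0003": {"fix": "upgrade ExampleGateway to 1.2", "url": "https://vendor.example/adv-3"},
}

# Constructed exploited-vulnerability catalogue (modelled on a KEV-style list).
EXPLOITED_CATALOGUE = {"CVE-0000-0001"}

# Constructed EU-level coordination records with CSIRT mitigation guidance.
CSIRT_COORDINATED = {
    "CVE-0000-0002": {"csirt": "example national CSIRT",
                      "mitigation": "disable untrusted HTML in comments until a patch ships"},
}


@dataclass
class Entry:
    """One enriched vulnerability entry assembled from all sources."""
    cve_id: str
    summary: str
    cvss: float
    affected: list
    severity: str
    exploited: bool = False
    vendor_fix: Optional[dict] = None
    csirt_guidance: Optional[dict] = None


def severity_label(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def build_entries(cve_feed, advisories, exploited, coordinated) -> dict:
    """Correlate every source on the CVE id and return id -> Entry."""
    entries = {}
    for rec in cve_feed:
        cve_id = rec["id"]
        entries[cve_id] = Entry(
            cve_id=cve_id,
            summary=rec["summary"],
            cvss=rec["cvss"],
            affected=rec["affected"],
            severity=severity_label(rec["cvss"]),
            exploited=cve_id in exploited,
            vendor_fix=advisories.get(cve_id),
            csirt_guidance=coordinated.get(cve_id),
        )
    return entries


def dashboard_views(entries: dict) -> dict:
    """The three views named in the article, as sorted lists of ids."""
    return {
        "critical": sorted(i for i, e in entries.items() if e.severity == "critical"),
        "actively_exploited": sorted(i for i, e in entries.items() if e.exploited),
        "eu_coordinated": sorted(i for i, e in entries.items() if e.csirt_guidance is not None),
    }


def affecting(entries: dict, vendor: str, product: str, version: str) -> list:
    """Entries whose affected list names this exact vendor/product/version (assumed exact match)."""
    return sorted(
        i for i, e in entries.items()
        if any(a["vendor"] == vendor and a["product"] == product and version in a["versions"]
               for a in e.affected)
    )


def triage_order(entries: dict) -> list:
    """Assumed defender ordering: known-exploited first, then CVSS descending, then id."""
    return [e.cve_id for e in sorted(entries.values(),
                                     key=lambda e: (not e.exploited, -e.cvss, e.cve_id))]


if __name__ == "__main__":
    db = build_entries(CVE_FEED, VENDOR_ADVISORIES, EXPLOITED_CATALOGUE, CSIRT_COORDINATED)
    print(dashboard_views(db))
    print(affecting(db, "ExampleCo", "ExampleGateway", "1.1"))
    print(triage_order(db))
```

The point of the correlation step is that a single source rarely carries the whole picture: here the feed gives severity, the catalogue says whether exploitation is observed, and only the CSIRT record carries a mitigation for the entry that has no vendor patch yet. Real version ranges would need proper version-range matching rather than the exact string comparison assumed here.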

In March, ENISA released its initial NIS360 report, which identifies areas for improvement and tracks progress across NIS2 Directive sectors. The NIS360 assesses the maturity and criticality of NIS2 sectors, providing both a comparative and a more in-depth analysis. It provides a cross-sectoral overview and a detailed sector-by-sector analysis of the criticality and maturity of assessed sectors.
