EUVD: Europe’s alternative to CVE
Summary

For more than two decades, the cybersecurity community has relied on a shared language to identify security flaws in software and hardware. That language is the Common Vulnerabilities and Exposures (CVE) system, a global catalogue of publicly disclosed vulnerabilities used by security researchers, vendors, and investigators.

Today, however, Europe has taken a major step toward building its own layer of vulnerability coordination. In May 2025, the European Union Agency for Cybersecurity officially launched the European Vulnerability Database (EUVD), a public platform designed to aggregate and analyse cybersecurity vulnerabilities affecting digital products and services across the European Union.

The launch represents an important shift in the governance of vulnerability intelligence. While the EUVD does not replace CVE, it introduces a European infrastructure that strengthens coordination, transparency, and regulatory alignment within the EU’s cybersecurity framework.

The global CVE system

The modern vulnerability ecosystem is built on CVE identifiers, which provide a standardized label for known software flaws. Each vulnerability receives a unique identifier such as CVE-2025-XXXX, allowing organizations to track threats, coordinate patches, and exchange threat intelligence across the global cybersecurity community.

The system is maintained by the MITRE Corporation and funded by the Cybersecurity and Infrastructure Security Agency. Through a network of CVE Numbering Authorities (CNAs), vendors, security firms, and research institutions can assign CVE identifiers when they discover new vulnerabilities.

This framework has become essential for vulnerability scanners, patch management systems, security advisories, and incident response workflows worldwide.

The launch of the European Vulnerability Database

On 13 May 2025, ENISA launched the European Vulnerability Database (EUVD) as part of the EU’s broader cybersecurity strategy. The platform was created under the mandate of the NIS2 Directive, which requires stronger vulnerability management and disclosure coordination across critical sectors in the European Union.

The EUVD is now operational and accessible to the public. It aggregates vulnerability intelligence from multiple sources, including:

The goal is to provide actionable vulnerability intelligence for organizations operating in the EU, including mitigation guidance, exploitation status, and risk indicators.

How the EUVD works

Unlike CVE, which primarily assigns identifiers, the EUVD functions as a vulnerability intelligence platform. It collects and enriches data from different sources to give security teams a clearer picture of active threats.

The database includes several specialized dashboards:

Each entry can include severity ratings, mitigation steps, and indicators of whether a vulnerability is currently being exploited in the wild.

Vulnerabilities in the system receive an EUVD identifier, such as EUVD-2025-XXXXX, and are often cross-referenced with CVE identifiers when applicable.

This dual identification model allows the EUVD to remain interoperable with the global CVE ecosystem while adding European-specific context.
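As an added illustration of the dual identification model (not code from ENISA or the EUVD project), the Python sketch below collapses findings that name the same flaw under a CVE identifier, an EUVD identifier, or both, so one vulnerability is not counted twice. It assumes each record describes a single flaw, that the digit counts in the ID pattern are as guessed from the examples on this page, and all sample IDs and source names are constructed.

```python
import re
from collections import defaultdict

# Assumption: the page shows only "CVE-2025-XXXX" and "EUVD-2025-XXXXX",
# so the accepted digit counts (4-digit year, 4+ digit sequence) are a guess.
ID_RE = re.compile(r"\b(CVE|EUVD)-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample records: (source, text). Year 2099 marks the IDs as fake.
SAMPLE = [
    ("scanner", "cve-2099-0001 found in libexample"),
    ("euvd-export", "EUVD-2099-10001 (alias CVE-2099-0001)"),
    ("csirt-note", "EUVD-2099-10001 reported as exploited"),
    ("euvd-export", "EUVD-2099-10002, no CVE assigned"),
]

def extract_ids(text):
    """Return the upper-cased vulnerability IDs in text, first-seen order."""
    ids = []
    for m in ID_RE.finditer(text):
        vid = f"{m.group(1).upper()}-{m.group(2)}-{m.group(3)}"
        if vid not in ids:
            ids.append(vid)
    return ids

def merge_findings(findings):
    """Group records whose IDs are aliases of one another (transitively)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x

    parsed = [(src, extract_ids(text)) for src, text in findings]
    for _, ids in parsed:
        for vid in ids:
            # IDs named in the same record are aliases: join their groups.
            parent[find(vid)] = find(ids[0])

    groups = defaultdict(lambda: {"ids": set(), "sources": set()})
    for src, ids in parsed:
        if ids:
            group = groups[find(ids[0])]
            group["ids"].update(ids)
            group["sources"].add(src)
    # "CVE-" sorts before "EUVD-", so min() keys a group by its CVE if any.
    return {min(g["ids"]): {"ids": sorted(g["ids"]),
                            "sources": sorted(g["sources"])}
            for g in groups.values()}

if __name__ == "__main__":
    for key, info in merge_findings(SAMPLE).items():
        print(key, info)
```

A record that lists several unrelated flaws would be merged incorrectly under the one-flaw-per-record assumption, so split such records before passing them in.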

Europe's growing role in vulnerability coordination

The launch of the EUVD reflects a broader shift toward digital sovereignty and cyber resilience within Europe. In recent years, European policymakers have introduced several major cybersecurity initiatives, including:

These frameworks require organizations to maintain stronger vulnerability management practices and improve transparency around security flaws affecting digital products.

The EUVD helps support these goals by providing a centralized vulnerability intelligence resource tailored to the European regulatory environment.

Not a replacement for the CVE

Despite the headlines describing it as a “European CVE,” the EUVD is not designed to replace the existing global system. Instead, it functions as a complementary platform that enriches vulnerability data, supports coordinated disclosure in Europe, and integrates threat intelligence with EU cybersecurity regulations.

Importantly, ENISA itself also participates in the CVE ecosystem as a CVE Numbering Authority, allowing vulnerabilities discovered by EU Computer Security Incident Response Teams to receive official CVE identifiers. This cooperative model ensures that vulnerabilities can still be tracked globally while benefiting from additional regional analysis.

A new layer in the vulnerability ecosystem

Cybersecurity governance is evolving. What once relied on a single global vulnerability catalogue is gradually becoming a multi-layered ecosystem, combining international standards with regional intelligence platforms.

For investigators, security teams, and regulators, this development provides richer information about vulnerabilities, including exploitation trends, patch availability, and regional coordination efforts.

As cyber threats grow more complex and politically sensitive, vulnerability intelligence is becoming both a technical tool and a strategic asset. Understanding platforms like the EUVD will be increasingly important for anyone working in digital investigations, threat intelligence, or cybersecurity risk management.
