ENISA's EUVD offers a centralised platform for tracking cybersecurity threats.
ENISA has officially launched the European Vulnerability Database (EUVD).
Developed by ENISA as part of the new NIS2 directive and launched following a period of beta testing, the database offers a centralised platform for tracking cybersecurity threats. The EUVD will aggregate information about vulnerabilities, their exploitation status, and recommended mitigation steps.
This data will be sourced from a variety of contributors, including Computer Security Incident Response Teams (CSIRTs), software vendors, and existing databases such as the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability Catalog and the MITRE Common Vulnerabilities and Exposures (CVE) program.
According to ENISA, the “EUVD offers therefore a trusted, more transparent and broader source of information and further improves situational awareness while limiting exposure to threats.”
Consult Information
The database is accessible to the public to consult information related to vulnerabilities impacting IT products and services. To support users in navigating the wealth of data, the EUVD offers three distinct dashboards: one for critical vulnerabilities, another for exploited vulnerabilities, and a third for those coordinated within the EU through CSIRTs.
Each entry includes a unique EUVD identifier, and may also list other identifiers such as the CVE ID, GitHub Security Advisories (GHSA), or entries from the Global Security Database (GSD) by the Cloud Security Alliance.
Juhan Lepassaar, executive director at ENISA, said: “ENISA achieves a milestone with the implementation of the vulnerability database requirement from the NIS 2 Directive. The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it.
“The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures.”
Positive Move
The launch of the database follows last month’s controversy, in which MITRE's contract with DHS to maintain the CVE library faced a potential sudden end. The contract was extended at the last moment, when CISA executed the option period on it to ensure there would be no lapse in critical CVE services.
Stephen Fewer, principal security researcher at Rapid7, called this development a positive move, both for the EU in terms of its resilience against dependencies on other countries, and for the broader cybersecurity community worldwide, which will benefit from an additional source of truth for vulnerability information.
“This development presents an opportunity to strengthen international security by creating resilience from a diversity of sources,” he said. “A broader and more distributed set of trusted vulnerability databases will help ensure transparency and accessibility for all stakeholders.
“As we see more global databases emerge, it will be important to ensure they complement, rather than fragment, the global vulnerability disclosure ecosystem. This is why the focus needs to be on transparency and bridging public and private sector efforts. Through this, Europe and the wider cyber community can strengthen collective resilience and avoid the risks of siloed approaches.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.