Security Leaders Discuss the New EU Vulnerability Database

The European Union has launched its own vulnerability database, the European Union Vulnerability Database (EUVD), as an alternative to the United States’s MITRE CVE program. The expressed purpose of this database is to “ensure a high level of interconnection of publicly available information coming from multiple sources such as CSIRTs, vendors, as well as existing databases.”
Below, security leaders share their thoughts on this news.
Security Leaders Weigh In
Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace:
The launch of the EU Vulnerability Database is a win for the global cybersecurity community. While there will be operational kinks to work out, the basics of maintaining information from MITRE’s CVE Program and CISA’s KEV are encouraging. Additionally, the EU taking on CNA status will help to address historic coordination gaps. It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time.
Boris Cipot, Senior Security Engineer at Black Duck:
The introduction of a new vulnerability database brings both advantages and challenges. One clear benefit is reducing the reliance on the U.S. National Vulnerability Database (NVD) as a single source of truth. Today, multiple vulnerability databases exist, including the NVD (National Vulnerability Database), CNVD (Chinese National Vulnerability Database), and now the EUVD, a European implementation of a vulnerability database system.
While much of the information across these databases will overlap, each may also contain region-specific data. For example, the CNVD publishes a significant portion of its content in Chinese, posing a language barrier for global companies. This becomes particularly relevant for industries like automotive, where businesses operate in both Western and Asian markets and need to provide vulnerability information from both the NVD and CNVD to meet local requirements.
With the emergence of the EUVD, yet another database must now be monitored and referenced. This adds complexity for organizations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage.
Mr. Julian Brownlow Davies, Vice President, Advanced Services at Bugcrowd:
The launch of the EUVD reflects a broader trend: governments asserting digital sovereignty in cybersecurity infrastructure. While it’s great to see Europe investing in its own vulnerability coordination, the challenge will be staying operationally relevant. Unlike KEV or private sources like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases; they need better signal.
Darren Guccione, CEO and Co-Founder at Keeper Security:
The debut of the European Union Vulnerability Database (EUVD) by the European Union Agency for Cybersecurity (ENISA) marks a significant milestone in building and maturing cybersecurity defenses for Europe, as well as the global cybersecurity community. Large databases like the EUVD offer enhanced transparency and shared knowledge, while providing critical redundancy for existing databases. The EUVD is a great example of what large-scale collaboration can produce. ENISA has demonstrated teamwork and cooperation with CISA, the U.S. cyber defense agency, and the federally-funded research organization MITRE — incorporating relevant data from the organizations’ Known Exploited Vulnerabilities (KEV) catalog and Common Vulnerabilities and Exposures database. Together, these sources make the EUVD a powerhouse of knowledge to be consulted across the globe.