EUVD: first step toward Europe’s cybersecurity sovereignty?
In May, the European Union Agency for Cybersecurity (ENISA) unveiled the EUVD — a first-of-its-kind initiative within the Union. Never before had the EU created a public platform dedicated to cataloging and managing software vulnerabilities.
“The EUVD comes at a time when the U.S. National Vulnerability Database (NVD), long considered the global benchmark, is facing major challenges. Budget cuts imposed by the Department of Government Efficiency (DOGE) have slowed its operations significantly, raising doubts about its reliability. For Europe, this created a strategic opening: the chance to build an independent, complementary database tailored to European needs,” says Maxime Alay-Eddine, co-founder of Cyberwatch and Galeax.
Traditionally, the NVD has analyzed vulnerabilities to define their characteristics, identify affected technologies, and assign a severity score. These details enrich the CVE (Common Vulnerabilities and Exposures) identifiers issued upstream by MITRE Corporation. The EUVD follows this same model: vulnerabilities listed in CVE and NVD now also receive a European identifier, ensuring interoperability across systems.
“The EUVD is a major step forward for Europe, but its real value will come when it delivers richer technical details beyond the basic identifier. At present, the database is well developed for Windows environments but remains patchy when it comes to Linux. That’s where the open-source community could make a real difference, by contributing documentation and feeding EUVD with high-quality data,” notes Alay-Eddine.
A study by Markess for CNLL (the Union of Free and Open Digital Companies), Numeum and Systematic Paris-Region highlights open source as a driving force in fast-growing digital sectors such as AI, Big Data, IoT, IaaS, PaaS and cybersecurity. In France, the free software market has grown fortyfold in under two decades, now valued at €5.9 billion — making the country Europe’s open-source powerhouse.
“An open-source community can’t run on volunteer work alone. It needs structure and support. The goal isn’t to pay contributors directly, but to appoint a funded project lead to coordinate efforts and formally recognize contributions. Certification of participation, for example, would be a valuable credential for contributors in their professional careers,” Alay-Eddine adds.
The EUVD also reflects a regulatory push from Brussels. The NIS2 directive, which came into effect in 2024, tightened cybersecurity requirements across a wide swath of critical industries. Among its demands: coordinated reporting and sharing of vulnerabilities across the EU.
Meanwhile, the Cyber Resilience Act obliges software and hardware manufacturers to track and disclose vulnerabilities quickly. This regulatory framework directly supports the creation of a consolidated, sovereign database like EUVD. “The CRA introduces a transparency model comparable to food labeling: software publishers will need to disclose their components and any associated vulnerabilities. It’s a groundbreaking approach that gives users clearer insight into the security of digital products,” says Alay-Eddine.
The EUVD is built on international standards to ensure automation and interoperability. Central to this is the Common Security Advisory Framework (CSAF), which standardizes how security advisories are published and read — making it easier for companies to integrate alerts directly into their systems.
ENISA has set 2025 as a year of adjustment and refinement, with an emphasis on feedback from CISOs, national CERTs, researchers and software vendors. Regular stakeholder consultations are planned to address gaps such as Linux coverage, technical depth and update speed. A feedback mechanism is already integrated, enabling users to flag inconsistencies, suggest features or provide additional details on vulnerabilities.
“The EU vulnerability database marks a major milestone in strengthening Europe’s security and resilience. By consolidating vulnerability information relevant to the European market, we are raising cybersecurity standards and enabling both public and private stakeholders to safeguard our digital space more effectively and autonomously,” concludes Henna Virkkunen, Executive Vice-President of the European Commission for Technological Sovereignty, Security and Democracy.