
Enisa launches European vulnerability database


The European Union Agency for Cybersecurity (Enisa) has debuted a European Union Vulnerability Database (EUVD) to offer “aggregated, dependable and actionable” information on newly disclosed cyber security vulnerabilities in IT services.

The EUVD, which is required by the NIS2 Directive, is designed to bring together publicly available information from sources such as EU member state national computer security incident response teams (CSIRTs), industry threat researchers, and other vulnerability databases, including Mitre’s CVE Program.

Enisa said that to meet this goal, it has built its platform on a holistic approach as an interconnected database that it believes will allow for better analysis and help the community correlate vulnerabilities. It said this would ultimately make it a more trustworthy, transparent and broader information source.

“The EU Vulnerability Database is a significant step towards reinforcing Europe’s security and resilience,” said Henna Virkkunen, European Commission executive vice-president for tech sovereignty, security and democracy.

“By bringing together vulnerability information relevant to the EU market, we’re raising cyber security standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”

Enisa executive director Juhan Lepassaar added: “Enisa achieves a milestone with the implementation of the vulnerability database requirement from the NIS2 Directive. The EU is now equipped with an essential tool designed to considerably enhance the management of vulnerabilities and the risks associated with them.

“The database ensures transparency to all users of the affected ICT services and can stand as an efficient source of information to find mitigation measures.”

Mitre CVE Program

The launch of the EUVD comes mere weeks after the security community was rocked by the near-death experience of Mitre’s long-running CVE Program, a US government-backed and -funded resource that over the past 20 years has become a fixture in the security world.

Although Mitre’s funding was, in the end, restored at the last minute by the US government, the 24 hours of uncertainty prompted much soul-searching, and many cyber professionals have begun to consider or discuss the idea of alternatives to a programme that is ultimately backed by a single government.

Although EUVD is not designed to replace the US programme, Enisa said it had worked with Mitre on its development, and continues to work alongside the non-profit body to understand the impact of the funding crisis on the EUVD mission.

For now, data on common vulnerabilities and exposures (CVE), data provided by those disclosing vulnerabilities, and other sources such as the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalogue can be routinely transposed into EUVD with help from EU member state CSIRTs.

For example, CVE-2025-32709, a privilege escalation vulnerability in Windows Ancillary Function Driver for WinSock – disclosed this week on Patch Tuesday – appears in the EUVD with the designation EUVD-2025-14439.

Sylvain Cortes, strategy vice-president at Hackuity, said: “Enisa’s new EUVD is an efficient initiative when you consider the current funding issues around Mitre’s CVE Program.

“There’s also still some uncertainty around whether the Mitre database will continue to exist after the new contract expires in 10 months’ time, so having a European option in place means the industry can be less reliant on one vulnerability enrichment source. It’s an even better alternative when you consider the fact that the NVD [the US National Vulnerability Database] has suffered backlogs in the past.

“Ultimately, we need a source for all vulnerabilities that’s dependable and open, and we hope that the new EUVD guarantees will provide this,” said Cortes.

Crystal Morin, cyber security strategist at Sysdig, also welcomed the launch as part of the ongoing effort to strengthen global cyber security amid an uncertain future. She said she hoped the EUVD would complement the CVE Program.

“Having both in play means more organisations handling CVE requests and, ultimately, faster public disclosure,” she said.

“For security teams, the EUVD is simply another trusted source for vulnerability intelligence. As long as vulnerability submissions are streamlined – only submitted to one programme – we avoid duplication and confusion, and gain speed and resilience.”