A new vulnerability database launched by the European Union could shake up an ecosystem long dominated by the United States. The centerpieces of that system have been the National Vulnerability Database (NVD), maintained by the U.S. National Institute of Standards and Technology (NIST), and the Common Vulnerabilities and Exposures (CVE) numbering system, maintained under contract by U.S. corporation Mitre. Both the NVD and CVE have been plagued by problems in recent times, which has opened the door for the European offering.
Sylvain Cortes, vice president for strategy at Lyon, France-based Hackuity, said the new European Union Vulnerability Database (EUVD) being launched by the EU Agency for Cybersecurity (ENISA) is a solid initiative that can fill the gap caused by recent funding issues around Mitre's CVE program. He added that it is also uncertain whether the Mitre database will continue to exist after the company's new contract expires in 10 months’ time.
"It’s an even greater alternative when you consider the fact that the NVD has suffered backlogs in the past," Cortes said.
"Ultimately, we need a source for all vulnerabilities that is reliable and open, and we hope that the new EUVD will provide this."
—Sylvain Cortes
Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, said the EUVD is "a signal" that it is a mistake to rely on a single vulnerability database.
"Europe wants a seat at the table when it comes to vulnerability coordination. For years, the world has relied almost exclusively on the CVE system. It has been working, but recent funding issues show the danger of putting all our trust in a single thread."
—Ferhat Dikbiyik
Dikbiyik said the EUVD brings resilience. "In cybersecurity, redundancy isn’t wasteful. It’s smart. It is a common practice in cybersecurity. So why not bring it to vulnerability tracking?"
Here's what your application security (AppSec) team needs to know about the EUVD — and the bigger picture for the shakeup of the vulnerability database ecosystem.
EUVD is not meant to stand alone
Technically, the EUVD is still in beta, Dikbiyik said, but the database's open design, use of machine-readable data, and public consultation process show it’s serious.
"The real challenge now is adoption. A new database is only as strong as the community behind it. If EUVD becomes a parallel track, aligned and interoperable with CVE, it could strengthen the global ecosystem. But if it drifts into fragmentation, it could complicate things. This is a strategic move, timely, necessary, and worth watching closely."
—Ferhat Dikbiyik
One key aspect of the EUVD is that it is not a standalone vulnerability management system. A statement by ENISA stresses that the EUVD's mission is to provide aggregated, reliable, and actionable information, such as mitigation measures and exploitation status, on cybersecurity vulnerabilities affecting information and communication technology (ICT) products and services. Its objective: to ensure a high level of interconnection of publicly available information from multiple sources, such as computer security incident response teams (CSIRTs), vendors, and existing databases.
To meet that objective, the EUVD platform is adopting a holistic approach, which includes support for Vulnerability-Lookup, an open-source software application, ENISA said in its statement.
Gary Schwartz, senior vice president of NetRise, said that while the use of Vulnerability-Lookup could complement the other vulnerability databases globally by expanding visibility, the real value of the new database comes from contextualization and action. Effective risk management requires turning raw data into prioritized insights, especially with evolving regulations, he said.
"Automation and intelligent analysis are critical here. If the EUVD integrates with broader risk frameworks, it could enhance decision making, but it’s not a standalone solution. Ideally, there would be a consortium of organizations, both private and public, that would aggregate data from the many vulnerability databases that already exist."
—Gary Schwartz
To meet the requirements of the EU's Network and Information Security Directive 2 (NIS2), ENISA has initiated cooperation with various EU and international organizations, including Mitre's CVE program. In addition, CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information, such as the Known Exploited Vulnerability Catalog (KEV) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), are automatically transferred into the EUVD.
EUVD data records will include a description of the vulnerability; ICT products or ICT services and their versions affected by the vulnerability; the severity of the vulnerability and how it could be exploited; and information on existing relevant available patches or guidance provided by competent authorities, including CSIRTs, and addressed to users on how to mitigate risks.
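As an added illustration of the aggregation the article describes (example code, not ENISA's or the EUVD's; the feeds, CVE IDs and field names are constructed assumptions, not the EUVD schema), here is a defender-side merge of CVE, vendor-advisory and KEV-style records into one record per CVE ID, with known-exploited entries prioritized:

```python
# Added example, not ENISA/EUVD code; the feeds and field names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class AggregatedRecord:
    cve_id: str
    description: str = ""
    affected: Set[str] = field(default_factory=set)     # "product version"
    cvss: Optional[float] = None
    exploited: bool = False                              # set from a KEV-style feed
    remediation: List[str] = field(default_factory=list)
    sources: Set[str] = field(default_factory=set)      # which feeds contributed

# Constructed sample feeds; the CVE IDs are placeholders, not real entries.
CVE_FEED = [
    {"id": "CVE-2025-00001", "summary": "Path traversal in example-httpd",
     "cvss": 7.5, "affected": ["example-httpd 2.4.0", "example-httpd 2.4.1"]},
    {"id": "CVE-2025-00002", "summary": "Heap overflow in example-lib",
     "cvss": 9.8, "affected": ["example-lib 1.0"]},
]
VENDOR_ADVISORIES = [{"cve": "CVE-2025-00001", "fix": "Upgrade to example-httpd 2.4.2"}]
# The second KEV entry names a CVE the CVE feed lacks; the merged view must still carry it.
KEV_FEED = [
    {"cveID": "CVE-2025-00002", "requiredAction": "Apply vendor patch"},
    {"cveID": "CVE-2025-00003", "requiredAction": "Disable affected component"},
]

def aggregate(cve_feed, advisories, kev_feed) -> Dict[str, AggregatedRecord]:
    """Merge the feeds by CVE ID; a record needs no particular feed to exist."""
    records: Dict[str, AggregatedRecord] = {}
    rec = lambda cve_id: records.setdefault(cve_id, AggregatedRecord(cve_id))
    for e in cve_feed:
        r = rec(e["id"])
        r.description = r.description or e["summary"]
        r.affected.update(e["affected"])
        r.cvss = max(r.cvss or 0.0, e.get("cvss") or 0.0) or None  # keep the highest
        r.sources.add("cve")
    for a in advisories:
        rec(a["cve"]).remediation.append(a["fix"])
        rec(a["cve"]).sources.add("vendor")
    for k in kev_feed:
        r = rec(k["cveID"])
        r.exploited = True
        r.remediation.append(k["requiredAction"])
        r.sources.add("kev")
    return records
def prioritize(records: Dict[str, AggregatedRecord]) -> List[AggregatedRecord]:
    """Exploited first, then highest CVSS (unknown sorts as 0), then ID."""
    return sorted(records.values(), key=lambda r: (not r.exploited, -(r.cvss or 0.0), r.cve_id))
```

The KEV-only entry surfaces second despite having no CVSS score, which is the point of not depending on a single feed for exploitation status.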
Vulnerability management thinks globally, acts locally
Nathaniel Jones, vice president for security and AI strategy at Darktrace, said the EUVD is a victory for the global cybersecurity community. While there will be operational issues to work out, he said, the basics of maintaining information from Mitre's CVE program and CISA’s KEV are encouraging.
"Additionally, the EU taking on CVE Numbering Authority [CNA] status will help to address historic coordination gaps. It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time."
—Nathaniel Jones
Darren Guccione, CEO of Keeper Security, called the EUVD a significant milestone in building and maturing cybersecurity defenses for Europe — and the global cybersecurity community. "Large databases like the EUVD offer enhanced transparency and shared knowledge while providing critical redundancy for existing databases," Guccione said.
"The EUVD is a great example of what large-scale collaboration can produce. ENISA has demonstrated teamwork and cooperation with CISA and Mitre — incorporating relevant data from the KEV catalog and Common Vulnerabilities and Exposures database. Together, these sources make the EUVD a powerhouse of knowledge to be consulted across the globe."
—Darren Guccione
Julian Brownlow Davies, vice president for advanced services at Bugcrowd, said that the EUVD reflects a broader trend of governments asserting digital sovereignty in cybersecurity infrastructure. "While it’s great to see Europe investing in its own vulnerability coordination, the challenge will be staying operationally relevant," Davies stressed.
"Unlike KEV or private sources, like VulnDB, which offer enriched context and exploit prioritization, the EUVD will need tight integration and real-time rigor to be more than just a parallel record. There is a risk of fragmentation here. Security teams don’t need more databases. They need better signal."
—Julian Brownlow Davies
Go beyond vulnerabilities: Upgrade your AppSec strategy
Policy experts note that the changes to the CVE program come at a tricky time: the number of CVEs is growing at an astonishing rate, while the resources available to analyze them are not, said Atlantic Council senior fellow Shane Miller.
“The number of reported CVEs is growing because of both the increasing rate of software development and increasing pressure to publicly report security vulnerabilities. The number of software developers worldwide grew by 45% in the last two years, from 26.8 million to 38.9 million. That’s 12 million more people creating and reporting software security vulnerabilities in just two years.”
—Shane Miller
This firehose of disclosed software vulnerabilities can act as a noisy distraction for security teams, with serious supply chain security gaps overlooked, experts stress. That's because chasing vulnerabilities is essentially a reactive exercise. A lot of time is spent patching software that might be better spent trying to address software supply chain threats before they manifest themselves.
A better approach to software supply chain security is to employ next-generation technologies such as complex binary analysis and reproducible builds to complement traditional AppSec testing tools such as static and dynamic application security testing (SAST and DAST), as well as software composition analysis (SCA).
The Enduring Security Framework, a public/private working group led by the National Security Agency (NSA) and CISA, has called for the use of binary analysis and reproducible builds to identify and manage risk. These more modern tools produce actionable threat information about the software and services deployed within IT environments. That includes the presence of active malware; evidence of software tampering; the absence of application hardening; and secrets exposure. This strategy makes security teams more proactive in their quest to mitigate risk.
In contrast, SAST and DAST typically apply only to a small subset of internally developed systems and applications at many organizations, said Saša Zdjelar, chief trust officer at ReversingLabs. He said the recommended use of binary analysis and reproducible builds marked a significant step forward in ensuring better software supply chain security.
"Our ability to analyze binaries is key to understanding risk in third-party software."
—Saša Zdjelar