
The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), as mandated by the NIS2 Directive. The database, which is now operational, is managed by ENISA and aims to provide comprehensive and actionable data on cybersecurity vulnerabilities in Information and Communication Technology (ICT) products and services.
The EUVD aggregates information from various sources, including Computer Security Incident Response Teams (CSIRTs), vendors, and existing databases, to support enhanced cybersecurity risk management. Built on the open-source Vulnerability-Lookup software, the platform enables improved analysis and correlation of vulnerabilities. This interconnected approach aims to improve situational awareness and reduce exposure to cybersecurity threats.
The database is publicly accessible, offering information on vulnerabilities affecting IT products and services. It targets suppliers of network and information systems, entities using these services, national authorities such as the EU CSIRTs network, private companies, and researchers. The EUVD presents data through dashboards, highlighting critical vulnerabilities, exploited vulnerabilities, and those coordinated by European CSIRTs.
“The EU Vulnerability Database is a major step towards reinforcing Europe’s security and resilience,” said European Commission tech sovereignty, security and democracy executive vice-president Henna Virkkunen. “By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.”
The EUVD compiles vulnerability information from open-source databases and supplements it with advisories and alerts from national CSIRTs, vendor guidelines on mitigation and patching, and exploited vulnerability markings. Data records in the EUVD may include descriptions of vulnerabilities, affected ICT products or services, severity levels, exploitation methods, and guidance on risk mitigation.
ENISA’s collaborative efforts with global partners
To align with the NIS2 Directive, ENISA collaborates with various EU and international organisations, including MITRE’s CVE Programme. ENISA is engaging with MITRE to assess the impact of funding announcements for the Common Vulnerabilities and Exposures Program.
Data from the CVE Programme, ICT vendor advisories, and CISA’s Known Exploited Vulnerabilities (KEV) Catalogue are automatically integrated into the EUVD. Member States support this initiative through national Coordinated Vulnerability Disclosure (CVD) policies, each designating a CSIRT as coordinator to enhance the EUVD’s reliability.
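The aggregation described above (base vulnerability records from a CVE-style feed, exploited-in-the-wild markings from a KEV-style list, and CSIRT and vendor advisories carrying mitigation guidance, merged into one record per vulnerability and then surfaced as "critical", "exploited" and "CSIRT-coordinated" views) can be sketched as follows. This is an added illustration, not EUVD or Vulnerability-Lookup code: the feed layouts, the `CVE-0000-000x` identifiers, the product names and the advisory texts are all constructed for the example and do not reflect the real schemas of the EUVD, the CVE Programme or the KEV catalogue. It also shows two edge cases an aggregator has to handle: a vulnerability that appears only in the exploited list (no base record yet) and one that has no severity score published.

```python
"""Merge constructed vulnerability feeds into one record per id and build
dashboard-style views. Constructed example; not the EUVD's own schema."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VulnRecord:
    """Aggregated entry for one vulnerability id (constructed schema)."""
    vuln_id: str
    description: str = ""
    cvss: Optional[float] = None          # None: no score published yet
    products: list = field(default_factory=list)
    exploited: bool = False               # set from the exploited-vulnerability list
    csirt_coordinator: Optional[str] = None
    mitigations: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return severity_label(self.cvss)


def severity_label(cvss: Optional[float]) -> str:
    """CVSS v3.x qualitative rating; 'unknown' when no score is available."""
    if cvss is None:
        return "unknown"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def _add_products(rec: VulnRecord, products) -> None:
    # Keep the affected-product list free of duplicates across feeds.
    for p in products:
        if p not in rec.products:
            rec.products.append(p)


def aggregate(cve_feed, kev_ids, csirt_advisories, vendor_advisories) -> dict:
    """Fold all feeds into {vuln_id: VulnRecord}; unknown ids get stub records."""
    records: dict = {}
    for entry in cve_feed:
        rec = records.setdefault(entry["id"], VulnRecord(entry["id"]))
        rec.description = entry.get("description", rec.description)
        rec.cvss = entry.get("cvss", rec.cvss)
        _add_products(rec, entry.get("products", []))
    for vid in kev_ids:
        # An exploited marking may arrive before any base record exists;
        # it must still surface on the dashboard rather than be dropped.
        rec = records.setdefault(
            vid, VulnRecord(vid, description="exploited marking only; no base record yet"))
        rec.exploited = True
    for adv in csirt_advisories:
        rec = records.setdefault(adv["id"], VulnRecord(adv["id"]))
        rec.csirt_coordinator = adv["csirt"]
        if adv.get("mitigation"):
            rec.mitigations.append(f"{adv['csirt']}: {adv['mitigation']}")
    for adv in vendor_advisories:
        rec = records.setdefault(adv["id"], VulnRecord(adv["id"]))
        _add_products(rec, adv.get("products", []))
        rec.mitigations.append(f"{adv['vendor']}: {adv['guidance']}")
    return records


def dashboard(records: dict) -> dict:
    """The three views the text describes, as sorted id lists."""
    vals = records.values()
    return {
        "critical": sorted(r.vuln_id for r in vals if r.severity == "critical"),
        "exploited": sorted(r.vuln_id for r in vals if r.exploited),
        "csirt_coordinated": sorted(r.vuln_id for r in vals if r.csirt_coordinator),
    }


def build_sample() -> dict:
    """Constructed feeds (not real data) run through the aggregator."""
    cve_feed = [
        {"id": "CVE-0000-0001", "description": "Remote code execution in Sample Daemon",
         "cvss": 9.8, "products": ["ExampleCorp Sample Daemon 1.0"]},
        {"id": "CVE-0000-0002", "description": "Information disclosure in Sample Portal",
         "cvss": 5.3, "products": ["ExampleCorp Sample Portal 2.1"]},
        {"id": "CVE-0000-0003", "description": "Unscored issue in Viewer",
         "cvss": None, "products": ["ExampleSoft Viewer 3.0"]},
    ]
    kev_ids = ["CVE-0000-0001", "CVE-0000-0004"]   # 0004 has no base record
    csirt_advisories = [{"id": "CVE-0000-0003", "csirt": "CSIRT-EXAMPLE",
                         "mitigation": "disable remote file loading until patched"}]
    vendor_advisories = [{"id": "CVE-0000-0001", "vendor": "ExampleCorp",
                          "guidance": "upgrade Sample Daemon to 1.1",
                          "products": ["ExampleCorp Sample Daemon 1.0"]}]
    return aggregate(cve_feed, kev_ids, csirt_advisories, vendor_advisories)


if __name__ == "__main__":
    for view, ids in dashboard(build_sample()).items():
        print(f"{view}: {ids}")
```

The stub record for an id that is only on the exploited list is the important design choice: a feed that silently dropped it would hide exactly the entry a defender most needs to see, so it is kept with `cvss=None` and a `severity` of `"unknown"` until a base record arrives.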
Starting January 2024, ENISA, as a CVE Numbering Authority (CNA), will register and support the disclosure of vulnerabilities discovered by EU CSIRTs or those reported for coordinated disclosure, provided they are not under another CVE Numbering Authority’s jurisdiction.
By September 2026, manufacturers will be required to report actively exploited vulnerabilities. This reporting obligation will cover vulnerabilities affecting hardware and software products with digital components. The Single Reporting Platform (SRP), as outlined in the Cyber Resilience Act (CRA), will be the designated tool for this process. Note that the SRP is distinct from the EUVD established under the NIS2 Directive.