On 13 May 2025, the European Commission announced the launch of the European Vulnerability Database (the EUVD), developed by the European Union Agency for Cybersecurity (ENISA). The database is now officially operational.
In this blog post, we discuss what the EUVD is, who it is for, how it works and whether a similar initiative is on the horizon in the UK.
What is the EUVD?
The EUVD was created under Article 12(2) of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, commonly referred to as the NIS2 Directive. The directive sets out measures for achieving a high common level of cybersecurity across the European Union.
The database’s purpose is to enable entities and their suppliers of network and information systems to voluntarily disclose and register publicly known cybersecurity vulnerabilities in Information and Communication Technology (ICT) products or services. This supports improved transparency, coordination and awareness across the cybersecurity ecosystem.
What are vulnerabilities?
Vulnerabilities are weaknesses or mistakes in computer systems that can be exploited to undermine the security of the affected systems. These flaws may allow for unauthorised access, data breaches or other malicious activities. Addressing vulnerabilities promptly is essential and the process of identifying and disclosing them plays a critical role in maintaining robust cybersecurity.
By providing a centralised, EU-governed repository, the EUVD aims to enhance trust and cooperation across EU member states, industry stakeholders and the broader cybersecurity community.
Who is the EUVD for?
The EUVD is publicly accessible. It is also intended to serve:
- suppliers of network and information systems and entities using their services
- competent national authorities such as the EU CSIRTs network (the network comprised of EU member states’ appointed CSIRTs (Computer Security Incident Response Teams) and CERT-EU (Computer Emergency Response Team for the EU))
- private companies
- researchers
How does the EUVD work?
This database compiles information from publicly available open-source databases. Additional information is also added via advisories and alerts from national CSIRTs, guidance on mitigation and patching published by vendors, and indicators showing whether vulnerabilities have been actively exploited.
The EUVD displays vulnerability data through interactive dashboards, offering three different dashboard views:
- Critical vulnerabilities
- Exploited vulnerabilities
- EU-coordinated vulnerabilities
Critical vulnerabilities are vulnerabilities with severe implications.
Exploited vulnerabilities are vulnerabilities currently being exploited.
EU-coordinated vulnerabilities are vulnerabilities coordinated by European CSIRTs.
Each database entry provides an overview of the vulnerability in question, identifies the affected ICT products or services and the affected versions, states the severity of the vulnerability and how it could be exploited, and lists any available fixes or recommended mitigation steps.
ENISA plans to further improve and develop the EUVD in 2025.
Comment: Is something similar coming in the UK?
The UK does not currently have an equivalent to the EUVD. However, the UK’s National Cyber Security Centre (NCSC) continues to play a central role in tackling vulnerabilities, including through its Vulnerability Disclosure Toolkit. This Toolkit is designed to help organisations implement internal vulnerability disclosure processes. It focuses on the essential components needed to get organisations started, but it is not intended to serve as a comprehensive guide for creating and implementing a vulnerability disclosure process.
The UK’s post-Brexit regulatory landscape has evolved independently from the EU’s, leaving it uncertain whether a public vulnerability database akin to the EUVD will be created. That said, with the increasing focus on supply chain risks, digital resilience and cyber threats, there may be growing pressure for the UK to establish a structured and transparent system for reporting and sharing vulnerability information – either under the NCSC’s oversight or through legislative development.
If you need advice on vulnerabilities in the context of software procurement, please do not hesitate to contact us here and we would be happy to assist.