The CVE database of the American MITRE recently threatened to collapse. An independent alternative from the European Union appeared last week. This is a good thing, although fragmentation will have its disadvantages.
EUVD (European Union Vulnerability Database) is the unsurprising name of the new database for software vulnerabilities. It was launched by the European Union Agency for Cybersecurity (ENISA). Its nature as an emergency measure to serve as a backup for the MITRE database is immediately apparent. In addition to IDs such as EUVD-2025-15991, there is an “alternative” ID with the classic CVE naming convention from MITRE and CISA. An equivalent of the CVSS score has not been determined: it is simply taken from the American database, which is the result of a global effort anyway.
Lightweight
Sites such as CVE.org and its EUVD counterpart are, of course, simple in design. Both sites are clearly optimized and stripped of as many frills as possible. What is striking, however, is that the minimalism of the European version goes even further. For example, there is no cookie statement and there are only two prominent pages: the list filtered by the most recently added vulnerabilities and a search engine. At CVE.org, the main page is essentially useless, apart from a non-functional stat counter that is supposed to add up all vulnerabilities ever reported. In short, it seems that some lessons have been learned by presenting the EUVD as quickly and simply as possible.
In a broader sense, there is more at stake. Anouck Teiller, Chief Strategy Officer at the European security company HarfangLab, tells us that such a vulnerability database is about more than just a technical reference. “It is a strategic component of a secure digital Europe. ENISA’s initiative to establish a European vulnerability database is a decisive step towards strengthening the EU’s digital sovereignty and cyber resilience.”
The European initiative thus appears to be more than a practical necessity to replace the MITRE database. Such a motivation alone was already reason enough to act, to be fair: for a moment, it seemed that the entire security community would have to set up an alternative to CVE.org within a few days. The cause was that CISA’s contract funding the database was running out; it was extended by twelve months at the eleventh hour. Had it not been, this would have had major consequences and undoubtedly required immediate emergency changes to various security solutions. After all, the CVE list is essential for informing organizations as quickly as possible about software problems. The EUVD version could now come to the rescue.
European autonomy
Teiller explains why the new database could become an important component for European autonomy. And, perhaps just as importantly, that there is enthusiasm for it. A survey of 750 IT decision-makers at European SMEs shows that the vast majority prefer European cybersecurity partners, as cited by the HarfangLab CSO. In addition, 74 percent are in favor of prioritizing European solutions. “This is not just about proximity,” says Teiller. “It’s about understanding regional threats, ensuring compliance with EU legislation such as the GDPR and NIS2, and building trust in a fragmented and volatile geopolitical landscape. The message is clear: sovereignty matters.”
Incidentally, Teiller is not (yet) talking about fully replacing the CVE list as we know it. Rather, she refers to “strategic diversification.” ENISA is also positioning itself as a real leader in ensuring cybersecurity on the continent on a daily basis – at long last. “For ENISA, this new database is also an opportunity to grow into a genuine, reliable third party that mediates between national and private CSIRTs, something that has long been lacking in the fragmented European cybersecurity landscape,” says Teiller. She continues: “If implemented with transparency, interoperability, and trust within the community, it could significantly strengthen cross-border threat response and preparedness across Europe.”
She concludes that geopolitical adversaries and (it has to be mentioned in an article at some point) AI are creating new challenges that make European autonomy more than a luxury. “It is essential.”
We also recognize this necessity, by the way. Not just that, but the EU can take a step toward action beyond regulation. Laws like DORA, NIS2, and various privacy regulations are considered forward-looking globally, but they are not particularly inventive or a foundation for innovation per se. Nobody’s envious of being the chief regulator in the world if there’s no innovation or self-sufficiency to back it up. To achieve this, Europe does need to build its own ecosystem for proactive reporting of vulnerabilities, European security players, and new solutions to cyber threats. The EUVD is a good start.