One year after ENISA quietly switched on the European Union Vulnerability Database (EUVD) in May 2025, the project has moved from contingency plan to permanent fixture of the bloc's cyber architecture. What began as a Brussels insurance policy — a hedge against the wobble in U.S. funding for the MITRE-run Common Vulnerabilities and Exposures (CVE) program — is now an operational catalogue ingesting advisories from national CSIRTs, vendors, and CVE itself, and is woven directly into obligations under the NIS2 Directive. The policy question for 2026 is no longer whether Europe should have its own vulnerability registry. It is whether the EUVD will harden the global system that defenders actually rely on, or fragment it.
From contingency to infrastructure
The EUVD's launch was accelerated by a near-miss in Washington. In April 2025, MITRE publicly warned that its contract to operate the CVE program was about to lapse, prompting a 48-hour scramble before the U.S. Cybersecurity and Infrastructure Security Agency (CISA) extended funding. The episode laid bare a structural fact most defenders had taken for granted: the world's de facto vulnerability identifier system runs on a single U.S. government contract. ENISA, which had been mandated under Article 12 of NIS2 to maintain a European registry of vulnerabilities, used the moment to bring the EUVD online faster than originally planned.
The database currently aggregates entries with the EU's own "EUVD-" prefix while cross-referencing the corresponding CVE identifier where one exists. Crucially, the EUVD is not (yet) a rival numbering authority: it consumes CVE data, layers on additional context from ENISA, national CERTs and vendors, and enriches entries with exploitation status drawn from public sources. That design choice — additive rather than substitutive — is the right one, and Brussels should resist pressure to drift away from it.
What NIS2 actually requires
NIS2, which Member States were obliged to transpose by October 2024, requires "essential" and "important" entities across roughly eighteen sectors to manage vulnerabilities as part of their cybersecurity risk-management obligations. The directive also makes ENISA the EU-level coordinator for coordinated vulnerability disclosure (CVD) and tasks it with maintaining the registry that became the EUVD. The Cyber Resilience Act (CRA), adopted in late 2024, layers on top: manufacturers of products with digital elements will, from its phased application beginning in 2026 and full effect in 2027, have to report actively exploited vulnerabilities to ENISA within 24 hours of awareness and to issue security updates throughout a defined support period.
That regulatory stack creates real value: a single reporting destination for an EU-wide market beats twenty-seven uncoordinated national hotlines. But it also concentrates sensitive pre-disclosure information in one institution, which is why ENISA's recently published vulnerability disclosure policy — and the EUVD's handling of embargoed entries — deserves continued scrutiny from industry and civil society alike.
The interoperability test
The risk that hangs over the project is duplication. If EUVD identifiers begin to drift from CVE entries — different severity scores, different affected-version metadata, different disclosure timelines — defenders will be forced to reconcile two authoritative views of the same flaw. Patch-management vendors will quietly absorb the cost; smaller organisations will not.
The encouraging signal is that ENISA and MITRE have publicly committed to interoperability, and the EUVD currently mirrors CVE IDs rather than minting competing ones for the same bug. The discouraging signal is political: voices in Brussels increasingly frame "digital sovereignty" as a goal in its own right, sometimes irrespective of whether the underlying system is actually broken. A vulnerability database is the wrong place to fight that fight. Adversaries do not respect jurisdictional carve-outs, and an open, shared identifier scheme is one of the few pieces of cybersecurity infrastructure that genuinely works at planetary scale.
A pro-innovation path forward
The proportionate policy response is to use the EUVD's existence to strengthen the global system rather than splinter it. Three principles should guide the next phase:
- One identifier, many enrichments. CVE IDs should remain the universal primary key. The EUVD adds enormous value as a Europe-specific enrichment layer — exploitation status in EU networks, affected critical entities, national CERT advisories — without minting parallel numbers.
- Funded redundancy, not forked governance. The right lesson from the April 2025 funding scare is that the CVE program needs multi-jurisdictional, multi-year funding commitments — ideally including EU contributions — not a competing registry. Redundancy in operations is healthy; fragmentation in identifiers is not.
- Proportionate disclosure obligations. The CRA's 24-hour reporting clock for actively exploited vulnerabilities is workable, but the requirement to notify before a patch exists carries real risk if pre-disclosure data leaks. ENISA's implementation should err on the side of tight access controls and narrow definitions of "actively exploited", and Member State authorities should resist the temptation to demand broader feeds.
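As an added illustration of the reconciliation problem raised in the interoperability section and of the "one identifier, many enrichments" principle above (example code written for this page, not ENISA's, MITRE's or any vendor's software), the script below joins CVE-style and EUVD-style records on the CVE ID, keeps the CVE values as the primary view, attaches the EUVD exploitation status as enrichment, and reports every field (severity score, affected versions, disclosure date) on which the two registries disagree. It also keeps an EUVD record that has no CVE cross-reference visible under its own identifier and flags it, which is the "parallel numbers" case the text warns against. The record layout, identifiers, scores, products and dates are all constructed assumptions for illustration, not the real CVE JSON or EUVD API schemas.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Added example, not ENISA's, MITRE's or any vendor's code. The record layout
# and every identifier, score, product and date below are constructed for
# illustration; they are assumptions about shape, not the real CVE or EUVD
# schemas.


@dataclass(frozen=True)
class VulnRecord:
    source: str                    # "CVE" or "EUVD" (assumed exact spelling)
    record_id: str                 # "CVE-..." or "EUVD-..." identifier
    cve_id: str | None             # cross-referenced CVE ID; None = no cross-reference
    cvss: float | None             # base score as published by this source
    affected: frozenset[str]       # "vendor:product:version" triples
    published: date                # disclosure date according to this source
    exploited: bool | None = None  # exploitation status (EUVD-style enrichment)


# Constructed sample input: one flaw seen through both registries, plus one
# EUVD-only record that was never cross-referenced to a CVE.
SAMPLE_RECORDS = [
    VulnRecord("CVE", "CVE-2025-00001", "CVE-2025-00001", 7.5,
               frozenset({"acme:widget:1.0", "acme:widget:1.1"}), date(2025, 6, 1)),
    VulnRecord("EUVD", "EUVD-2025-00001", "CVE-2025-00001", 8.1,
               frozenset({"acme:widget:1.0", "acme:widget:1.1", "acme:widget:1.2"}),
               date(2025, 6, 3), exploited=True),
    VulnRecord("EUVD", "EUVD-2025-00002", None, 5.0,
               frozenset({"acme:gadget:2.0"}), date(2025, 7, 1)),
]

# Fields on which the two registries must agree for "one key" to hold.
COMPARED_FIELDS = ("cvss", "affected", "published")


def reconcile(records: list[VulnRecord]) -> dict[str, dict]:
    """Build a merged view keyed by CVE ID.

    The CVE record supplies the primary values; the EUVD record contributes
    enrichment (exploitation status) plus a 'drift' list of
    (field, cve_value, euvd_value) tuples wherever the two sources disagree.
    An EUVD record with no CVE cross-reference is kept under its own ID and
    flagged, so a parallel identifier never silently vanishes from view.
    """
    by_key: dict[str, dict[str, VulnRecord | None]] = {}
    for rec in records:
        key = rec.cve_id or rec.record_id
        by_key.setdefault(key, {"CVE": None, "EUVD": None})[rec.source] = rec

    merged: dict[str, dict] = {}
    for key, pair in by_key.items():
        cve, euvd = pair["CVE"], pair["EUVD"]
        primary = cve or euvd  # CVE wins when both exist
        view = {
            "cve_id": cve.cve_id if cve else None,
            "euvd_id": euvd.record_id if euvd else None,
            "cvss": primary.cvss,
            "affected": primary.affected,
            "published": primary.published,
            "exploited": euvd.exploited if euvd else None,
            "drift": [],
        }
        if euvd is not None and euvd.cve_id is None:
            # A parallel number with no CVE behind it: the fragmentation case.
            view["drift"].append(("cross_reference", None, euvd.record_id))
        if cve is not None and euvd is not None:
            for name in COMPARED_FIELDS:
                a, b = getattr(cve, name), getattr(euvd, name)
                if a != b:
                    view["drift"].append((name, a, b))
        merged[key] = view
    return merged


def drifted_fields(view: dict) -> set[str]:
    """Names of the fields on which the two registries disagree for one entry."""
    return {name for name, _, _ in view["drift"]}


if __name__ == "__main__":
    for key, view in reconcile(SAMPLE_RECORDS).items():
        status = ("consistent" if not view["drift"]
                  else f"drift on {sorted(drifted_fields(view))}")
        print(f"{key}: exploited={view['exploited']} {status}")
```

The design choice worth noting is that drift is recorded rather than resolved: the CVE value stays the primary key and score, the EUVD contribution is attached alongside it, and the disagreement list is what a patch-management team would review. That is the additive layering the text argues for, expressed as data handling rather than policy.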
Europe is right to want resilience. It is right to invest in ENISA's capacity. It would be wrong to mistake the EUVD for a sovereignty trophy. The global vulnerability ecosystem is a rare example of cross-border public goods provision that mostly works — and the most innovation-friendly cyber policy Brussels can pursue in 2026 is to keep it that way.