At the same time, the European Union quietly made history. The European Vulnerability Database (EUVD), led by ENISA under the NIS2 Directive, entered public beta, offering API access, CVSS v3.1 and EPSS scores, and a coordinated European approach to vulnerability disclosure.
EUVD vs. NVD: A Quick Comparison
Feature | EUVD (Europe) | NVD (USA) |
---|---|---|
Operator | ENISA | NIST (CVE data via MITRE) |
Status | Live (Beta) | Fully operational, but CVE funding issues emerged |
API Support | ✅ Yes | ✅ Yes |
Scoring | CVSS 3.1 + EPSS | CVSS (including 4.0) |
Description Quality | Often short | Generally detailed |
Interoperability | CVE ID in “Alternative IDs” field | CVE ID primary |
Vendor Participation | Apache, Mozilla, and EU-based vendors | Broad, global participation |
Legal Framework | Required by NIS2 | Voluntary, reliant on funding continuity |
What the CVE Crisis Means
The temporary uncertainty surrounding the CVE program reminds us how dependent we are on centralized systems, and how vulnerable those systems are to administrative or funding shifts.
The CVE system is the “source of truth” for most security operations: it anchors SIEM alerts, scanner signatures, ticketing systems, and patch management routines. A disruption in that pipeline isn’t just theoretical; it can slow vulnerability response, delay risk communication, and degrade automated defenses.
Why the EUVD Matters Now More Than Ever
With the CVE ecosystem showing signs of strain, EUVD offers both an alternative and a complement:
- It supports machine-readable formats (CSAF), easing integration.
- It includes EPSS scores, offering a probability-based exploitability view.
- It adheres to a legal framework (NIS2), giving it regulatory resilience.
- It fills regional gaps, especially for European vendors and infrastructure sectors.
- While the descriptions are often less detailed than NVD entries, EUVD is expected to evolve quickly as feedback is gathered from the security community.
Best Practice: Use Both
For robust, resilient vulnerability management:
- Use the NVD for structured metadata and mature ecosystem support.
- Use the EUVD for exploitability scores (EPSS), European context, and redundancy.
The two systems aren’t competitors; they’re safety nets for each other in a volatile threat landscape.
Final Thoughts
The near-shutdown of the CVE program wasn’t just a bureaucratic hiccup; it was a reminder that global cybersecurity hinges on a few critical, often underfunded, pieces of infrastructure. At the same time, the EUVD’s launch marks a significant step toward decentralizing and diversifying that infrastructure.
As Europe matures its own vulnerability intelligence capabilities, organizations now have more options, and more responsibility to adapt.
Explore the EUVD (beta): https://euvd.enisa.europa.eu
How We Are Integrating EUVD and EPSS into Our Services
At OSM-S, we’ve already begun integrating EUVD vulnerability IDs and EPSS scores directly into our vulnerability assessment and penetration testing toolsets. By enriching our reports with exploitability predictions and referencing both NVD and EUVD sources, we provide our clients with more actionable insights and regional compliance awareness, especially for organizations affected by NIS2. This dual-source approach enhances our ability to prioritize vulnerabilities based on both technical severity and real-world exploit likelihood.
Update: EUVD API Challenges
While integrating data from the EU Vulnerability Database (EUVD), we encountered a few hurdles in retrieving a full list of vulnerabilities via the API. Unlike sources such as the NVD, which offer downloadable datasets for local querying, EUVD requires retrieving paginated results through the search endpoint. This posed two main issues:
- Filtering behavior: Some filters have unexpected defaults. For example, the toEPSS filter defaults to 1, meaning only vulnerabilities with very low exploitability are returned unless the filter is explicitly set. This can lead to misleadingly small result sets if not adjusted.
- Sorting logic: Results are sorted by the last update date, not by ID or publication date. This makes it difficult to detect changes or resume partial retrievals, as the order is dynamic and not stable across requests.
To overcome this, we had to send requests for every page (around 4000) while ensuring all filters were correctly configured to include the full dataset. Unlike other databases that support bulk access, this significantly increases the complexity and time required to mirror or locally search EUVD data. Additionally, the API documentation does not clearly specify parameter defaults, which adds to the trial-and-error nature of initial integration.
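One way to make the page-by-page retrieval described above robust, as an added example that is not OSM-S's or ENISA's code: it sets the filter explicitly, deduplicates by ID, and re-crawls when an update reorders the results mid-crawl. The response keys, record fields, the 0-100 EPSS scale and the `FakeApi` stand-in are assumptions constructed for illustration; only the `toEPSS` name, its default of 1 and the sort-by-update order come from the text.

```python
# Assumed, not from EUVD documentation: response keys "items"/"total", record
# fields "id"/"dateUpdated"/"epss", and a 0-100 EPSS scale for the filter.
ALL_EPSS = {"toEPSS": 100}


def mirror(fetch_page, filters=ALL_EPSS, size=4, max_passes=3):
    """Crawl every page, dedupe by ID, re-crawl until the count matches total."""
    seen = {}
    for _ in range(max_passes):
        page, total = 0, None
        while total is None or page * size < total:
            body = fetch_page(page=page, size=size, **filters)
            total = body["total"]
            for rec in body["items"]:
                old = seen.get(rec["id"])
                # Keep the most recently updated copy of each record.
                if old is None or rec["dateUpdated"] > old["dateUpdated"]:
                    seen[rec["id"]] = rec
            page += 1
        if len(seen) >= total:  # no record slipped across a page boundary
            return seen
    raise RuntimeError(f"incomplete mirror: {len(seen)} of {total} records")


class FakeApi:
    """Constructed stand-in: newest-updated first, toEPSS defaults to 1."""

    def __init__(self):
        self.calls = 0
        self.records = [{"id": f"SAMPLE-{i}", "epss": i * 10,
                         "dateUpdated": f"2025-05-{i + 1:02d}"} for i in range(10)]

    def fetch_page(self, page, size, toEPSS=1):
        self.calls += 1
        if self.calls == 2:
            # Mid-crawl update: a record from the last page jumps to the front
            # and shifts every other record down one position.
            self.records[0]["dateUpdated"] = "2025-06-01"
        rows = sorted((r for r in self.records if r["epss"] <= toEPSS),
                      key=lambda r: r["dateUpdated"], reverse=True)
        return {"items": rows[page * size:(page + 1) * size], "total": len(rows)}


if __name__ == "__main__":
    api = FakeApi()
    print(len(mirror(api.fetch_page)), "records in", api.calls, "requests")
    print(len(mirror(FakeApi().fetch_page, filters={})), "record with default filter")
```

A single pass over the sample misses the record that was updated mid-crawl; comparing the deduplicated count with the reported total is what triggers the second pass.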
0 responses
Hi there!
How did you manage to integrate EUVD into your testing toolset?
I’ve tried too but had trouble with their API.
Having a hard time fetching a complete set of vulns, it always seems like some are missing…
Hey!
Good question! We also had some trouble retrieving a full list of vulnerabilities through the EUVD API. We did not want to query the API for every single vulnerability in our reports, so we had to find a way to download a full list and then run searches locally, same as we do for other sources like the NVD (which provide file downloads exactly for this purpose).
Two things that we stumbled over are the way the filters of the search API endpoint work, and how the vulnerabilities contained in API paged responses are sorted. If you want to retrieve all vulnerabilities, you need to send a request for every single page (around 4000 requests) and apply the right filters. For example, you would assume the default for the toEPSS filter is 10, but actually it is 1, so by default the API only returns vulnerabilities that are unlikely to be exploited. Setting the right filters should return the full set of vulnerabilities. Sorting is done by the date a vulnerability is updated, not the ID or the date the vulnerability is published, which unfortunately makes it a bit harder to keep track of what’s been retrieved already and what is missing.
Cheers,
Sebastian
Hi and thanks for the reply!
I was on the right track with requesting all the single pages but I didn’t check the filters. Thanks for the hint with the filters, I got it working now!
Best regards!