At the same time, the European Union quietly made history. The European Vulnerability Database (EUVD), led by ENISA under the NIS2 Directive, entered public beta, offering API access, CVSS v3.1 and EPSS scores, and a coordinated European approach to vulnerability disclosure.
EUVD vs. NVD: A Quick Comparison
Feature | EUVD (Europe) | NVD (USA) |
---|---|---|
Operator | ENISA | NIST (CVE data via MITRE) |
Status | Live (Beta) | Fully operational, but CVE funding issues emerged |
API Support | ✅ Yes | ✅ Yes |
Scoring | CVSS 3.1 + EPSS | CVSS (including 4.0) |
Description Quality | Often short | Generally detailed |
Interoperability | CVE ID in “Alternative IDs” field | CVE ID primary |
Vendor Participation | Apache, Mozilla, and EU-based vendors | Broad, global participation |
Legal Framework | Required by NIS2 | Voluntary, reliant on funding continuity |
What the CVE Crisis Means
The temporary uncertainty surrounding the CVE program reminds us how dependent we are on centralized systems, and how vulnerable those systems are to administrative or funding shifts.
The CVE system is the “source of truth” for most security operations: it anchors SIEM alerts, scanner signatures, ticketing systems, and patch management routines. A disruption in that pipeline isn’t just theoretical; it can slow vulnerability response, delay risk communication, and degrade automated defenses.
Why the EUVD Matters Now More Than Ever
With the CVE ecosystem showing signs of strain, EUVD offers both an alternative and a complement:
- It supports machine-readable formats (CSAF), easing integration.
- It includes EPSS scores, offering a probability-based exploitability view.
- It adheres to a legal framework (NIS2), giving it regulatory resilience.
- It fills regional gaps, especially for European vendors and infrastructure sectors.
- While the descriptions are often less detailed than NVD entries, EUVD is expected to evolve quickly as feedback is gathered from the security community.
Best Practice: Use Both
For robust, resilient vulnerability management:
- Use the NVD for structured metadata and mature ecosystem support.
- Use the EUVD for exploitability scores (EPSS), European context, and redundancy.
The two systems aren’t competitors; they’re safety nets for each other in a volatile threat landscape.
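The dual-source approach as an added example (not code from this article, ENISA, or NIST): it joins EUVD-style and NVD-style records on the CVE ID that EUVD carries as an alternative ID, keeps entries that only one source knows about, and ranks by EPSS and then CVSS. The record layouts, field names, and IDs are constructed for illustration and are assumptions, not the real API schemas.

```python
# Constructed sample records. Field names are hypothetical and simplified;
# they are not the real EUVD or NVD API schemas.
EUVD_RECORDS = [
    {"id": "EUVD-0000-0001", "aliases": ["CVE-0000-1111"], "cvss31": 9.8, "epss": 0.02},
    {"id": "EUVD-0000-0002", "aliases": ["CVE-0000-2222"], "cvss31": 7.5, "epss": 0.91},
    {"id": "EUVD-0000-0003", "aliases": [], "cvss31": 8.1, "epss": 0.40},  # no CVE ID
]
NVD_RECORDS = [
    {"cve": "CVE-0000-1111", "cvss": 9.8, "description": "constructed text A"},
    {"cve": "CVE-0000-2222", "cvss": 7.5, "description": "constructed text B"},
    {"cve": "CVE-0000-4444", "cvss": 6.1, "description": "constructed text C"},
]


def merge(euvd_records, nvd_records):
    """Return one finding per vulnerability, joined on CVE ID where possible."""
    nvd_by_cve = {r["cve"]: r for r in nvd_records}
    findings, matched = [], set()
    for e in euvd_records:
        # EUVD lists the CVE ID among its alternative IDs, not as the primary ID.
        cve = next((a for a in e["aliases"] if a.startswith("CVE-")), None)
        n = nvd_by_cve.get(cve)
        if n:
            matched.add(cve)
        findings.append({
            "key": cve or e["id"],
            "cvss": n["cvss"] if n else e["cvss31"],  # fall back to EUVD's score
            "epss": e["epss"],
            "description": n["description"] if n else None,
            "sources": ["EUVD", "NVD"] if n else ["EUVD"],
        })
    for cve, n in nvd_by_cve.items():
        if cve not in matched:  # NVD-only entry: keep it, EPSS unknown
            findings.append({"key": cve, "cvss": n["cvss"], "epss": None,
                             "description": n["description"], "sources": ["NVD"]})
    return findings


def prioritize(findings):
    """Rank by exploit likelihood, then severity; unknown EPSS sorts last."""
    return sorted(findings,
                  key=lambda f: (f["epss"] is None, -(f["epss"] or 0.0), -f["cvss"]))


if __name__ == "__main__":
    for f in prioritize(merge(EUVD_RECORDS, NVD_RECORDS)):
        print(f["key"], f["epss"], f["cvss"], "+".join(f["sources"]))
```

Because NVD scores may be CVSS 4.0 while EUVD's are CVSS 3.1, a production pipeline should store the CVSS version beside each score instead of comparing them directly.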
Final Thoughts
The near-shutdown of the CVE program wasn’t just a bureaucratic hiccup; it was a reminder that global cybersecurity hinges on a few critical, often underfunded, pieces of infrastructure. At the same time, the EUVD’s launch marks a significant step toward decentralizing and diversifying that infrastructure.
As Europe matures its own vulnerability intelligence capabilities, organizations now have more options, and more responsibility to adapt.
Explore the EUVD (beta): https://euvd.enisa.europa.eu
How We Are Integrating EUVD and EPSS into Our Services
At OSM-S, we’ve already begun integrating EUVD vulnerability IDs and EPSS scores directly into our vulnerability assessment and penetration testing toolsets. By enriching our reports with exploitability predictions and referencing both NVD and EUVD sources, we provide our clients with more actionable insights and regional compliance awareness, especially for organizations affected by NIS2. This dual-source approach enhances our ability to prioritize vulnerabilities based on both technical severity and real-world exploit likelihood.