EU Stakes Out Digital Sovereignty With Vulnerability Database
Depending on who’s doing the talking, the new European Vulnerability Database (EUVD), set up by the European Union Agency for Cybersecurity (ENISA) and which recently went operational, is a much-needed alternative to EU dependency on MITRE. Or it’s one more vulnerability database to maintain. Or it’s both.
For now, like most of the security pros who checked in on this, I’m in the “both” camp.
“One clear benefit is reducing the reliance on the U.S. National Vulnerability Database (NVD) as a single source of truth,” says Boris Cipot, senior security engineer at Black Duck, before adding that EUVD “is yet another database [that] must now be monitored and referenced,” which is sure to “add complexity for organisations that must stay on top of multiple sources, understand their differences and ensure comprehensive coverage.”
Created to meet the requirements of the NIS2 Directive, the database aims to aggregate reliable and actionable information — including mitigation measures and the exploitation status of cybersecurity vulnerabilities that impact information and communication technology products and services — from the likes of CSIRTs, vendors and existing databases.
Because the EUVD is an interconnected database, officials believe it will make for better analysis and ultimately improved cybersecurity risk management through the correlation of vulnerabilities, using the open-source software Vulnerability-Lookup. It offers a trio of dashboard views: for critical vulnerabilities, for exploited vulnerabilities and for those coordinated by the EU.
In addition to identifying vulnerabilities, the database will identify the products and services affected, their severity and means of exploitation. It will also include guidance from authorities on addressing risk and information on patches.
Keeper Security CEO and Co-founder Darren Guccione sees the EUVD as “a significant milestone in building and maturing cybersecurity defenses for Europe, as well as the global cybersecurity community.”
Guccione credits ENISA with making the vulnerability database a “powerhouse of knowledge” by working with CISA, the U.S. cyber defense agency, and MITRE to bring to bear relevant data from their Known Exploited Vulnerabilities (KEV) catalog and Common Vulnerabilities and Exposures database. It “is a great example of what large-scale collaboration can produce.”
Julian Brownlow Davies, vice president, advanced services, at Bugcrowd, says the EUVD points to a broader trend of “governments asserting digital sovereignty in cybersecurity infrastructure.” But while Europe investing in its own vulnerability coordination is welcomed, he says “the challenge will be staying operationally relevant.”
The database will need “tight integration and real-time rigor to be more than just a parallel record,” unlike its counterparts KEV or private sources like VulnDB, “which offer enriched context and exploit prioritization.”
Otherwise, there is “a real risk of fragmentation,” Davies says, noting that rather than additional databases, security teams “need better signal.”
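The practical question behind both Cipot’s and Davies’ comments is what a security team does once it watches NVD, KEV and the EUVD at the same time: records for the same CVE arrive from several feeds, each with a different subset of severity, exploitation status and mitigation data, and the team has to fold them into one prioritised view while noticing where the feeds disagree or where only one feed knows about an entry. The following Python is an added illustration of that correlation step; it is not code from ENISA, Vulnerability-Lookup or any feed client. The feed records are constructed sample data with an assumed, simplified schema and placeholder CVE IDs, and the field names (`id`, `cvss`, `exploited`, `mitigation`, `products`) are assumptions; each real feed has its own format that would first have to be mapped into this shape.

```python
"""Merging several vulnerability feeds into one prioritised view, keyed on CVE ID.

Added illustration, not code from ENISA, Vulnerability-Lookup, NVD, KEV or the
EUVD. All records below are constructed sample data with an assumed, simplified
schema; each real feed has its own format and must be mapped into it first.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample feeds. The CVE IDs are placeholders, not real entries.
NVD_SAMPLE = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "products": ["vendor-a:widget"]},
    {"id": "CVE-0000-0002", "cvss": 5.3, "products": ["vendor-b:gadget"]},
    {"id": "CVE-0000-0003", "cvss": 7.5, "products": ["vendor-c:thing"]},
]
KEV_SAMPLE = [  # a KEV-style list only carries entries known to be exploited
    {"id": "CVE-0000-0002", "exploited": True},
]
EUVD_SAMPLE = [
    {"id": "CVE-0000-0001", "exploited": False, "mitigation": "upgrade to 2.1"},
    {"id": "CVE-0000-0002", "exploited": True, "mitigation": "disable module X"},
    {"id": "CVE-0000-0003", "exploited": True},
    {"id": "CVE-0000-0004", "cvss": 4.0, "products": ["vendor-d:tool"]},
]


@dataclass
class Merged:
    cve_id: str
    sources: Set[str] = field(default_factory=set)       # feeds that list the CVE
    exploited_by: Set[str] = field(default_factory=set)  # feeds claiming exploitation
    cvss: Optional[float] = None
    mitigation: Optional[str] = None
    products: Set[str] = field(default_factory=set)
    conflicts: List[str] = field(default_factory=list)   # disagreements between feeds

    @property
    def exploited(self) -> bool:
        # Pessimistic rule: one feed claiming exploitation is enough to act on.
        return bool(self.exploited_by)


def merge_feeds(feeds: Dict[str, List[dict]]) -> Dict[str, Merged]:
    """Fold every feed into one record per CVE, noting where feeds disagree."""
    merged: Dict[str, Merged] = {}
    for name, records in feeds.items():
        for rec in records:
            m = merged.setdefault(rec["id"], Merged(rec["id"]))
            m.sources.add(name)
            if "cvss" in rec:
                if m.cvss is not None and m.cvss != rec["cvss"]:
                    m.conflicts.append(f"cvss {m.cvss} vs {rec['cvss']} ({name})")
                m.cvss = rec["cvss"]
            if rec.get("exploited"):
                m.exploited_by.add(name)
            if rec.get("mitigation"):
                m.mitigation = rec["mitigation"]
            m.products.update(rec.get("products", []))
    return merged


def prioritize(merged: Dict[str, Merged]) -> List[str]:
    """Patch-queue order: exploited entries first, then by CVSS (missing score = 0)."""
    ranked = sorted(merged.values(), key=lambda m: (not m.exploited, -(m.cvss or 0.0)))
    return [m.cve_id for m in ranked]


def uncorroborated_exploitation(merged: Dict[str, Merged]) -> List[str]:
    """CVEs where exactly one feed claims exploitation: check before escalating."""
    return sorted(m.cve_id for m in merged.values() if len(m.exploited_by) == 1)


def single_source(merged: Dict[str, Merged]) -> Dict[str, List[str]]:
    """CVEs known to only one feed, grouped by feed: the fragmentation signal."""
    out: Dict[str, List[str]] = {}
    for m in merged.values():
        if len(m.sources) == 1:
            out.setdefault(next(iter(m.sources)), []).append(m.cve_id)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    view = merge_feeds({"nvd": NVD_SAMPLE, "kev": KEV_SAMPLE, "euvd": EUVD_SAMPLE})
    print("patch order:", prioritize(view))
    print("exploitation claimed by one feed only:", uncorroborated_exploitation(view))
    print("known to a single feed:", single_source(view))
```

On the sample data the exploitation flag outranks raw severity: the 7.5 entry that the EUVD marks as exploited sorts above the 9.8 entry nobody reports as exploited, which is the "exploit prioritization" Davies attributes to KEV and VulnDB. The two reports are where the added feed earns its keep or creates noise: an exploitation claim carried by only one feed deserves corroboration before it drives an emergency change, and an entry that only one feed knows about is exactly the fragmentation case Cipot describes.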
Still, the EUVD is a “win for the global cybersecurity community,” says Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace. Jones expects some operational kinks but contends “the basics of maintaining information from MITRE’s CVE Program and CISA’s KEV are encouraging.” That the EU is taking on CNA status “will help to address historic coordination gaps,” he says. “It’s also sound risk management to avoid single points of failure in global vulnerability reporting and can help reduce lags in reporting time.”
Perhaps, too, timing works in its favor as the Trump administration backburners cybersecurity, undercuts CISA and seems to have taken a myopic view of homeland security, focusing primarily on the border. “Because of the present administration’s ‘defund the cyber-police’ policies and actions, the future of this program is in extreme jeopardy,” said Token CEO John Gunn. “Because of the critical importance of stopping cyberattacks from Russia and other enemy nations, it is good news that the EU is taking this action, even if it means that they will set the agenda and priorities instead of the U.S.”