ENISA develops the European Vulnerability Database (EUVD) as provided for by the NIS2 Directive

The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database - EUVD as provided for by the NIS2 Directive. The EUVD service, to be maintained by ENISA, is now operational.
The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services.
The objective of the EUVD is to ensure a high level of interconnection of publicly available information coming from multiple sources such as CSIRTs, vendors, and existing databases. To meet this objective, the platform builds on a holistic approach. As an interconnected database, the EUVD allows for better analysis and facilitates the correlation of vulnerabilities by using the open-source software Vulnerability-Lookup, thereby enabling enhanced cybersecurity risk management.
The EUVD therefore offers a trusted, more transparent and broader source of information and further improves situational awareness while limiting exposure to threats.
The aggregated information of the database is displayed through dashboards. The EUVD offers three dashboard views: for critical vulnerabilities, for exploited ones, and for EU coordinated ones. The EU Coordinated Vulnerabilities view lists the vulnerabilities coordinated by European CSIRTs and includes the members of the EU CSIRTs network.
The collected and referenced vulnerability information comes from open-source databases. Additional information is added via advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, together with exploited vulnerability markings. EUVD data records may include:
- A description of the vulnerability;
- ICT products or ICT services affected and/or affected versions, the severity of the vulnerability and how it could be exploited;
- Information on relevant available patches, or guidance provided by competent authorities, including CSIRTs, and addressed to users on how to mitigate risks.
To meet the requirement of the NIS2 Directive, ENISA initiated a cooperation with different EU and international organisations including MITRE’s CVE Programme. ENISA is in contact with MITRE to understand the impact and next steps following the announcement on the funding to the Common Vulnerabilities and Exposures Program. CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information such as CISA’s Known Exploited Vulnerability Catalogue are automatically transferred into the EUVD. This will also be achieved with the support of Member States that have established national Coordinated Vulnerability Disclosure (CVD) policies and designated one of their CSIRTs as the coordinator, ultimately making the EUVD a trusted source for enhanced situational awareness in the EU.
As a CVE Numbering Authority (CNA), ENISA has been able to register vulnerabilities and support vulnerability disclosure since January 2024, in relation to:
- vulnerabilities in IT products discovered by EU CSIRTs themselves; and
- vulnerabilities reported to EU CSIRTs for coordinated disclosure as long as they are not in the scope of another CVE Numbering Authority.