Why Europe’s new vulnerability database matters more than you think

07 August 2025

In early 2025, a near-shutdown of the Common Vulnerabilities and Exposures (CVE) program, which assigns software vulnerabilities standardised identifiers, triggered widespread concern. Observers worried that this ‘pillar of modern cybersecurity’, managed by the United States-based non-profit MITRE and funded by the US Cybersecurity and Infrastructure Security Agency (CISA), would be lost, resulting in uncoordinated chaos and possibly threats to national security.

Though funding was eventually secured, the event highlighted the fragility of a system that underpins global software vulnerability management. CVE identifiers are ubiquitous in cybersecurity tooling, patch prioritisation, and threat intelligence feeds. When that system faltered – even briefly – the ripple effects were global.

In May 2025, the European Union Agency for Cybersecurity (ENISA) launched the European Vulnerabilities Database (EUVD), a public repository of software vulnerabilities, mapped to CVE identifiers but managed independently by European authorities who also assign vulnerabilities a separate EUVD ID. It sources data from open vulnerability feeds, national computer security incident response teams, vendor advisories, and public exploit databases. In principle, it is designed to enhance visibility into software risk across the EU and increase responsiveness to regional needs.

In this context, the launch of the EUVD can be understood as more than a technical capacity-building exercise or a redundant, duplicative database. Rather, viewed through the lens of sovereign resilience, it suggests a strategic attempt to reduce systemic dependency on a single ‘foreign’ source of digital risk classification and tracking. The issue is not that CVE will imminently fail, but rather that critical infrastructure cannot remain vulnerable to the fragilities of a single external political structure. Cybersecurity capabilities and infrastructure must be diversified to safeguard critical systems, just like supply chains need to be diversified to mitigate risk.

The broader context: Retrenchment and risk

Interdependence is a fundamental attribute of cyberspace; as such, cyber risk is highly contagious. Threat actors exploit shared infrastructure and vulnerabilities, and compromises affect systems across borders. No single entity can be considered secure if the whole system is not resilient.

The EUVD emerges during a time of wider concern about Europe’s overreliance on external technology providers and infrastructures across the digital domain (and beyond). According to the industry-backed EuroStack report, over 80% of Europe’s digital technologies are imported. US companies dominate foundational tools, with Microsoft, Apple, and Google controlling over 90% of the European market for operating systems. Amazon, Microsoft, and Google account for nearly 70% of Europe’s cloud infrastructure market and 70% of foundational AI models have been developed in the United States, with another 15% in China. EU firms represent only 7% of global research and development spending in software and internet technologies, compared to 71% by US firms and 15% by Chinese firms.

Today, moreover, the global geopolitical context is shifting. US foreign policy appears increasingly focused on domestic priorities, with recent ‘America First’ narratives reshaping global alliances. In this environment, Europe’s heavy reliance on US-backed cybersecurity capabilities – from CVE and MITRE ATT&CK, which is used to classify cyberattacks, to CISA advisories, FBI indictments, and US Cyber Command ‘Hunt Forward’ engagements – raises strategic concerns. An overdependence on the US for cybersecurity resources and support is only a part of the general imbalance in interdependencies between Europe and the US.

But interdependence can also be viewed as a strength. The author Stephen Covey’s notion of maturity as a journey from dependence through independence to interdependence offers a useful conceptual lens. EUVD may be interpreted as a step toward Europe’s digital independence; not an end in itself, but a prerequisite for durable, voluntary interdependence. A more resilient global ecosystem will likely emerge only when infrastructure is distributed and governed by a broader set of actors. A central point of failure – like a single vulnerability tracking system – poses disproportionate risk and a toxic imbalance of power.

EuroStack: A federated alternative

One strategic response to this dependence is the EuroStack initiative. Championed by industry-connected think tanks and a cross-party coalition in the European Parliament, EuroStack describes a resilient, interoperable, and values-aligned digital ecosystem across Europe. Proposing a €300 billion [US$347 billion] investment and policy reforms, the initiative offers a concrete industrial policy framework to build autonomy in cloud, cybersecurity, data governance, and AI by promoting open standards, reducing vendor lock-in, and investing in regional innovation.

At its core, EuroStack aims to solve the underlying political and economic risks associated with dependency on non-European technology providers. It offers a blueprint for reducing the structural asymmetries that currently place critical European infrastructure at the mercy of foreign geopolitical and commercial interests. While not specifically identified in the EuroStack strategy, EUVD fits into this model as a critical element enhancing Europe’s ability to define, categorise, and respond to digital risk on its own terms.

What comes next

Initiatives like EUVD must mature, not as isolated projects but as components of a more federated and resilient global cyber ecosystem.

Early reviews of the EUVD note gaps in metadata, delayed publishing timelines, and lower overall volume compared to CVE and the US National Vulnerability Database (NVD), which aggregates and enhances CVE entries. These critiques are valid and suggest that EUVD remains in its early stages.

To fulfil its potential and attract participation from vendors, security researchers, and national incident response teams, the EUVD will need to offer a level and quality of service equivalent to the US NVD. This should include timely and precise vulnerability disclosures, entries enriched with metadata such as Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) identifiers, robust and high-performance application programming interfaces (APIs), interfaces for automation, and seamless integration with existing security tools to avoid fragmenting the cybersecurity ecosystem.

Future development of the EUVD might entail investment in automation, engagement with global standards bodies, support for global initiatives like the FIRST.org Common Vulnerability Scoring System and Exploit Prediction Scoring System, structured programs for academic and private-sector collaboration, and outreach to the global cybersecurity community.

Resilience in cybersecurity, as in other domains, depends on redundancy. EUVD can be an element of that resilience, provided it remains open, adaptive, and globally interoperable.

Diversifying vulnerability tracking is essential

Vulnerability tracking is the metronome setting the daily rhythm for security defenders, making CVE and the NVD invaluable global resources. The EUVD initiative acknowledges this and seeks to reduce single points of failure.

While there is no formal policy declaring EUVD as a geopolitical instrument, its timing and context suggest such an interpretation. Whether by design or as a side effect, EUVD positions Europe as a slightly more autonomous actor in global cybersecurity.

In a world of uncertain alliances and increasing digital fragility, investing in diversified infrastructure is not duplication – it is survival.