{"id":3149,"date":"2025-05-13T16:43:17","date_gmt":"2025-05-13T16:43:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3149"},"modified":"2025-05-13T16:43:17","modified_gmt":"2025-05-13T16:43:17","slug":"new-eu-vulnerability-database-will-complement-cve-program-not-compete-with-it-says-enisa","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3149","title":{"rendered":"New EU vulnerability database will complement CVE program, not compete with it, says ENISA"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

From this week, the global technology industry has a new database to check for the latest software security flaws: the European Union Vulnerability Database (EUVD).<\/p>\n

Made operational by the European Union Agency for Cybersecurity (ENISA) to fulfil the EU\u2019s NIS2 cybersecurity Directive, EUVD joins a small but important group of global vulnerability tracking platforms headed by the world-famous US Common Vulnerabilities and Exposures (CVE) program.<\/p>\n

The obvious first question is why the world needs another vulnerability tracking system when the industry long ago standardized on CVEs as a way of identifying software flaws.<\/p>\n

According to ENISA, the EUVD and its new identification system is meant to complement the CVE program rather than rival it.<\/p>\n

Vulnerabilities will be given an EUVD tracker<\/a> if they are first reported by European companies or CERTs and have some relevance in that context, for example affecting critical infrastructure or companies in the EU itself.<\/p>\n

However, EUVD flaws will be cross-referenced with a CVE identifier where one is available. If no CVE has been assigned \u2014 presumably a rare event given the agreed principles of disclosure coordination \u2014 the EUVD identifier will stand on its own.<\/p>\n

For example, a critical vulnerability affecting SAP\u2019s NetWeaver Visual Composer Metadata Uploader reported this week can be tracked as EUVD-2025-14349<\/a> or CVE-2025-42999<\/a>.<\/p>\n

A second concern is that the EU is able to track its obligations under NIS2 legislation<\/a> using an independent system. The European Commission\u2019s executive vice-president for tech sovereignty, security and democracy, Henna Virkkunen, made this point in the official news release:<\/p>\n

\u201cThe EU Vulnerability Database is a major step towards reinforcing Europe\u2019s security and resilience. By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy,\u201d she said.<\/p>\n

Near-death experience<\/h2>\n

Although it\u2019s been promised for a while, the arrival of the EUVD might also be a case of good timing.<\/p>\n

For a few hours in April, it looked as though there was a chance that the CVE program might shut down after a quarter of a century when the US Department of Homeland Security (DHS) failed to renew the contract with the non-profit that operates it, MITRE Corporation.<\/p>\n

That unthinkable possibility was only averted after the Cybersecurity and Infrastructure Security Agency (CISA) stepped in to fund the program\u2019s continuation<\/a>.<\/p>\n

In cybersecurity terms, defunding the world\u2019s foremost vulnerability-tracking system would be akin to abolishing the US dollar in commerce, which is why it didn\u2019t happen.<\/p>\n

Nevertheless, the near-death experience has reminded the industry of criticisms that have been levelled at the CVE program, which operates in conjunction with the US National Vulnerability Database (NVD), run separately by NIST.<\/p>\n

These include that it depends too much on US government largesse and doesn\u2019t help organizations understand which vulnerabilities to prioritize beyond giving them a general CVSS score.<\/p>\n

However, that doesn\u2019t mean that everyone is celebrating EUVD\u2019s arrival.<\/p>\n

\u201cThe creation of EUVD is a mix of good and bad traits,\u201d said Morey J. Haber, chief security advisor at security vendor BeyondTrust. \u201cThis is a complementary service that could improve response times and bridge gaps in CVE coverage,\u201d he said, but \u201closing MITRE CVE as a global authority is disheartening.\u201d<\/p>\n

While Haber said that treating the CVE system as a \u201csingle source of truth\u201d is no longer viable in a globalized vulnerability environment, the arrival of the EUVD \u201ccould create scoring conflicts, risk prioritization issues, and conflicts within multinational organizations attempting to remediate software flaws.\u201d<\/p>\n

According to Boris Cipot, senior security engineer at Black Duck (formerly Synopsys), the arrival of a new vulnerability system will create more work for security professionals.<\/p>\n

\u201cYet another database must now be monitored and referenced. This adds complexity for organizations that must stay on top of multiple sources, understand their differences, and ensure comprehensive coverage,\u201d said Cipot.<\/p>\n

\u201cOrganizations that rely solely on the US National Vulnerability Database should evaluate how their software composition analysis (SCA) tools incorporate new sources like the EUVD.\u201d<\/p>\n

\u201cAlternatively, they may need to establish manual processes to monitor the EUVD directly, especially to remain compliant with potential EU regulations or to meet the requirements of EU-based customers and projects.\u201d<\/p>\n

The current EUVD website is still in its beta phase. We asked ENISA to clarify how long this might last but received no comment at press time.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

From this week, the global technology industry has a new database to check for the latest software security flaws: the European Union Vulnerability Database (EUVD). Made operational by the European Union Agency for Cybersecurity (ENISA) to fulfil the EU\u2019s NIS2 cybersecurity Directive, EUVD joins a small but important group of global vulnerability tracking platforms headed […]<\/p>\n","protected":false},"author":0,"featured_media":3150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3149"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3149"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3150"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}