What Is the ENISA European Vulnerability Database (EUVD)? A Practical Guide

ENISA EUVD is the European Union's vulnerability database mandated by NIS2 Article 12. Learn what it contains, how it compares to NVD and CISA KEV, and how SentriKat integrates it for EU vulnerability management.

Denis Sota · 5 min read

The European Union now has its own vulnerability database. The ENISA European Vulnerability Database (EUVD), mandated by NIS2 Article 12, launched in 2024 as Europe’s authoritative source for vulnerability intelligence. For organizations operating in the EU, understanding the EUVD isn’t optional — it’s a compliance requirement.

This guide explains what the EUVD is, what data it provides, how it compares to existing databases, and how to use it in practice.

What is the EUVD?

The European Vulnerability Database is maintained by the European Union Agency for Cybersecurity (ENISA) under the mandate of the NIS2 Directive. Specifically, NIS2 Article 12 requires ENISA to establish and maintain a European vulnerability database to support EU member states and organizations with vulnerability intelligence.

The EUVD provides:

  • Exploited vulnerability tracking — Identifies vulnerabilities actively exploited in the wild, similar to CISA’s KEV catalog but from a European perspective
  • CVSS severity scores — Provides its own CVSS assessments, useful as a fallback when NVD enrichment is delayed
  • EU-contextualized advisories — Vulnerability information with relevance to European infrastructure and regulations
  • API access — RESTful API for automated integration into vulnerability management tools

The EUVD is accessible at euvd.enisa.europa.eu.

Why does the EU need its own vulnerability database?

Three primary reasons drove the creation of the EUVD:

1. Reducing dependency on US infrastructure

The global vulnerability management ecosystem has historically depended on two US-operated resources: the NIST National Vulnerability Database (NVD) and MITRE’s CVE program. Both have faced operational challenges:

  • NVD backlog crisis (2024-2026): NIST significantly reduced its CVE enrichment rate, leaving ~44% of new CVEs without CVSS scores or CPE matching
  • CVE program funding uncertainty: The MITRE-operated CVE program has faced documented funding concerns
  • US CLOUD Act exposure: Organizations relying solely on US-hosted vulnerability data face potential data sovereignty issues

For EU organizations subject to NIS2, depending exclusively on US-operated databases creates a single point of failure in their vulnerability management process.

2. NIS2 regulatory mandate

NIS2 Article 12 explicitly mandates a European vulnerability database. This isn’t a suggestion — it’s a legal requirement that ENISA maintain this resource for the benefit of essential and important entities across the EU.

3. European context

The EUVD can provide vulnerability intelligence contextualized for European infrastructure, regulatory requirements, and threat landscapes. As the EU cybersecurity ecosystem matures, having a European perspective on which vulnerabilities are most relevant to EU organizations becomes increasingly valuable.

EUVD vs. NVD vs. CISA KEV: How they compare

| Feature | ENISA EUVD | NIST NVD | CISA KEV |
| --- | --- | --- | --- |
| Operated by | ENISA (EU) | NIST (US) | CISA (US) |
| Primary purpose | EU vulnerability intelligence | Global CVE enrichment | US exploited vulnerabilities |
| Exploited tracking | Yes | No (references only) | Yes (primary purpose) |
| CVSS scores | Yes | Yes (primary global source) | No (references NVD) |
| Mandate | NIS2 Article 12 | US federal requirement | CISA BOD 22-01 |
| API access | REST API | REST API 2.0 | JSON feed |
| Scope | EU-relevant CVEs | All CVEs (~250K+) | Confirmed exploited (~1,500) |

Key takeaway: These databases are complementary, not competing. The most resilient vulnerability management approach uses all three.

How SentriKat integrates the EUVD

SentriKat uses the EUVD in two ways:

Exploited vulnerability tracking

SentriKat syncs EUVD exploited vulnerabilities alongside CISA KEV entries daily. This provides dual-continent coverage: vulnerabilities flagged by both US (CISA) and EU (ENISA) authorities are matched against your software inventory.

When a vulnerability appears in both CISA KEV and EUVD exploited lists, SentriKat shows both designations — giving you full visibility into which authorities consider a vulnerability actively exploited.

CVSS score fallback chain

SentriKat’s multi-source CVSS enrichment uses the EUVD as a tertiary scoring source:

  1. NVD (primary) — Industry standard, most comprehensive
  2. CVE.org + CISA Vulnrichment (secondary) — CNA-provided and ADP-enriched scores
  3. ENISA EUVD (tertiary) — European scores, critical when NVD enrichment is delayed

Every CVE score includes a cvss_source provenance tag so you always know where your severity data comes from. If the NVD hasn’t scored a CVE yet, SentriKat automatically falls back to CVE.org, then EUVD — ensuring you’re never blind to severity just because one database is behind.
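
The fallback chain and the dual exploited designations described above can be sketched as follows. This is an added example, not SentriKat's code: the function and field names, the `cve_org` and `cisa_kev` tags, and the placeholder CVE IDs are assumptions; only the source order and the `nvd`/`euvd` tag values come from the article.

```python
from typing import Optional

# Priority order from the article: NVD, then CVE.org / CISA Vulnrichment, then EUVD.
# "nvd" and "euvd" appear in the article; "cve_org" is an assumed tag name.
CVSS_PRIORITY = ("nvd", "cve_org", "euvd")


def valid_score(value) -> Optional[float]:
    """Return a CVSS base score as a float, or None if missing or out of range."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return float(value) if 0.0 <= value <= 10.0 else None


def enrich(cve_id: str, scores: dict, kev_ids: set, euvd_exploited_ids: set) -> dict:
    """Pick the first usable score in priority order and record its source."""
    record = {"cve": cve_id, "cvss": None, "cvss_source": None}
    for source in CVSS_PRIORITY:
        score = valid_score(scores.get(source, {}).get(cve_id))
        if score is not None:
            record["cvss"], record["cvss_source"] = score, source
            break
    # Keep both designations instead of collapsing them into one boolean.
    record["exploited_by"] = [
        name for name, ids in (("cisa_kev", kev_ids), ("euvd", euvd_exploited_ids))
        if cve_id in ids
    ]
    return record


# Constructed sample data (placeholder CVE IDs, not real records).
SCORES = {
    "nvd": {"CVE-0000-0001": 9.8, "CVE-0000-0002": None},  # None = not yet enriched
    "cve_org": {"CVE-0000-0002": 7.5},
    "euvd": {"CVE-0000-0002": 7.2, "CVE-0000-0003": 8.1},
}
KEV = {"CVE-0000-0001", "CVE-0000-0003"}
EUVD_EXPLOITED = {"CVE-0000-0003"}

if __name__ == "__main__":
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"):
        print(enrich(cve, SCORES, KEV, EUVD_EXPLOITED))
```

A CVE that no source has scored keeps `cvss` and `cvss_source` as `None` rather than 0.0, so it cannot be mistaken for a low-severity finding during triage.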

Practical implications for EU organizations

If your organization falls under NIS2 as an essential or important entity:

  1. You need structured vulnerability handling — Article 21(2)(e) requires it. Using a tool that integrates EUVD demonstrates alignment with the EU’s own vulnerability intelligence infrastructure.

  2. Data sovereignty matters — Running your vulnerability management platform on-premises (not in a US cloud) with European data sources strengthens your compliance posture.

  3. Multi-source intelligence is resilience — No single database is perfectly reliable. By combining CISA KEV, NVD, CVE.org, and EUVD, you eliminate single points of failure in your vulnerability intelligence pipeline.

  4. Audit trail is required — NIS2 demands demonstrable compliance. SentriKat’s per-CVE source attribution (cvss_source: nvd, cvss_source: euvd) provides the provenance trail auditors expect.

Getting started

SentriKat integrates ENISA EUVD out of the box — no configuration required. EUVD sync runs automatically alongside CISA KEV and EPSS updates.

To learn more about SentriKat’s multi-source vulnerability intelligence architecture, read our technical deep-dive: Why We Stopped Trusting a Single Vulnerability Database.

For NIS2 compliance specifically, see our guide: NIS2 Vulnerability Management: What European SMBs Need to Know.
