EUVD instead of dependency: Why Europe must now rely on its own vulnerability databases

In April 2025, the IT security world was on the verge of chaos: funding for the CVE program from the US government was not extended as expected. It was only at the last minute that the US authority CISA stepped in and prevented the standstill. But the uncertainty remains. This event has once again highlighted how fragile the global security infrastructure is when it is based on a single government-funded system.

CVE crisis as a wake-up call for Europe

The CVE program, operated by MITRE on behalf of the US government, has been the central data source for identifying IT vulnerabilities for decades. But when it became known in spring 2025 that this system, of all things, could be left without a budget, the risks of a single point of failure became apparent. IT experts worldwide warned: Without CVE IDs, security processes, patch management and automated vulnerability analyses would collapse.

The dependence on a US-based system, the continued existence of which is politically uncertain, shows that Europe must go its own way. And this is precisely where the European Union Vulnerability Database (EUVD) comes in.

Screenshot of the EUVD website, which has a tabular overview of current security vulnerabilities.

EUVD: Sovereignty through Europe's own vulnerability intelligence

The EUVD was announced in June 2024 as part of the NIS2 implementation (https://digital-strategy.ec.europa.eu/de/news/eu-launches-european-vulnerability-database-boost-its-digital-security) and officially went into full operation in May 2025 (https://euvd.enisa.europa.eu/). Its aim is to create a central, European platform for IT vulnerability information that is operated independently of third countries. It delivers:

  • Its own EUVD IDs, supplemented by CVE references

  • Up-to-date information on affected products, exploit status, CVSS scores and patch availability

  • Data aggregation from CVE, CERTs, manufacturer advisories and CISA lists

  • Automated entries updated almost in real time

The EUVD does not replace the CVE system, but complements it in a meaningful way: it offers redundancy, regional relevance and greater resilience.

Why the EUVD must be supported now

The CVE funding crisis has shown how quickly a globally used security system can falter. This results in a clear call to action for Europe:

  • Expand investments in EUVD to secure long-term independence

  • Accelerate integration into European legislation (e.g. Cyber Resilience Act)

  • Raise awareness among companies so that they also align their systems with EUVD data

Only with a strong EUVD can Europe ensure that critical security information is available even if the CVE system temporarily falters. A trustworthy vulnerability database supported by European interests is no longer an alternative – it is a strategic necessity.

Conclusion: EUVD is more than a project – it is a security promise

Europe can and should learn the lessons from the CVE crisis. The EUVD is a functioning, transparent and independent infrastructure that needs to be strengthened and further developed. It is not only an instrument of technical security, but also a symbol of digital sovereignty. Investing in the EUVD today means investing in the resilience of Europe’s digital future.

This text was written as part of our work on the European research project CRACoWI (Cyber Resilience Act Compliance Wizard). The aim of the project is to support companies – especially SMEs – with digital tools to implement the EU Cyber Resilience Act. It quickly became clear that without reliable information about current vulnerabilities, it is impossible to carry out a well-founded security assessment. This is precisely where the European Union Vulnerability Database (EUVD) comes into play. As a European-operated, independent vulnerability database, it provides the basis for many of the security-relevant processes that CRACoWI aims to automate and facilitate. Our examination of the EUVD shows how important such infrastructures are for an independent, resilient cyber security strategy in Europe – and how much technical tools such as CRACoWI benefit from them.