What is the ENISA European Vulnerability Database - and why does it matter?
The same EU agency that decides if you’re compliant under NIS2, CRA, and DORA also runs Europe’s official vulnerability database, and most security teams aren’t using it. ENISA’s European Union Vulnerability Database (EUVD) is the authoritative reference point for how the EU tracks, categorizes, and responds to cyber threats - including a Known Exploited Vulnerabilities (KEV) list that flags the vulnerabilities attackers are actively exploiting right now. Working from EUVD intelligence essentially aligns your exposure management program and your regulatory obligations from the start. That institutional alignment is what makes the EUVD fundamentally different from other intelligence sources - and why EU organizations should be paying close attention.
The EUVD KEV list: Knowing what attackers are exploiting right now
The EUVD’s Known Exploited Vulnerabilities (KEV) list identifies vulnerabilities that have been confirmed as actively exploited in the wild. A vulnerability earns KEV classification when real attackers are using it against real targets, not just when security researchers have demonstrated it is theoretically possible. This categorization matters because not every vulnerability is equally dangerous. Thousands of CVEs are published every year, and security teams can’t remediate all of them with equal urgency. The EUVD KEV list cuts through that noise, telling you which vulnerabilities have already crossed the line from theoretical risk to active weaponization.
For security teams working with exposure management, the KEV list is exactly the kind of signal that turns reactive patching into proactive defense. Vulnerabilities on this list should be treated as immediate priorities, not items in a backlog.
Why ENISA ownership changes everything
ENISA doesn’t just maintain the EUVD; it’s also the agency receiving your incident and vulnerability reports under NIS2 and the CRA. The same institution defining what counts as a serious vulnerability is the one evaluating whether you caught it.
That changes what the EUVD KEV list actually represents. It’s not a generic threat feed. It’s a real-world exploitation signal coming from the body that sees cross-border incident reports across the EU CSIRT Network and direct CRA disclosures from manufacturers within 24 hours of discovery. When ENISA flags a vulnerability as actively exploited, regulators are already watching it.
The practical consequence: if a vulnerability is on the EUVD KEV list and you haven’t detected or addressed it, that’s exactly the gap an auditor will find. If your exposure management program is drawing from EUVD intelligence, your security posture and your compliance reporting tell the same story - because they’re built on the same source.
EUVD and EU compliance: Where it applies
The NIS2 Directive, Cyber Resilience Act, and DORA are among the most prominent and widely applicable EU cybersecurity frameworks in force today - but they are not the only ones. Organizations may also operate under sector-specific frameworks, national transpositions of other EU directives, ISO 27001 requirements, or contractual obligations with public-sector clients. The EUVD is relevant across all of these contexts, because it represents the EU’s authoritative view of the vulnerability landscape. The three frameworks below are highlighted because they carry the most direct and explicit obligations around vulnerability identification, reporting, and management for mid-market EU organizations.
The NIS2 Directive
NIS2 requires organizations in essential and important sectors to establish robust vulnerability handling and disclosure processes. This means identifying significant vulnerabilities in a timely manner and ensuring they are managed - not just catalogued. Using EUVD intelligence ensures that your identification process is anchored to an authoritative, regulation-aligned source. When your NIS2 reporting draws from the same database that ENISA itself maintains, the credibility and consistency of your ENISA vulnerability reporting is significantly stronger.
Read more about where exposure management meets ENISA and NIS2.
CRA
The Cyber Resilience Act (CRA) introduces a demanding vulnerability disclosure timeline. Manufacturers of products with digital elements must notify ENISA of actively exploited vulnerabilities within 24 hours of discovery - a requirement that sits alongside NIS2’s own 24-hour early warning obligation for significant incidents, though the two apply to different entities and different trigger conditions. In either case, missing that window is not just a compliance failure - it is a signal that your vulnerability detection process is not fit for purpose. Integrating EUVD intelligence, including the EUVD KEV classification, directly into automated vulnerability assessments ensures that these high-priority vulnerabilities surface immediately, without requiring a manual review step.
Read more about the CRA and its relation to NIS2.
DORA
The Digital Operational Resilience Act (DORA) applies to financial entities and their critical ICT service providers. Its requirements around ICT risk management and incident reporting have a direct dependency on the quality and timeliness of an organization’s vulnerability intelligence. The EUVD contributes to both dimensions: it broadens the intelligence base that informs risk assessments, and it ensures that the vulnerabilities most relevant to EU financial sector threats are given appropriate visibility.
Read more about DORA and how it complements NIS2.
Taken together, these frameworks point European organizations toward the same need: an exposure management process that is continuous, intelligence-driven, and anchored to authoritative EU vulnerability intelligence sources - like the EUVD.
EU cybersecurity is no longer just a European conversation
The EUVD is gaining weight not just within Europe, but on the global stage - and that trajectory matters for any organization thinking about the long-term relevance of its intelligence sources.
ENISA has progressively taken on a larger role in the global system for tracking and cataloguing vulnerabilities. It is now being onboarded by CISA to become a Top-Level Root CVE Numbering Authority - a status currently only held by CISA and MITRE, the two organizations that effectively govern how vulnerabilities are identified and classified worldwide. If granted, ENISA would sit alongside those two organizations at the top of the global CVE program, with the authority to help set policy and governance for the entire framework. ENISA leadership has publicly stated the goal is to achieve this status in 2026 or early 2027.
This is a significant development. It means that ENISA’s perspective on what constitutes a significant vulnerability - how it should be categorized, and what response it warrants - will increasingly shape the global vulnerability management landscape, not just the European one. That makes EU vulnerability intelligence worth building into your stack now, before operating without it starts to look like a blind spot.
For EU organizations, the most direct way to get ahead of that alignment is to work with a platform that already has EUVD intelligence built in - so that as ENISA’s authority grows, your vulnerability assessments grow with it. That growing authority is exactly why adding the EUVD to your intelligence stack is a forward-looking decision, not just a compliance one.
A stronger intelligence stack - not a replacement
The EUVD and CISA KEV are complementary sources, not competing ones. CISA’s Known Exploited Vulnerabilities catalog reflects the threat intelligence priorities of the US Cybersecurity and Infrastructure Security Agency, informed by visibility into attacks targeting US infrastructure. The EUVD KEV list reflects ENISA’s visibility into threats targeting European organizations and the EU’s digital ecosystem. For companies operating in Europe, both perspectives are valuable - but only one is directly tied to the regulator you answer to.
There is also a practical redundancy component. If any single data source experiences delays, gaps, or changes in availability, an intelligence stack that includes multiple sources continues to function without interruption - and this is not a theoretical concern. In April 2025, CISA’s contract with MITRE - the organization that runs the CVE program - briefly lapsed, raising the prospect of an interruption to one of the world’s most relied-upon vulnerability tracking systems. For organizations whose compliance and security operations depend on continuous, unbroken coverage, an intelligence stack that includes the EUVD as an independent, EU-maintained source is not a nice-to-have, but a safeguard.
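The two ideas above - KEV-listed findings jump the queue regardless of severity score, and a second exploitation feed keeps the signal alive if the first one lags - can be shown in a few lines of scan-triage logic. The following is an added example, not Holm Security’s code and not ENISA’s or CISA’s API: the KEV sets, the CVE identifiers (placeholder values in the CVE-0000-xxxx range) and the scan findings are all constructed in-memory data, standing in for what a real feed and scanner would supply.

```python
"""Fold exploited-vulnerability signals into scan prioritization.

Added example with constructed data. It assumes two KEV-style sources
(EUVD, CISA) are already loaded as sets of CVE ids; no network calls.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str      # CVE id reported by the scanner
    cvss: float   # base severity score
    asset: str    # affected host


@dataclass(frozen=True)
class KevSource:
    name: str
    cves: frozenset


def kev_index(sources):
    """Map each CVE to the names of the sources that list it as exploited."""
    index = {}
    for src in sources:
        for cve in src.cves:
            index.setdefault(cve, set()).add(src.name)
    return index


def prioritize(findings, sources):
    """Order findings KEV-first, then by CVSS descending.

    A CVE listed by ANY source counts as exploited, so the ordering degrades
    gracefully when one feed is missing or stale: the other still carries it.
    """
    index = kev_index(sources)

    def sort_key(f):
        listed = index.get(f.cve, set())
        # exploited first (0 before 1), then by number of corroborating
        # sources, then by severity, then by id for a stable order
        return (0 if listed else 1, -len(listed), -f.cvss, f.cve)

    return sorted(findings, key=sort_key)


def report(findings, sources):
    """Human-readable triage lines, in remediation order."""
    index = kev_index(sources)
    lines = []
    for f in prioritize(findings, sources):
        tag = ",".join(sorted(index.get(f.cve, []))) or "-"
        lines.append(f"{f.cve:<14} cvss={f.cvss:<4} exploited_by={tag:<10} {f.asset}")
    return lines


# Constructed sample data (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "web-01"),   # critical score, not exploited
    Finding("CVE-0000-0002", 7.5, "vpn-gw"),   # exploited per both feeds
    Finding("CVE-0000-0003", 5.3, "mail-01"),  # exploited per EUVD only
    Finding("CVE-0000-0004", 8.1, "db-02"),    # not exploited
]
EUVD_KEV = KevSource("EUVD", frozenset({"CVE-0000-0002", "CVE-0000-0003"}))
CISA_KEV = KevSource("CISA", frozenset({"CVE-0000-0002"}))

if __name__ == "__main__":
    for line in report(SAMPLE_FINDINGS, [EUVD_KEV, CISA_KEV]):
        print(line)
```

With both feeds loaded, the medium-severity CVE-0000-0003 is worked before the 9.8-scored CVE-0000-0001 because it is confirmed exploited; drop the CISA set and the order does not change, because the EUVD set still lists it, which is the redundancy argument in code form.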
What this means in the Holm Security platform
The EUVD and its KEV list are now built into every vulnerability assessment run in Holm Security’s platform. You do not need to configure a new feed, build a custom integration, or manually cross-reference an additional database. The intelligence is already there, contributing to every assessment automatically.
This is what continuous, proactive exposure management looks like in practice. As the threat landscape evolves and the EU’s regulatory expectations become sharper - and as ENISA’s authority in global vulnerability governance grows - the depth and breadth of your vulnerability intelligence will matter more, not less. We are committed to ensuring that our customers always have the most authoritative, most current, and most compliance-relevant intelligence available. Integrating the EUVD is a significant step in that direction.
See it in action
Your vulnerability assessments are only as strong as the intelligence behind them. If you are operating under NIS2, the CRA, DORA, or any framework that requires demonstrable vulnerability management - or preparing for increased regulatory scrutiny - now is the right time to ensure your exposure management program is built on the right foundations.
Book a demo to see how Holm Security’s platform, now enriched with EUVD intelligence, supports both your security operations and your compliance obligations.
FAQ
What is the ENISA European Vulnerability Management Database (EUVD)?
The EUVD is the European Union’s official vulnerability database, owned and maintained by the EU Agency for Cybersecurity (ENISA). It serves as the authoritative EU-level reference for tracking, categorizing, and communicating cybersecurity vulnerabilities - including a Known Exploited Vulnerabilities (KEV) list that identifies vulnerabilities confirmed to be actively exploited in the wild.
How is the EUVD different from the National Vulnerability Database (NVD) or CISA KEV?
The key difference is institutional. The EUVD is maintained by ENISA, the EU’s own cybersecurity agency, while the NVD and CISA KEV are maintained by U.S. federal bodies with U.S. regulatory priorities in mind. The National Vulnerability Database (NVD), maintained by NIST, is global in scope and tracks vulnerabilities regardless of where they originate or where attacks occur. CISA KEV, maintained by the U.S. Cybersecurity and Infrastructure Security Agency, is similarly broad in coverage, but was designed with U.S. federal civilian agencies in mind. The remediation deadlines attached to CISA KEV are binding for U.S. government entities, not European ones. The EUVD KEV list, by contrast, reflects ENISA’s visibility into threats targeting European organizations and maps directly to EU regulatory obligations. For companies operating in Europe, all three sources have value - but only one is tied to the regulator you answer to and the framework you are required to report under.
Why does it matter that ENISA both owns the EUVD and receives incident reports?
Because it closes the loop between security operations and compliance. The EUVD is a comprehensive registry of vulnerabilities across the board - not just the most critical ones. But when ENISA flags a vulnerability as actively exploited through its KEV classification, that is a direct signal of what regulators are already watching. When your vulnerability assessments draw from the same database ENISA maintains, your security posture and your regulatory reporting speak the same language.
How does the EUVD KEV list help with prioritization?
The EUVD tracks thousands of vulnerabilities - far more than any security team can remediate at once. The KEV list identifies the vulnerabilities that have already been confirmed as actively exploited in the wild, meaning real attackers are using them against real targets. That distinction allows security teams to move the most dangerous risks to the top of the queue, rather than working through a backlog in order of discovery or severity score alone.
Which compliance frameworks does the EUVD support?
The EUVD is relevant to any EU cybersecurity framework, but it is most directly actionable for organizations subject to NIS2 (vulnerability handling and disclosure), the Cyber Resilience Act (24-hour ENISA notification for actively exploited vulnerabilities), and DORA (ICT risk management for financial entities). It is equally relevant to organizations operating under ISO 27001, sector-specific directives, or national cybersecurity frameworks that reference ENISA guidance.
Is Holm Security’s EUVD integration automatic?
Yes. The EUVD and its KEV list are built into every vulnerability assessment run on the Holm Security platform. No additional configuration is required - the intelligence enriches your assessments automatically.
Anna Wagner
Content Marketing Manager
With a decade of international experience, Anna's strength lies in bridging the gap between the creative and the technical with strategy in mind. With previous experience in tech scale-ups and cyber security, such as at Wealth-X and BlueVoyant, Anna breaks down what you need to know so you spend less time reading between the lines.