
Europe Launches EUVD to Challenge CVE, but Can It Deliver Real-Time Defense?

In a move signaling Europe’s push for cybersecurity sovereignty, the EU Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD)—a bold attempt to rethink how vulnerability intelligence (VI) is curated, distributed, and trusted. But while the effort underscores growing frustration with legacy systems like MITRE’s CVE program, many industry voices caution that meaningful disruption will take more than a new database—it will require a complete transformation of how we track and act on software risk.


The EUVD debuts at a moment of acute uncertainty for the U.S.-led Common Vulnerabilities and Exposures (CVE) system. Its recently announced contract extension only runs through March 2026, raising alarms among security professionals who rely on CVE and the National Vulnerability Database (NVD) for global coordination. Backlogs, funding volatility, and delays have plagued both platforms—creating dangerous blind spots in an age of zero-day exploits and mass ransomware campaigns.


“This is a wake-up call for the global cybersecurity community,” said Tom Hofmann, Chief Intelligence Officer at Flashpoint. “Organizations can’t afford to depend on delayed or incomplete data when critical vulnerabilities are being exploited in real time.”


A New Database, Old Expectations?


At its core, the EUVD is positioned as a European counterpart, or alternative, to the CVE system. It’s public, centralized, and part of the EU’s broader ambition to shape digital sovereignty. But critics argue that unless the platform offers deeper context, faster updates, and better risk modeling, it risks replicating the same structural weaknesses as its predecessors.


“The industry doesn’t just need coverage—we need actionability,” Hofmann added. “At Flashpoint, we track over 400,000 vulnerabilities, including more than 4,500 with known exploits or in-the-wild activity. That’s the kind of real-time intelligence defenders need on the frontlines.”


By comparison, EUVD currently tracks around 1,266 known exploited vulnerabilities—a number dwarfed by commercial offerings and even the U.S. CISA’s KEV catalog (1,377). The implication: scope matters, but speed, relevance, and depth matter more.


Legacy Systems Under Fire


CVE and NVD have long been considered the backbone of vulnerability classification, but their effectiveness has come under scrutiny. Industry experts say the systems—originally designed for a different era—have not evolved fast enough to handle today’s complex threat landscape, which includes widespread supply chain attacks and highly targeted exploits.


Part of the problem is structural. CVE is managed by MITRE under U.S. government sponsorship, making it subject to political and budgetary flux. The EU’s decision to build its own system stems in part from this instability—but also from years of perceived stagnation.


Despite this, Flashpoint notes that the EU’s effort isn’t just a reactive move. EUVD has been in development since a 2016 EU directive and gained further traction with policy mandates in early 2024, well before the current CVE funding uncertainties drew attention in Washington.


A Long Road Ahead


The introduction of EUVD is, at the very least, a positive signal that vulnerability intelligence is entering a new phase—one driven by resilience and regional autonomy. But can it deliver innovation fast enough to be more than a symbolic shift?


Flashpoint’s take is blunt: the security stakes are too high to wait. Its VulnDB platform, pitched as “the world’s most comprehensive and independent vulnerability intelligence resource,” emphasizes proactive discovery, enriched context, and exploitability modeling. It pulls from thousands of sources worldwide—without waiting for vendor confirmation or government publication schedules.


“The challenge isn’t just having a database—it’s having the right intelligence, at the right time, in the right context,” said Hofmann. “The future of vulnerability management is real-time, not retrospective.”


Bottom Line


The EUVD may mark a turning point in the decentralization of global vulnerability tracking, but it’s entering a crowded—and critical—arena. As defenders race to patch, prioritize, and protect, they’ll be watching closely to see if EUVD evolves into a true game-changer… or just another node in an outdated system.


Until then, security leaders seem united on one point: trusting a single source for vulnerability data is no longer viable.
