EUVD vs CVE: towards a silent fragmentation of vulnerability governance

For the past few days, the European Union has had its own public database for computer vulnerability management. Soberly called EUVD (European Vulnerability Database), this platform, now fully operational, intends to offer real-time visibility on critical and actively exploited flaws in digital systems. While its launch is part of the European regulatory strengthening in cybersecurity (the NIS2 Directive), it mainly arrives in a context of weakening of the American CVE system, until now the global reference in the matter.

A structural response to a governance flaw

The EUVD database was announced by the European Union Agency for Cybersecurity (ENISA) in June 2024. Its objective is to improve transparency, coordination and reactivity in vulnerability handling, through a single dashboard for Member States and private actors. In particular, it makes it possible to follow critical vulnerabilities in real time, to verify their exploitation status and to access the recommended mitigation measures directly.

This initiative is part of a European desire to strengthen its own capacities, while the United States is experiencing a significant weakening of its technical governance in cybersecurity. The Common Vulnerabilities and Exposures (CVE) program, historically managed by MITRE with the support of CISA, has seen its funding threatened several times. At the end of April, its maintenance was only guaranteed in extremis, in a climate of uncertainty.

A shift in the balance of standards

For more than twenty years, the CVE has established itself as the global reference for vulnerability management. Each critical flaw received a standardized identifier, integrated into the NVD (National Vulnerability Database), accessible to the public. This system allowed fluid coordination between vendors, researchers, governments and businesses.

But for several months, the model has shown signs of saturation: publication delays, financing difficulties, a slowdown in updates and, more recently, the removal of public alerts from the CISA website. From now on, these are relayed by RSS feed or via the social network X, a change which calls into question the commitment of the US administration to maintaining continuous transparency.

In this partial vacuum, the European Union has deployed a different approach, more integrated into its institutions and its imperatives of sovereignty. The EUVD also incorporates CVE identifiers, but associates them with its own repository, thus entrenching the coexistence of several standards.

Towards a fragmentation of global normalization?

The stakes go beyond operational efficiency. The emergence of several competing vulnerability databases could ultimately pose interoperability problems, in particular for companies operating internationally. While ENISA remains for the moment a CVE Numbering Authority (CNA), capable of generating identifiers within the framework of the CVE system, it acknowledges that it has no visibility on the evolution of the American program beyond March 2025, the end date of the current contract between CISA and MITRE.

Ultimately, the parallel existence of the NVD and the EUVD, but also of Chinese standards such as the CNNVD (China National Vulnerability Database), could redraw the fault lines of cyber governance, at the risk of a lasting fragmentation of practices and tools.

An issue of sovereignty, but also of readability

Behind the technical issue hides a strategic dimension. The ability to identify, classify and handle vulnerabilities now constitutes a sovereign competence, in the same way as the protection of critical infrastructure or cybersurveillance. The European Union seems to want to assume this responsibility by creating its own standards, rather than depending on foreign infrastructure.