European Vulnerability Database (EUVDB)
The European Vulnerability Database (EUVDB) is an EU-level vulnerability repository operated by ENISA under the Cyber Resilience Act. It aggregates vulnerability notifications from manufacturers, national CSIRTs, and security researchers, providing a centralised European counterpart to the US National Vulnerability Database.
What Is the European Vulnerability Database?
The European Vulnerability Database (EUVDB) is a centralised EU vulnerability registry established under Article 12 of the Cyber Resilience Act and operated by ENISA. It serves as the primary EU-level repository for vulnerability information about products with digital elements sold on the EU market. The EUVDB aggregates: vulnerability notifications submitted by manufacturers per CRA Article 14 obligations; reports from national CSIRTs; and information from other sources including CVE databases and security researchers. The database is intended to provide EU market participants, regulators, and the security community with a comprehensive view of the vulnerability landscape for EU-market products — complementing but not replacing the US NVD/CVE programme.
Manufacturer Notification Obligations to EUVDB
CRA Article 14 requires manufacturers to notify ENISA (and, through ENISA, the EUVDB) when they become aware of an actively exploited vulnerability in their product. The notification timeline is: an early warning within 24 hours of becoming aware of the active exploitation; a fuller vulnerability notification within 72 hours; and a final report within 14 days, including details of the vulnerability, affected products, and remediation status. These notifications feed the EUVDB. Manufacturers must also report any severe incident that could affect the security of their product in the EU market, separate from individual vulnerability notifications. These obligations apply in addition to any NIS2 incident reporting obligations that may apply to the manufacturer as an operator.
EUVDB vs NVD: How They Relate
The US National Vulnerability Database (NVD), operated by NIST and fed by the CVE programme, is the dominant global vulnerability reference. The EUVDB is designed to complement rather than replace the NVD/CVE system. The CRA explicitly states that ENISA shall cooperate with the CVE programme and other international vulnerability databases to avoid duplication. In practice, many vulnerabilities reported to the EUVDB will also be assigned CVE identifiers and appear in the NVD. The EUVDB adds EU-specific context: which products are on the EU market, which market surveillance authorities (MSAs) have been notified, and what remediation status has been reported by manufacturers operating under the CRA. Manufacturers should treat CRA notification as additional to, not a replacement for, CVE assignment.
Using the EUVDB for Compliance and Intelligence
Manufacturers can use the EUVDB proactively as a vulnerability intelligence source. By monitoring EUVDB entries for components used in their products (cross-referenced against their SBOM), manufacturers can identify upstream vulnerabilities they need to assess and potentially patch. The EUVDB also provides visibility into how competitors and component suppliers are handling their CRA obligations — a useful market intelligence tool. From a compliance perspective, the EUVDB serves as the primary record of a manufacturer's notification history. Manufacturers that have submitted timely and complete notifications demonstrate proactive compliance behaviour to MSAs. Gaps in notification history — vulnerabilities known to the industry but absent from the manufacturer's EUVDB submissions — may attract MSA attention.
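The SBOM cross-referencing described above, as an added example that is not code from ENISA or CVD Portal: it matches the components of a CycloneDX-style SBOM against vulnerability records by package URL and triages each match. The SBOM, the record field names (`id`, `package`, `fixed_in`) and the `EXAMPLE-` identifiers are constructed for illustration, and versions are assumed to be dotted-numeric.

```python
import json

# Constructed CycloneDX-style SBOM fragment (sample data, not a real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "libexample", "version": "2.4.1", "purl": "pkg:generic/libexample@2.4.1"},
  {"name": "tinyhttp", "version": "1.10.0", "purl": "pkg:npm/tinyhttp@1.10.0"},
  {"name": "fwcore", "version": "r7-beta", "purl": "pkg:generic/fwcore@r7-beta"}]}"""

# Constructed vulnerability records; the field names are hypothetical, so map
# them to whatever export or feed format you actually consume.
FEED = [
    {"id": "EXAMPLE-0001", "package": "pkg:generic/libexample", "fixed_in": "2.5.0"},
    {"id": "EXAMPLE-0002", "package": "pkg:npm/tinyhttp", "fixed_in": "1.9.3"},
    {"id": "EXAMPLE-0003", "package": "pkg:generic/fwcore", "fixed_in": "8.0.0"},
]

def parse_version(text):
    """Return a tuple of ints for dotted numeric versions, else None."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdecimal() for p in parts) else None

def package_key(purl):
    """Drop subpath, qualifiers and version from a purl, keeping type and name."""
    for sep in ("#", "?", "@"):
        purl = purl.split(sep, 1)[0]
    return purl

def triage(sbom_json, feed):
    """Return (record id, component, status) for every SBOM/feed match."""
    by_pkg = {}
    for rec in feed:
        by_pkg.setdefault(rec["package"], []).append(rec)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for rec in by_pkg.get(package_key(comp.get("purl", "")), []):
            have = parse_version(comp.get("version", ""))
            fixed = parse_version(rec["fixed_in"])
            if have is None or fixed is None:
                status = "review"        # cannot compare: keep it for a human
            elif have < fixed:
                status = "affected"      # numeric compare, so 1.10.0 > 1.9.3
            else:
                status = "not_affected"
            findings.append((rec["id"], comp["name"], status))
    return findings

if __name__ == "__main__":
    for finding in triage(SBOM_JSON, FEED):
        print(finding)
```

Components whose version cannot be parsed are reported as `review` rather than dropped, so an unusual version string never hides a match.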
Frequently asked
Is the EUVDB publicly accessible?
The CRA provides for a publicly accessible portion of the EUVDB containing non-sensitive vulnerability information, similar to the public NVD. Sensitive details — such as information about vulnerabilities that have not yet been patched or that relate to active law enforcement investigations — may be restricted to authorised parties including national CSIRTs and MSAs. The public interface is expected to be searchable by product, manufacturer, and CVE identifier.
Does the EUVDB assign its own vulnerability identifiers?
The EUVDB coordinates with the CVE programme and is expected to use CVE identifiers as the primary reference for vulnerabilities rather than creating a separate EU-specific numbering system. ENISA has engaged with MITRE and CVE Numbering Authorities (CNAs) to ensure EU market vulnerabilities receive CVE identifiers that flow into both systems. Manufacturers reporting to the EUVDB should include any existing CVE identifier in their notification.
How does a manufacturer submit a notification to the EUVDB?
ENISA operates the EUVDB submission portal where manufacturers can register and submit vulnerability notifications. The submission interface supports both manual entry and structured data formats including CSAF. For manufacturers using CVD Portal, the platform's CSAF advisory generation feature creates output that can be directly submitted to the EUVDB portal, minimising manual work and ensuring completeness of required fields.