National Vulnerability Database (NVD)
The National Vulnerability Database (NVD) is the US government's comprehensive repository of CVE records enriched with CVSS severity scores, CWE classifications, and CPE product identifiers, maintained by NIST. It is the primary machine-readable vulnerability intelligence source used by SCA tools and vulnerability scanners globally, including by EU manufacturers complying with the CRA.
What Is the National Vulnerability Database?
The National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST), is the world's most widely used vulnerability intelligence repository. It builds on the CVE list maintained by MITRE, enriching each CVE entry with: a CVSS v3.x base score and vector string for severity assessment; Common Weakness Enumeration (CWE) classifications identifying the underlying software flaw type; Common Platform Enumeration (CPE) product identifiers for machine-matching against affected products; and reference links to vendor advisories and proof-of-concept resources. NVD data is freely available via a public API and is the primary data source for most commercial and open-source vulnerability management tools.
Why the NVD Is Relevant to CRA Compliance
The CRA requires manufacturers to monitor for vulnerabilities in their products and components and to address them without undue delay. The NVD is the global reference database that most vulnerability scanning and SCA tools use to identify known vulnerabilities in software components. For EU manufacturers, maintaining a subscription to NVD data feeds — either directly via the NIST API or via tools that consume it — is the practical foundation of any vulnerability monitoring programme. CVSS scores from the NVD also provide the standardised severity ratings that manufacturers should use to prioritise remediation and to communicate vulnerability severity to users in security advisories.
How Manufacturers Use the NVD
Manufacturers integrate NVD data into their vulnerability management workflow in several ways: (1) SCA tools query the NVD API to match components in a product's SBOM against known CVEs; (2) vulnerability scanners use NVD data to identify unpatched software versions; (3) PSIRT teams use NVD CVSS scores to prioritise remediation effort; (4) security advisories reference NVD CVE identifiers to provide users with standardised identifiers for vulnerabilities being addressed; and (5) CSAF advisories include NVD-sourced CVSS data to convey severity. The NVD's CPE dictionary helps automate the matching of disclosed vulnerabilities to specific product versions in the manufacturer's SBOM.
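The SBOM-to-CVE matching in step (1) works on the CPE match ranges carried inside each NVD record, and step (3) reads the CVSS data from the same record. The following Python is an added example, not code from this page or from CVD Portal: it parses a constructed response in the shape of the NVD API 2.0 /cves/2.0 endpoint (placeholder vendor, product and CVE identifiers) and reports which SBOM components fall inside a vulnerable version range, while records that NVD has not yet analysed (and which therefore carry no CPE configurations) are reported for manual triage rather than silently skipped.

```python
import json

# Constructed sample shaped like an NVD API 2.0 /cves/2.0 response (not real NVD data);
# vendor, product and CVE identifiers are placeholders.
NVD_RESPONSE = json.loads("""{"vulnerabilities": [
 {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
   "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {"baseScore": 9.8,
     "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
   "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
   "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true,
     "criteria": "cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"}]}]}]}},
 {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis",
   "metrics": {}, "weaknesses": [], "configurations": []}}]}""")

def _ver(s):
    return tuple(int(p) for p in s.split("."))

def cpe_match_applies(match, vendor, product, version):
    """True if one cpeMatch entry covers the SBOM component (vendor, product, version)."""
    f = match["criteria"].split(":")  # cpe:2.3:part:vendor:product:version:update:...
    if not match.get("vulnerable") or f[3] != vendor or f[4] != product:
        return False
    v = _ver(version)
    if f[5] not in ("*", "-") and _ver(f[5]) != v:  # exact-version criteria
        return False
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    return ((lo_inc is None or v >= _ver(lo_inc)) and (lo_exc is None or v > _ver(lo_exc))
            and (hi_inc is None or v <= _ver(hi_inc)) and (hi_exc is None or v < _ver(hi_exc)))

def match_sbom(components, response):
    """One finding per (CVE, affected component). Records NVD has not analysed yet carry
    no CPE configurations, so they cannot be auto-matched and are reported for triage."""
    findings = []
    for item in response["vulnerabilities"]:
        cve = item["cve"]
        if not cve.get("configurations"):
            findings.append({"cve": cve["id"], "status": cve.get("vulnStatus"),
                             "component": None, "score": None, "action": "manual triage"})
            continue
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = v31[0]["cvssData"]["baseScore"] if v31 else None
        cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]]
        for vendor, product, version in components:
            if any(cpe_match_applies(m, vendor, product, version) for cfg in cve["configurations"]
                   for node in cfg["nodes"] for m in node["cpeMatch"]):
                findings.append({"cve": cve["id"], "status": cve["vulnStatus"], "cwe": cwes,
                                 "component": f"{product}@{version}", "score": score, "action": "remediate"})
    return findings
```

Against a live feed the same response shape is returned by querying the NVD API with the cpeName or cveId parameters; the version comparison here assumes plain dotted numeric versions, so SBOM entries with suffixes such as release candidates need a fuller version parser.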
Common Mistakes
Manufacturers relying solely on the NVD may miss vulnerabilities that are disclosed in vendor advisories or GitHub Security Advisories (GHSA) before NVD analysis is complete — NVD enrichment can lag CVE publication by days or weeks. The NVD backlog issues experienced in 2024 highlighted this risk. Manufacturers should supplement NVD monitoring with the OSV (Open Source Vulnerabilities) database and direct vendor advisory subscriptions for critical components. Another error is treating NVD CVSS base scores as definitive severity ratings without adjusting them with environmental and temporal metrics that reflect the product's specific deployment context.
Frequently asked
Is the NVD a European database and does it cover EU-relevant vulnerabilities?
The NVD is a US government database maintained by NIST, but it is a global resource covering vulnerabilities in software and hardware products used worldwide. ENISA and the European Commission reference NVD CVE data in their guidance materials. EU manufacturers should use the NVD as a primary vulnerability intelligence source, supplemented by ENISA's own vulnerability resources, the OSV database for open-source components, and relevant national CSIRT advisories.
How does the NVD relate to the CVE list?
The CVE (Common Vulnerabilities and Exposures) list, maintained by MITRE and administered through CVE Numbering Authorities (CNAs), is the authoritative identifier system for publicly disclosed vulnerabilities. The NVD takes CVE records from MITRE and enriches them with CVSS severity scores, CWE classifications, CPE product mappings, and reference links. The CVE list provides the identifiers; the NVD provides the enriched analytical data that makes those identifiers actionable for vulnerability management.
What should manufacturers do when the NVD has not yet scored a newly published CVE?
There is frequently a lag between CVE publication on the MITRE list and the NVD completing its analysis and assigning a CVSS score. Manufacturers should not wait for NVD enrichment before beginning vulnerability assessment. If a CVE affects a component in a shipped product, manufacturers should conduct their own preliminary severity assessment using the available description, vendor advisory, and CVSS calculator — and initiate triage immediately. Waiting for NVD completion before acting can cause manufacturers to exceed the CRA's 'without undue delay' remediation standard.