
EUVD Explained — What the EU Vulnerability Database Means for NIS2 Compliance

A developer's guide to the EU Vulnerability Database (EUVD): what it is, how it differs from NVD, and why it matters for NIS2 compliance.


In June 2024, the European Union Agency for Cybersecurity (ENISA) launched the EU Vulnerability Database (EUVD). Most developers outside of EU regulatory circles haven’t heard of it. That’s going to change.

If you build software that runs in Europe, or if your organization is subject to NIS2 — and far more organizations are subject to it than realize it — the EUVD is now a relevant part of your security compliance picture.

This post explains what the EUVD is, how it differs from the US-centric NVD, what NIS2 actually requires, and what practical steps developers should take.

What Is the EUVD?

The EU Vulnerability Database is a publicly accessible database of cybersecurity vulnerabilities, operated by ENISA — the European Union Agency for Cybersecurity, headquartered in Athens and Heraklion.

It was established under Article 12 of the NIS2 Directive, which mandates ENISA to establish and maintain a European vulnerability database to complement the national and sector-specific databases operated by member states.

The EUVD:

  • Aggregates vulnerability data from multiple sources, including CVE, NVD, and other national databases
  • Provides ENISA curation, context, and European-specific severity assessments
  • Tracks EU Coordinated Vulnerability Disclosure (EU CVD) disclosures
  • Supports the NIS2 vulnerability reporting obligations
  • Is freely accessible via both a web interface and a public API

Think of it as Europe’s answer to the US NIST National Vulnerability Database — but with a specifically European policy mandate and ENISA’s curation layer on top.

How EUVD Differs from NVD

The NVD (National Vulnerability Database), operated by the US National Institute of Standards and Technology (NIST), has been the global reference for vulnerability data since 2005. It provides CVE enrichment: CVSS scores, impact assessments, CWE mappings, and fix information.

The differences between EUVD and NVD are significant:

Aspect            | NVD                             | EUVD
------------------|---------------------------------|----------------------------------------
Operator          | NIST (US government)            | ENISA (EU agency)
Legal basis       | US FISMA / NIST mandate         | NIS2 Directive (EU law)
Scope             | Global                          | European context emphasis
Coordination      | Primarily US-centric            | EU Coordinated Vulnerability Disclosure
Regulatory tie-in | None direct                     | NIS2, CRA compliance
API access        | Free                            | Free
Status in 2024    | Enrichment suspended for months | Launched, actively maintained

That last row is worth emphasizing. In 2024, NIST suspended NVD enrichment due to resource constraints, leaving a backlog of thousands of CVEs without CVSS scores or impact data. For organizations that relied solely on NVD for vulnerability severity, this created genuine compliance gaps.

The EUVD launched into this context. For EU organizations, having a European-operated alternative with active ENISA maintenance is not just useful — it’s becoming expected.

What Is NIS2?

NIS2 (the Network and Information Security Directive 2) is EU legislation that came into force in January 2023. It required EU member states to transpose it into national law by October 2024.

NIS2 significantly expands the scope of the original 2016 NIS Directive. It now covers:

Essential entities (higher obligations):

  • Energy (electricity, gas, oil, district heating/cooling, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharma manufacturers, medical device makers)
  • Drinking water and wastewater
  • Digital infrastructure (IXPs, DNS providers, TLD registries, cloud providers, data centers, CDNs, trust service providers, public electronic communications networks)
  • ICT service management (B2B managed service providers, managed security service providers)
  • Public administration (central government)
  • Space

Important entities (similar requirements, lighter supervision):

  • Postal and courier services
  • Waste management
  • Manufacturing of critical products (chemicals, food, medical devices, machinery, motor vehicles, electronics)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organizations

If you’re building software for any of these sectors — or if you’re a software supplier to organizations in these sectors — NIS2 compliance affects your customers and by extension your supply chain.

What NIS2 Requires

Article 21 of NIS2 outlines the cybersecurity risk management measures that covered entities must implement. They include:

  1. Policies on risk analysis and information system security
  2. Incident handling (prevention, detection, response, recovery)
  3. Business continuity and crisis management
  4. Supply chain security — including relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development and maintenance — including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of security measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures on cryptography and encryption
  9. Human resources security, access control and asset management
  10. Use of multi-factor authentication

Points 4 and 5 are directly relevant to software composition analysis. “Supply chain security” for a software organization means knowing what third-party components you’re shipping and whether they’re vulnerable. “Vulnerability handling” means having a documented process for identifying, assessing, and remediating vulnerabilities — which requires a vulnerability database.

The EUVD is the canonical EU reference for that last part. ENISA operates it specifically to support NIS2 compliance.

EUVD + SBOM: Why Knowing Your Components Matters

A Software Bill of Materials (SBOM) is a machine-readable inventory of all components in a software product: libraries, frameworks, transitive dependencies, operating system packages, and their versions.

The EU Cyber Resilience Act (CRA) — adopted in October 2024 — mandates that manufacturers of “products with digital elements” (essentially any software product sold in the EU) must maintain and provide SBOMs. This applies to both commercial software and open-source software incorporated into commercial products.

The connection between SBOM and EUVD is direct:

  1. Generate an SBOM for your software (what components are you running?)
  2. Match SBOM components against EUVD (which of those components have known EU-context vulnerabilities?)
  3. Prioritize remediation based on ENISA severity assessments and EU regulatory context

This is exactly the workflow that OtterSight automates: Syft generates the SBOM, Grype identifies CVEs, and OtterSight enriches each finding with EUVD data.

How to Query the EUVD API

The EUVD exposes a public REST API at https://euvd.enisa.europa.eu/api/. The primary query is by CVE identifier:

GET https://euvd.enisa.europa.eu/api/vulnerability?cveId=CVE-2024-12345

The response includes:

  • ENISA identifier (if the vulnerability has an EU CVD record)
  • Description (European context)
  • CVSS scores (base, temporal, environmental)
  • Affected products
  • Fix information
  • Related advisories from EU member state CERTs/CSIRTs

For software composition analysis, the typical workflow is:

  1. Run a CVE scan (with Grype or equivalent)
  2. For each CVE found, query the EUVD API
  3. If an EUVD record exists, present the European severity assessment alongside the NVD data
  4. Flag vulnerabilities with ENISA-level severity assessments for priority treatment

This is exactly what @ottersight/cli does. When you run npx @ottersight/cli scan ., every CVE in the Grype output is cross-referenced against the EUVD API. If ENISA has a record, we surface it.

Practical Steps for Developers

Whether you’re subject to NIS2 directly or you’re building software for customers who are, here’s what you should do:

1. Generate an SBOM for Every Release

Use Syft, or integrate it into your CI pipeline:

syft . -o cyclonedx-json > sbom.json

Or use the OtterSight CLI:

npx @ottersight/cli scan . --format json > scan-report.json

Store the SBOM alongside your release artifacts. Under the CRA, you may need to provide it to customers on request.

2. Cross-Reference Against Both NVD and EUVD

Don’t rely solely on the NVD. The NVD’s enrichment gaps in 2024 demonstrated the risk of a single-source approach. The EUVD provides European context, ENISA curation, and often faster updates for vulnerabilities that EU-based researchers have disclosed.

3. Prioritize Using EPSS and KEV

Once you have a list of CVEs, don’t treat them all equally. Use:

  • EPSS score to assess exploitation probability in the next 30 days
  • CISA KEV catalog to identify actively exploited vulnerabilities
  • EUVD severity for EU regulatory context

A CVE that is KEV-listed with EPSS > 0.5 needs to be patched this sprint. A CVE with EPSS < 0.001% and no KEV entry can go in the backlog.
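Scripted, the enrichment loop from the API section (query the EUVD for each CVE in the Grype output) combined with the EPSS/KEV buckets above looks like this; it is an added example, not OtterSight's or ENISA's code. The cveId parameter is taken from the text, and the EUVD response field names (enisaId, baseScore) are placeholders, since the real field names are not given on this page.

```javascript
// Added example (not OtterSight's or ENISA's code): enrich Grype findings with
// EUVD, EPSS and KEV data and order them by the thresholds in this post.
// Assumed: the "cveId" query parameter shown above, Grype's JSON layout
// (matches[].vulnerability / .artifact) and placeholder EUVD field names.
const EUVD_API = "https://euvd.enisa.europa.eu/api/vulnerability";

// Look up one CVE in the EUVD; null means ENISA has no record for it.
async function lookupEuvd(cveId, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${EUVD_API}?cveId=${encodeURIComponent(cveId)}`);
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`EUVD lookup for ${cveId}: HTTP ${res.status}`);
  return res.json();
}

// The post's rule: KEV-listed and EPSS > 0.5 -> patch this sprint;
// not in KEV and EPSS < 0.001% (0.00001 as a fraction) -> backlog.
const EPSS_URGENT = 0.5;
const EPSS_BACKLOG = 0.00001;
const ORDER = { "this-sprint": 0, scheduled: 1, backlog: 2 };

// grype: parsed Grype JSON; euvd: {cveId: record}; epss: {cveId: score}; kev: Set.
function triage(grype, euvd, epss, kev) {
  return grype.matches
    .filter((m) => m.vulnerability.id.startsWith("CVE-")) // EUVD is keyed by CVE
    .map((m) => {
      const id = m.vulnerability.id;
      const p = epss[id] ?? 0;
      const inKev = kev.has(id);
      const rec = euvd[id] ?? null;
      let bucket = "scheduled";
      if (inKev && p > EPSS_URGENT) bucket = "this-sprint";
      else if (!inKev && p < EPSS_BACKLOG) bucket = "backlog";
      return { cve: id, component: `${m.artifact.name}@${m.artifact.version}`,
               nvdSeverity: m.vulnerability.severity, epss: p, inKev, bucket,
               euvdId: rec ? rec.enisaId : null, euvdScore: rec ? rec.baseScore : null };
    })
    .sort((a, b) => ORDER[a.bucket] - ORDER[b.bucket] || b.epss - a.epss);
}

// Constructed sample data: placeholder CVE ids, not real scan output or ENISA records.
const SAMPLE_GRYPE = { matches: [
  { vulnerability: { id: "CVE-0000-0001", severity: "High" }, artifact: { name: "libfoo", version: "1.2.3" } },
  { vulnerability: { id: "CVE-0000-0002", severity: "Medium" }, artifact: { name: "barjs", version: "4.0.1" } },
  { vulnerability: { id: "GHSA-placeholder", severity: "Low" }, artifact: { name: "bazpy", version: "0.9" } },
  { vulnerability: { id: "CVE-0000-0003", severity: "Critical" }, artifact: { name: "quxlib", version: "2.0" } },
] };
const SAMPLE_EUVD = { "CVE-0000-0001": { enisaId: "EUVD-PLACEHOLDER-1", baseScore: 8.1 } };
const SAMPLE_EPSS = { "CVE-0000-0001": 0.71, "CVE-0000-0002": 0.000004, "CVE-0000-0003": 0.12 };
const SAMPLE_KEV = new Set(["CVE-0000-0001"]);
function demo() { return triage(SAMPLE_GRYPE, SAMPLE_EUVD, SAMPLE_EPSS, SAMPLE_KEV); }
```

Keeping triage separate from lookupEuvd means a saved `grype -o json` report can be re-triaged offline once the EUVD, EPSS and KEV data have been fetched.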

4. Document Your Vulnerability Management Process

NIS2 Article 21 requires not just that you handle vulnerabilities, but that you have documented policies for doing so. Write down:

  • How frequently you scan your dependencies (schedule)
  • Who is responsible for reviewing vulnerability reports
  • What your severity thresholds are for emergency vs. scheduled fixes
  • How you track remediation

Scheduled scans in OtterSight Cloud generate the evidence trail automatically.

5. Set Up Alerting for New Critical Vulnerabilities

Vulnerability disclosure is continuous. A dependency you scanned as clean yesterday might have a KEV-listed CVE published today.

Set up notifications (via Slack, email, PagerDuty — OtterSight supports 300+ channels via Apprise) so your team is alerted immediately when a critical or high-severity vulnerability appears in your production dependencies.

How OtterSight Integrates EUVD

OtterSight is currently the only SCA scanner that directly integrates the EUVD into its enrichment pipeline.

When OtterSight processes a scan result:

  1. Syft generates a CycloneDX SBOM for your repository
  2. Grype matches SBOM components against NVD, GitHub Security Advisories, and OSV
  3. OtterSight enriches each CVE with:
    • EUVD record (if ENISA has catalogued it)
    • EPSS probability score
    • CISA KEV flag
  4. Results are displayed in a priority-ordered table with combined severity assessment

The EUVD enrichment means that when ENISA has context that the NVD lacks — EU-specific affected versions, CERT-EU advisories, or EU CVD disclosures — that information surfaces in your scan results.

The Regulatory Timeline

Here’s where the regulatory environment is heading:

  • October 2024: NIS2 transposition deadline for EU member states
  • Q3/Q4 2025: CRA delegated acts expected (detailed technical requirements)
  • 2027: CRA fully applies to manufacturers of products with digital elements
  • Ongoing: ENISA EUVD expansion and EU CVD process maturation

If you’re building software that will still be running in 2027 — and it will be — now is the time to build SBOM generation and EUVD-aware vulnerability scanning into your development workflow.

The good news: the tooling is available today, it’s open source, and it doesn’t require enterprise contracts.

Get Started with OtterSight

OtterSight brings EUVD, EPSS, KEV, and SBOM scanning together in a single tool — free CLI, hosted dashboard coming soon.

Become a Founding Member — €5/mo locked forever, 15 repos, 100 spots only. Founding Members help shape the compliance reporting features we’re building.

# Try the CLI today — no account required
npx @ottersight/cli scan .

Your dependencies are talking. The EUVD is listening. OtterSight translates.