The Great Fragmentation: What the New EU Vulnerability Database Means for the EU and Post Brexit UK

For two decades, the cybersecurity world has relied on a single source of truth: the US National Vulnerability Database (NVD). If a vulnerability existed, it had a CVE ID, and the NVD told you how bad it was. But in 2024 and 2025, that foundation cracked. Funding disputes and massive backlogs left the NVD largely stagnant, forcing the world to wake up to a dangerous reality: we had a single point of failure for global digital security.

In response, the European Union has just launched the European Vulnerability Database (EUVD), a move that signals a permanent shift toward digital sovereignty. But where does this leave the UK, caught between a faltering US giant and a new European fortress it has just left?

What do these developments mean for vulnerability programs in the EU and the UK?

🇪🇺 The EU Perspective: Strategic Autonomy & Resilience

For the European Union, the launch of the EUVD (managed by ENISA) is not just a technical backup plan; it is a declaration of independence.

1. Decoupling from US Instability

The recent Reuters reports on US funding running out for the NVD highlighted a critical risk: European security cannot depend on the US Congress passing a budget. The EUVD allows European critical infrastructure operators (under the NIS2 Directive) to maintain situational awareness even if the US system goes dark. EU-based organizations will likely start prioritizing EUVD data for compliance, especially as it will be tailored to European regulatory frameworks like the Cyber Resilience Act (CRA).

2. A “Regulated” Vulnerability Ecosystem

Unlike the US model, which is largely community-driven and voluntary, the EUVD is backed by legislation. The Cyber Resilience Act mandates that vendors report exploited vulnerabilities to ENISA within 24 hours. The EUVD will likely become the fastest source of truth for known exploited vulnerabilities (KEV) in Europe, potentially outpacing the NVD. Security teams in the EU will need to retool their scanners to ingest EUVD feeds, not just NVD feeds.

3. The “Brussels Effect” on Disclosure

The EU is setting a new global standard. By forcing vendors to disclose vulnerabilities to do business in the EU market, the EUVD will effectively become a global database. Global vendors (Microsoft, Apple, Cisco) will feed the EUVD to maintain market access, making the EU a “super regulator” of vulnerability data.

🇬🇧 The UK Perspective: The “Sovereignty Gap”

For the UK, this development exposes the awkward reality of the post-Brexit landscape. The UK is no longer part of ENISA and therefore has no seat at the table for the governance of the EUVD, yet it faces the same risks from the NVD's instability.

1. Risk of Information Asymmetry

While the EUVD is publicly accessible, the intelligence sharing behind it (among EU CSIRTs) is a closed loop for Member States. The UK National Cyber Security Centre (NCSC) is world-class, but it is now an "outsider" looking in. UK vulnerability managers may find themselves checking three places for the truth: the US NVD (for legacy coverage and completeness), the EUVD (for speed and regulatory alignment), and NCSC advisories (for national context). This increases the operational burden on UK security teams.

2. Reliance on “Five Eyes” vs. Geography

The UK has traditionally leaned on its "Five Eyes" intelligence partnership with the US. However, if the US NVD continues to degrade due to funding issues, that partnership offers little help for routine vulnerability management. The UK may be forced either to essentially "freeload" off the EU's open data or to invest heavily in bolstering its own sovereign vulnerability tracking capability, a costly endeavor that duplicates effort.

3. Regulatory Divergence for UK Businesses

UK businesses selling into the EU must still comply with the EU's Cyber Resilience Act and report to ENISA/EUVD, but they also have to follow UK-specific guidelines (like the PSTI Act). This creates a "double reporting" burden. A vulnerability found in a UK banking app might need to be reported to the UK Information Commissioner and, if the bank has EU customers, potentially to EU authorities as well, with different timelines and formats.

What Should You Do Now?

The era of a single global vulnerability database is over. We are moving toward a multipolar world of threat intelligence (and on so many other fronts).

If you are a CISO or Security Manager (EU or UK):

  • Diversify your Feeds: Do not rely solely on NVD/CVE data. Ensure your Vulnerability Management (VM) tools can ingest data from the new EUVD.

  • Update Playbooks: Your incident response plan likely says "Patch Critical vulnerabilities (CVSS > 9.0)." You need to update this to account for where that score comes from. A "Medium" in the US might be "Critical" in the EU due to different risk weightings (e.g., privacy impact).

  • Monitor the UK’s Move: Watch closely for UK counterparts to the Cyber Resilience Act. The UK will likely attempt to align closely with the EU standards to reduce friction for business, but the reporting mechanisms will differ.

  • Explore commercial options such as Vulncheck to enrich your intelligence feeds and provide a different perspective.
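The first two recommendations above (ingest more than one feed, and make the "patch Critical" rule aware of which source produced the rating) come down to one piece of plumbing: merge records for the same CVE from several sources, keep the worst rating any source assigned, and flag anything any source reports as exploited. The following is an added illustration, not code from the original post or from any of the databases it discusses. Every record format in it is constructed for the example; the field names (`cvss`, `cve_id`, `actively_exploited`, `urgency`, and so on) are invented and do not describe the real NVD, EUVD or NCSC feed schemas, and the CVE identifiers are placeholders.

```python
"""Merge vulnerability records from several feeds into one prioritised view.

All feed formats below are constructed for this example and are NOT the real
NVD, EUVD or NCSC schemas. The point is the merge logic: one row per CVE, the
worst severity seen across sources, and an 'exploited' flag if any source
reports exploitation.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    cve: str
    severities: dict[str, str] = field(default_factory=dict)  # source -> label
    exploited_by: set[str] = field(default_factory=set)       # sources flagging exploitation

    @property
    def worst_severity(self) -> str:
        """Highest rating any source gave this CVE."""
        return max(self.severities.values(), key=SEVERITY_RANK.__getitem__)

    @property
    def exploited(self) -> bool:
        return bool(self.exploited_by)


# Constructed sample feeds (invented field names and placeholder CVE ids).
NVD_LIKE = [
    {"cve": "CVE-0000-0001", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "cvss": 5.3},  # rated "Medium" by this source ...
]
EUVD_LIKE = [
    # ... but "Critical" and actively exploited according to this one
    {"cve_id": "CVE-0000-0002", "severity": "critical", "actively_exploited": True},
    {"cve_id": "CVE-0000-0003", "severity": "high", "actively_exploited": False},
]
NCSC_LIKE = [
    {"id": "CVE-0000-0003", "urgency": "medium"},
]


def merge(nvd: list[dict], euvd: list[dict], ncsc: list[dict]) -> dict[str, Finding]:
    """Normalise each constructed feed into Finding objects keyed by CVE id."""
    findings: dict[str, Finding] = {}

    def get(cve: str) -> Finding:
        return findings.setdefault(cve, Finding(cve))

    for rec in nvd:
        get(rec["cve"]).severities["nvd"] = cvss_to_severity(rec["cvss"])
    for rec in euvd:
        f = get(rec["cve_id"])
        f.severities["euvd"] = rec["severity"].lower()
        if rec.get("actively_exploited"):
            f.exploited_by.add("euvd")
    for rec in ncsc:
        get(rec["id"]).severities["ncsc"] = rec["urgency"].lower()
    return findings


def prioritise(findings: dict[str, Finding]) -> list[str]:
    """Exploited first, then by worst severity across sources, then by CVE id."""
    ordered = sorted(
        findings.values(),
        key=lambda f: (-int(f.exploited), -SEVERITY_RANK[f.worst_severity], f.cve),
    )
    return [f.cve for f in ordered]


def patch_now(findings: dict[str, Finding]) -> list[str]:
    """The 'patch Critical' playbook rule applied to the worst rating from ANY
    source, plus anything any source reports as exploited."""
    return [
        cve for cve in prioritise(findings)
        if findings[cve].exploited or findings[cve].worst_severity == "critical"
    ]


if __name__ == "__main__":
    merged = merge(NVD_LIKE, EUVD_LIKE, NCSC_LIKE)
    for cve in prioritise(merged):
        f = merged[cve]
        print(f"{cve}: worst={f.worst_severity:<8} exploited={f.exploited} sources={f.severities}")
    print("patch now:", patch_now(merged))
```

Run as written, the placeholder CVE-0000-0002 is what the playbook point is about: it would be ignored by an "NVD CVSS > 9.0 only" rule (5.3 is "Medium"), but the merged view ranks it first because another source rates it "Critical" and reports it exploited. Swapping the constructed feeds for real ones means writing one small normaliser per source into the same `Finding` shape; the prioritisation logic stays the same.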

It will be interesting to see how things develop and whether the UK is going to build its own vulnerability database…