Skip to content
  • There are no suggestions because the search field is empty.

What is the EU Vulnerability Database (EUVD) and Known Exploited Vulnerabilities (KEV) list?

The EU Vulnerability Database (EUVD)

The European Union Vulnerability Database (EUVD), maintained by ENISA, is a central component of the EU’s cybersecurity framework, designed to support coordinated vulnerability disclosure and improve situational awareness across member states. In the context of both the NIS2 directive, and the Cyber Resilience Act (CRA), the EUVD serves as a trusted, authoritative platform for collecting, enriching, and disseminating information about vulnerabilities affecting ICT products and services.

NIS2 and CRA

Under NIS2, entities are required to strengthen their vulnerability handling and disclosure processes, ensuring that significant vulnerabilities are identified, managed, and reported in a timely manner. The EUVD facilitates this by providing a common reference point for vulnerability intelligence, enabling organizations and authorities to access consistent and up-to-date information. Similarly, the CRA introduces obligations for manufacturers and vendors to actively manage vulnerabilities throughout the lifecycle of their products, including reporting actively exploited vulnerabilities. The EU Cyber Resilience Act (CRA) mandates that manufacturers report actively exploited vulnerabilities in digital products within 24 hours of awareness, with a full report due within 72 hours.

Known Exploited Vulnerabilities (KEV)

A key feature of the EUVD is its categorization of vulnerabilities, including the designation of KEV (Known Exploited Vulnerabilities). Vulnerabilities that are confirmed to be actively exploited in the wild will be reported to the EUVD under this KEV category. This ensures heightened visibility and prioritization, allowing organizations to quickly identify and remediate the most critical threats. By aligning vulnerability reporting under NIS2 and CRA with the EUVD—particularly through the KEV classification—the EU strengthens its collective ability to respond to real-world cyber threats and enhances the overall resilience of the digital ecosystem.

The EUVD KEV list is found here (external link). Read more about ENISA here (external link).

EUVD and the KEV function are some of many sources of threat intelligence used by Holm to enrich vulnerability data and insights in Security Center.