Closing the Security Gap: ENISA’s EUVD Drives Smarter Vulnerability Management with Unified Disclosure, Detection, and Defense

TechNadu spoke with the European Union Agency for Cybersecurity (ENISA), the region’s foremost authority on digital resilience, to explore what might just be Europe’s most strategic leap in vulnerability intelligence, the launch of the European Vulnerability Database (EUVD).

Vulnerabilities remain silent in digital environments until weaponized by adversaries. They have been the source of data thefts, denial-of-service attacks, ransomware deployment, and supply chain compromise. Not to forget, reputational damage.

What happens to thousands of organizations when patches don’t arrive on time? So teams could fix the issues before they escalate and strengthen Europe’s cyber self-reliance, ENISA launched the European Vulnerability Database (EUVD).

Born out of the NIS2 Directive in May 2025, the EUVD is Europe’s hub for vulnerabilities. It goes beyond and improves response, vendor advisories, and CSIRT reports while keeping everything connected.

ENISA urges defenders to automate where possible, share what’s essential, and align fast.

But what does “effective vulnerability management” look like across a continent, with thousands of entities, dozens of languages, and a swarm of emerging threats from AI-assisted exploits?

Read on to learn how ENISA helps organizations seal critical gaps before threat actors pry them open and turn exposure into chaos.

Vishwa: What are the most pressing challenges the EU Vulnerability Database (EUVD) could solve for organizations of various sizes across Europe? And what practical advice would ENISA provide to organizations addressing vulnerability management?

ENISA: Coordinated Vulnerability Disclosure is crucial for protecting users and strengthening cybersecurity in the EU. The discovery of vulnerabilities can leave users exposed to attacks designed to steal data or to disrupt critical systems. 

The database ensures a high level of interconnection of publicly available information coming from multiple sources, such as CSIRTs, vendors, as well as existing databases. 

The EUVD integrates CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and other relevant information, which are automatically transferred into the EUVD.

Vishwa: AI-driven threats, supply chain attacks, and critical infrastructure vulnerabilities pose a growing threat to the cyber landscape. What are your recommendations for Security Operations (SecOps) regarding secure system design and testing? Can you outline practical guidelines for effective vulnerability management for organizations across the European Union, including automation in vulnerability management?

ENISA: Effective vulnerability management can be enabled through various ways, including automation. The CSAF is a standard for machine-readable security advisories. 

Such a standardised format for ingesting vulnerability advisory information simplifies triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will reduce the time required for enterprises to understand organisational impact and drive timely remediation.

ENISA’s role is to support national competent authorities that will integrate vulnerability management and coordinated vulnerability disclosure (CVD) processes in their national cybersecurity strategies and policies. 

Vishwa: What are the cybersecurity tools and immediate steps organizations in critical sectors, particularly energy, should take to prevent potential threats by effectively leveraging the EU Vulnerability Database (EUVD) for real-time, proactive vulnerability management within their existing security operations?

ENISA: The automation of vulnerability management is an important tool that can support organisations. This is based on:

• A reliable product inventory 
• The retrieval of vulnerability advisories and 
• The prioritisation of patches and mitigative measures.

The prioritisation is based on the type of vulnerabilities and criticality of the systems impacted. For critical sectors, sectorial information sharing is also of key importance.

Vishwa: With the proliferation of IoT devices and increasing reliance on Managed Security Services (MSPs), what specific attack surface concerns should organizations prioritize? How would ENISA caution businesses against inadvertently introducing new cybersecurity risks through these technologies, and what actionable first steps does it recommend, especially in light of the EU IoT certification?

ENISA: Risk management remains an important tool for classifying and assessing current risks and threats. ENISA supports EU Member States with guidance on threats and risks; these guidance documents can be found here: NIS Cooperation Group | Shaping Europe’s digital future

In order to help SMEs and businesses integrate best practices and harmonise their approach to risk management, the EU Risk Management framework also compiles the results of interoperable risk assessment at sectorial or national levels. 

By leveraging this framework, companies can better align their risk assessments with broader standards, ensuring a more cohesive and effective risk management strategy across the EU.

The ENISA threat landscape provides recommendations on top threats and looks at the emerging technologies expanding the attack surface. 

Vishwa: As a CVE Numbering Authority (CNA), focusing on vendor behavior, can you share a message for vendors who shy away from admitting vulnerability exploitation within their digital ecosystem? What approach should they adopt while addressing various stages of vulnerability reporting?

ENISA: Coordinated Vulnerability Disclosure is crucial for protecting users and strengthening cybersecurity in the EU. The discovery of vulnerabilities can leave users exposed to attacks designed to steal data or to disrupt critical systems.

The European Vulnerability Database (EUVD) stores and publishes known vulnerabilities for public use. It integrates CVE data, data provided by ICT vendors disclosing vulnerability information via advisories, and relevant information such as CISA’s Known Exploited Vulnerability Catalogue.

Vendors should provide regular vulnerability information, including remediation advice, to their downstream customers and users. Vendors should consider publishing machine-readable descriptions of their upstream dependencies to their customers using commonly available standards.

The Cyber Resilience regulation proposes to actively record exploited vulnerabilities. Currently, manufacturers often fail to provide updates to address such vulnerabilities, leaving users exposed and helpless. The new requirements intend to ensure security is applied to the whole lifecycle of a product.

The cost of cybersecurity incidents and vulnerabilities in connected devices is not borne by manufacturers or distributors. Essential cybersecurity requirements by design and default could reduce the cost of ‘bad cybersecurity’ for the users.

ENISA therefore encourages vendors to share their knowledge and awareness of exploited vulnerabilities they see emerging within their digital ecosystem and communicate the risk to the customer adequately and contact their local CSIRTs or national authority, as local CSIRTs may also support with the communication.

Vishwa: Based on ENISA’s recent threat intelligence reports, what form of AI threats are being aggressively leveraged targeting European organizations? What specific cautions and actionable advice would you give them while handling user data, and to individuals who input their details into LLMs and AI models?

ENISA: Based on ENISA's monitoring of open-source material, threat actors continue to demonstrate consistent interest in AI systems, both as tools for facilitating malicious activity and as targets for exploitation.

State-nexus and cybercriminal threat actors were observed leveraging commercial large language models (LLMs) and other open-source generative AI (genAI) models to automate social engineering activities, craft convincing synthetic audio and video content, and accelerate malicious tool development; as of the time of writing, however, most publicly reported AI-enabled threat activity involves attempts by threat actors to use consumer-grade AI tools to augment existing skills rather than achieve breakthrough capabilities

Vishwa: The persistent and growing cybersecurity skills gap across Europe is a massive undertaking given the evolution of threats and technology. What specific initiatives does ENISA undertake and recommend to various organizations to address this challenge?

ENISA: ENISA is engaged in a variety of activities which support the development of cybersecurity skills and cybersecurity preparedness to help prevent or mitigate incidents, such as:

• The European Cybersecurity Skills Framework (ECSF) is one of the mechanisms ENISA has developed to address Europe’s growing need for a unified approach to defining roles and skills in the cybersecurity field.
  • The ECSF is a cornerstone for advancing Europe’s digital future, offering a practical tool to identify and articulate the tasks, competences, and knowledge associated with key cybersecurity roles.
• Endorsed by the European Commission's Communication on the Cybersecurity Skills Academy in April 2023, the ECSF is recognized as the EU’s reference point for defining and assessing cybersecurity skills.
  • It is promoted as the common language for cybersecurity professional competencies across the EU.
• The ECSF categorises the cybersecurity workforce into 12 distinct professional profiles, detailing the role, responsibilities, required skills, and interdependencies if applicable.
  • By fostering a shared understanding of cybersecurity roles, facilitating skill recognition and supporting the development of tailored training programmes, the ECSF has become an indispensable resource for organisations, professionals, and the academia throughout Europe.
• ENISA organises different cybersecurity exercises at the local, international, and EU-wide levels. These exercises test the EU's critical IT security infrastructure and its ability to coordinate cross-border responses.
  • The Agency also develops unique cyber exercise solutions, enabling stakeholders to tailor scenarios to their specific needs and even host their own exercises.

The Awareness-Raising in a Box tool is a comprehensive solution developed by ENISA. It provides for cybersecurity awareness activities designed to meet the needs of public bodies, operators of essential services, and both large and small private companies. 

It provides theoretical and practical knowledge on how to design and implement effective cybersecurity awareness programmes, including:

• A guideline on building custom awareness programmes for internal use within an organisation.
• A guideline on creating targeted awareness campaigns for external stakeholders.
• Instructions on selecting the appropriate tools and channels to effectively reach the target audience.
• Instructions on developing Key Performance Indicators to evaluate the effectiveness of a program or campaign.
• A guide for the development of a communication strategy, crucial for achieving awareness objectives.
• An awareness-raising quiz to test comprehension and retention of key information.
• An awareness-raising game provided in different versions and styles, along with a guide on how to play.

Vishwa: Beyond resilience, can you detail how 'Cyber Europe' and other initiatives facilitate cross-border cyber collaboration, ensuring European organizations and others recover from large-scale incidents that transcend national borders?

ENISA: ‘Cyber Europe’ facilitates cross-border cyber collaboration because the pan-European exercise brings together leading cybersecurity experts from the EU and EFTA's public and private sectors, alongside European Institutions, Bodies, and Agencies, to strengthen their technical and operational capabilities.

Offering a series of large-scale, cross-border cyber crisis management exercises, Cyber Europe features complex, realistic scenarios inspired by real-case events and threats. 

ENISA develops these exercises in collaboration with European cybersecurity experts. Those exercises simulate large-scale cybersecurity incidents, escalating into cyber crises. 

They are performed to analyse advanced technical cybersecurity incidents and test participants' ability to handle complex situations and to share key information with their peers.

Participating in Cyber Europe is a great opportunity to:

• Raise awareness on cyber issues at all levels
• Identify gaps in existing operational procedures
• Test new cyber crisis management procedures or retest updated ones
• Evaluate the performance of teams under high pressure
• Identify skill gaps in teams
• Build stronger connections within the cyber response chain (internal and external)
• Develop shared understanding and terminology
• Enhance individual and collective skills, enhance resilience at the individual and team level
• Improve skills required for analysing advanced technical cybersecurity incidents
• Train how to deal with complex business continuity and crisis management situations

This exercise provides an opportunity to improve cyber incident response at all levels—strategic, operational, and technical—both nationally and internationally, without the risk of real-world consequences.

Cyber Europe 2026 will see the 8^th edition of the exercise, planned for June 2026, to test the capabilities of the rail & maritime sectors. Taking a significant step forward in strengthening the cyber preparedness of the EU’s critical infrastructure is part of ENISA’s mission to further contribute to a more secure and resilient Europe. 

Vishwa: When multiple organizations are detangling the same threat, there is fragmentation and regional splinternets of information. Can you share a future-oriented recommendation for seamlessly sharing information between governments, private companies, and research labs, considering their complementary roles?

ENISA: As a source of knowledge and experience, the private sector is an essential asset in terms of cybersecurity. This is why ENISA specifically developed the Cyber Partnership Programme (CPP) to enhance information sharing and build the cooperation needed to improve the cybersecurity landscape.

With the Cyber Partnership Programme, ENISA makes it possible to engage further with private sector organisations in order to support its mission to achieve a high common level of cybersecurity across the Union.

The Programme is focused on cooperation in relation to information exchange and situational awareness. A key objective of the programme is to improve our understanding of threats, vulnerabilities, incidents, and cybersecurity events in the Union and to further improve ENISA’s visibility on its work and expertise.

The main objectives of the Programme are: 

• To enhance preparedness and effective incident response and cooperation amongst Member States and EU institutions, including cooperation of technical, operational, and political actors during incidents or crises;
• To achieve common situational awareness before and during cyber incidents and crises across the Union;
• To support information exchange and cooperation, cross-layer and cross-border between Member States and as well as with EU institutions.

In addition, to further provide timely and accurate cyber situational awareness not only for ENISA as a recipient but also to other EUIBAs and to the Member States, ENISA has developed and operates an AI-enabled ‘Open Cyber Situational Awareness Machine’. 

This tool allows for the processing of daily amounts of data and provides aggregated and up-to-date information with regards to cyber threats.

Vishwa: As ENISA processes attack vectors, digital forensics, analyzes trends, and malware used for crimes, what information could you disclose to European entities about the pressing threats they must prepare against?

ENISA:  ENISA shares information on the cybersecurity challenges ahead of us: Reports ENISA published on the threat landscape and foresight include:

• ENISA Threat Landscape 2024
• ENISA Space Threat Landscape 2025
• ENISA Threat Landscape: Finance Sector
• ENISA Threat Landscape for DoS Attacks
• ENISA Threat Landscape: Health Sector
• ENISA Threat Landscape: Transport Sector
• Foresight Cybersecurity Threats for 2030 – Update 2024: Extended report