Beyond NVD: bringing EU and UK vulnerability context to every CVE
Most vulnerability data is tracked by US-based organisations — NVD assigns the CVE‑ID, MITRE owns the CWE catalogue, CISA decides what counts as “actively exploited.” That’s fine for US infrastructure. It misses things if you’re running operations in Europe or the UK, where a parallel set of authorities and regulations applies.
The US-centric default
If you’ve been reading CVE write-ups for a while, you’ve probably absorbed the US default without noticing it. NVD is run by NIST. CWE is run by MITRE under a US Department of Homeland Security contract. The KEV catalogue is curated by CISA. Even the “vendor advisory” you click through to is usually a US-headquartered vendor speaking to a US audience. The data is solid — we still build most of this site on top of it — but it’s blind to a parallel European layer that NIS2, the Cyber Resilience Act, and DORA now make legally relevant for any organisation operating inside the EU. UK organisations live under the post-Brexit UK NIS Regulations 2018 and look to NCSC, not CISA, for guidance on what’s being exploited against UK targets.
What ENISA and NCSC actually add
ENISA published the European Vulnerability Database (EUVD) in 2025 under NIS2 Article 12. It doesn’t replace NVD; it re-keys CVEs with EUVD identifiers and layers in links to national CSIRT advisories from BSI (Germany), ANSSI CERT-FR (France), CCN-CERT (Spain), NCSC-NL, CERT-EU, CERT-PL, and a dozen smaller national teams. For some products — industrial control systems, energy, telecoms — these national teams go further than NVD’s vendor-supplied data. Our backfill found EU CSIRT references on about 1,450 of 350,000 CVEs to date — sparse overall, but concentrated on the CVEs that matter most to European operators.
The UK NCSC doesn’t maintain a KEV-style structured list. It publishes individual advisories — about ten a month that cite specific CVEs — usually high-impact, often co-signed with CISA. We scrape the public RSS feed under the UK Open Government Licence and extract CVE references from advisory bodies, so any CVE referenced by NCSC now gets a UK chip on its detail page.
Regulations differ. Exploit paths differ. Readers differ.
Three regulatory regimes shape what an EU or UK organisation has to do when a vulnerability hits them: NIS2 (24-hour early warning, 72-hour update, 1-month final report for operators of essential and important entities); the EU Cyber Resilience Act (mandatory coordinated disclosure for manufacturers of products with digital elements once exploitation is known); DORA (4-hour initial notification for major ICT-related incidents at EU financial entities). The UK NIS Regulations 2018 impose broadly equivalent timelines on UK operators of essential services. None of this shows up on a default US-centric CVE write-up — but for the right reader it changes the urgency and the obligations a CVE triggers.
What we changed
- A European-emphasis toggle in the nav. It defaults ON when your browser advertises a European locale (DE, FR, ES, IT, NL, PL, PT, the Nordics, en-GB, en-IE, and others). It defaults OFF for everyone else. Anyone can flip it either way and the choice persists.
- An “EU & UK references” section on every CVE detail page. Always rendered (not toggle-gated): ENISA EUVD entry, national-CSIRT advisory links with country flags, NCSC advisory links if any.
- An NCSC-Alert chip next to the existing CISA KEV chip whenever the UK NCSC has flagged the CVE in an advisory.
- Inline regulatory-context blurbs on high-severity CVEs — collapsed by default, auto-expanded when the toggle is ON. They explain what NIS2, CRA, DORA, or UK NIS Regs timelines apply if your organisation is in scope.
- A “European context this week” panel on the homepage (toggle-gated): how many CVEs published this week have EU advisories, EUVD-flagged exploitation counts, and the most active national CSIRTs over the last month.
- The same code path on all three sites. kjoelensecurity.com, security-resilience.ai, and ai-hype.ai run identical logic; the toggle lives in every header. The only differences between the sites stay where they belong — in branding and visuals.
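As an added example (not the site's own code), here is one way the toggle default described above can be derived server-side from the browser's Accept-Language header with nothing stored; the region set is only the subset the post names, and treating region-less tags by primary language is an assumption:

```python
import re

# Region subtags the post names explicitly; the site's real list is longer (assumption: subset).
EU_UK_REGIONS = {"DE", "FR", "ES", "IT", "NL", "PL", "PT",      # named in the post
                 "DK", "SE", "NO", "FI", "IS",                  # the Nordics
                 "GB", "IE"}                                    # en-GB, en-IE
# Region-less tags we treat as European by primary language (assumption, not the site's rule).
EU_LANGUAGES = {"de", "fr", "es", "it", "nl", "pl", "pt", "da", "sv", "nb", "nn", "fi", "is"}

_QVALUE = re.compile(r"^q=(\d(?:\.\d{0,3})?)$")

def parse_accept_language(header):
    """Return [(tag, q)] ordered by q descending, then by position; q=0 entries are dropped."""
    ranked = []
    for pos, part in enumerate(header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        tag = pieces[0]
        if not tag:
            continue
        q = 1.0                                   # RFC 7231 default weight
        for param in pieces[1:]:
            m = _QVALUE.match(param.lower())
            if m:
                q = float(m.group(1))
        if q > 0:                                 # q=0 means "not acceptable"
            ranked.append((pos, tag, q))
    ranked.sort(key=lambda t: (-t[2], t[0]))
    return [(tag, q) for _, tag, q in ranked]

def is_european_tag(tag):
    """True if the tag's region (or, with no region, its language) is in the European set."""
    if tag == "*":                                # wildcard carries no locale signal
        return False
    subtags = tag.split("-")
    region = next((s.upper() for s in subtags[1:] if len(s) == 2 and s.isalpha()), None)
    if region is not None:
        return region in EU_UK_REGIONS
    return subtags[0].lower() in EU_LANGUAGES

def default_toggle_state(header):
    """ON if the browser's most-preferred acceptable language is European, else OFF.

    Nothing is stored: only the header value is read, so no cookie or IP handling."""
    ranked = parse_accept_language(header or "")
    if not ranked:
        return "OFF"
    return "ON" if is_european_tag(ranked[0][0]) else "OFF"
```

Note that pt-BR and en-US both resolve to OFF because the region, not the language, decides; the user's explicit choice still overrides this default.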
What we deliberately didn’t build
- IP-based geolocation. Processing IP for anything beyond essential service delivery puts us into GDPR territory and triggers cookie-banner obligations. We use browser Accept-Language only. No cookies. No analytics. No third-party scripts.
- A separate EU site. Tempting, but it means duplicating logic. The user-visible toggle lives on every domain, identical behaviour everywhere.
- An EUVD-Exploited badge. ENISA’s exploited list and CISA KEV are essentially the same set — 1,603 vs 1,599 entries today, with an overlap above 99 percent. A peer chip would say “yes” twice on every actively-exploited CVE. We still ingest the EUVD flag, and a monthly canary check watches for the day the two lists diverge by more than 1 percent. If that happens, the chip comes back.
- Reproduction of CSIRT advisory text. We link out. The advisories themselves stay in their source language on their authors’ sites.
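An added example (not the site's own canary) of the monthly divergence check described above for the EUVD-Exploited badge; it assumes both exploited lists are already fetched as sets of CVE IDs, and it measures divergence as the share of the combined set that only one list carries, with the 1 percent threshold the post states:

```python
DIVERGENCE_THRESHOLD = 0.01   # the post's "more than 1 percent" trigger

def divergence(euvd_exploited, cisa_kev):
    """Fraction of the combined set present in only one list (Jaccard distance); 0.0 = identical."""
    a, b = set(euvd_exploited), set(cisa_kev)
    union = a | b
    if not union:
        return 0.0
    return 1.0 - len(a & b) / len(union)

def canary(euvd_exploited, cisa_kev, threshold=DIVERGENCE_THRESHOLD):
    """Build the monthly report; show_peer_chip flips True once the lists drift apart."""
    a, b = set(euvd_exploited), set(cisa_kev)
    d = divergence(a, b)
    return {
        "euvd_count": len(a),
        "kev_count": len(b),
        "only_euvd": sorted(a - b),       # worth eyeballing even below threshold
        "only_kev": sorted(b - a),
        "divergence_pct": round(d * 100, 2),
        "show_peer_chip": d > threshold,
    }

def constructed_ids(start, count):
    """Constructed, non-real CVE-style IDs used only to exercise the check."""
    return {f"CVE-0000-{n:05d}" for n in range(start, start + count)}

if __name__ == "__main__":
    # Shape of today's lists per the post: 1,603 vs 1,599 entries, with 1,595 shared.
    kev = constructed_ids(1, 1599)
    euvd = constructed_ids(5, 1595) | constructed_ids(2001, 8)
    report = canary(euvd, kev)
    print(report["divergence_pct"], "% divergence; peer chip:", report["show_peer_chip"])
```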
Informational only. The regulatory blurbs explain what timelines and obligations may apply. They are not legal advice. Confirm with your DPO or general counsel for jurisdiction-specific requirements.
TL;DR
- European-emphasis toggle in the header — ON by default for EU/UK browsers, OFF elsewhere. Anyone can flip it.
- Every CVE page now shows ENISA EUVD + national-CSIRT advisories + UK NCSC references when they exist.
- High-severity CVEs surface inline NIS2 / CRA / DORA / UK NIS Regs context.
- No IP tracking. No cookies. No third-party scripts. No new GDPR exposure.
- EUVD-Exploited is intentionally not a peer chip to CISA KEV — the two lists are 99 percent identical today. We watch monthly for divergence.
Generated 02 June 2026 14:43 UTC. Data sources: ENISA EUVD (CC BY 4.0), UK NCSC under Open Government Licence v3.0, NVD, CISA KEV, MITRE CWE.