Cyber Resilience

Beyond NVD: bringing EU and UK vulnerability context to every CVE

Most vulnerability data is tracked by US-based organisations: MITRE runs the CVE Program that assigns CVE IDs and owns the CWE catalogue, NIST's NVD adds the CVSS scores and CPE data most tooling keys on, and CISA decides what counts as "known exploited." That's fine for US infrastructure. It misses things if you're running operations in Europe or the UK, where a parallel set of authorities and regulations applies.

The US-centric default

If you've been reading CVE write-ups for a while, you've probably absorbed the US default without noticing it. NVD is run by NIST. CWE is run by MITRE under a US Department of Homeland Security contract. The KEV catalogue is curated by CISA. Even the "vendor advisory" you click through to is usually a US-headquartered vendor speaking to a US audience. The data is solid (we still build most of this site on top of it), but it's blind to a parallel European layer that NIS2, the Cyber Resilience Act, and DORA now make legally relevant for any organisation operating inside the EU. UK organisations live under the UK NIS Regulations 2018 (transposed from the EU NIS Directive and retained after Brexit) and look to NCSC, not CISA, for guidance on what's being exploited against UK targets.

What ENISA and NCSC actually add

ENISA published the European Vulnerability Database (EUVD) in 2025 under NIS2 Article 12. It doesn’t replace NVD; it re-keys CVEs with EUVD identifiers and layers in links to national CSIRT advisories from BSI (Germany), ANSSI CERT-FR (France), CCN-CERT (Spain), NCSC-NL, CERT-EU, CERT-PL, and a dozen smaller national teams. For some products — industrial control systems, energy, telecoms — these national teams go further than NVD’s vendor-supplied data. Our backfill found EU CSIRT references on about 1,450 of 350,000 CVEs to date — sparse overall, but concentrated on the CVEs that matter most to European operators.

The UK NCSC doesn't maintain a KEV-style structured list. It publishes individual advisories, about ten a month that cite specific CVEs, usually high-impact and often co-signed with CISA. We scrape the public RSS feed under the UK Open Government Licence and extract CVE references from the title and body text of each advisory (there is no structured CVE field to read, so this is pattern matching with ID normalisation and de-duplication), and any CVE referenced by NCSC now gets a UK chip on its detail page.

Regulations differ. Exploit paths differ. Readers differ.

Three regulatory regimes shape what an EU or UK organisation has to do when a vulnerability hits them: NIS2 (24-hour early warning, 72-hour incident notification, 1-month final report for essential and important entities); the EU Cyber Resilience Act (manufacturers of products with digital elements must report actively exploited vulnerabilities, starting with a 24-hour early warning, once its reporting obligations apply from September 2026); DORA (initial notification of a major ICT-related incident within 4 hours of classifying it as major, for EU financial entities). The UK NIS Regulations 2018 impose broadly equivalent timelines on UK operators of essential services. None of this shows up on a default US-centric CVE write-up, but for the right reader it changes the urgency and the obligations a CVE triggers.

What we changed

What we deliberately didn’t build

Informational only. The regulatory blurbs explain which timelines and obligations may apply. They are not legal advice. Confirm jurisdiction-specific requirements with your general counsel or compliance function; a DPO covers GDPR, not NIS2, CRA or DORA reporting.

TL;DR

  • European-emphasis toggle in the header — ON by default for EU/UK browsers, OFF elsewhere. Anyone can flip it.
  • Every CVE page now shows ENISA EUVD + national-CSIRT advisories + UK NCSC references when they exist.
  • High-severity CVEs surface inline NIS2 / CRA / DORA / UK NIS Regs context.
  • No IP tracking. No cookies. No third-party scripts. No new GDPR exposure.
  • EUVD-Exploited is intentionally not a peer chip to CISA KEV — the two lists are 99 percent identical today. We watch monthly for divergence.

Generated 02 June 2026 14:43 UTC. Data sources: ENISA EUVD (CC BY 4.0), UK NCSC under Open Government Licence v3.0, NVD, CISA KEV, MITRE CWE.