The EU's new vulnerability database and consultation on their healthcare cybersecurity action plan show the EU's work to improve cybersecurity internally.

On May 13, 2025, the European Union (EU) announced that the European Vulnerability Database (EUVD) was now operational. The EUVD is part of the 2022 “Directive on measures for a high common level of cybersecurity across the Union” (also known as the NIS2 Directive), which strengthened cybersecurity requirements, simplified reporting rules, and increased information sharing and cooperation over cyber crises. In the Directive, the European Union Agency for Cybersecurity (ENISA) was charged with creating a vulnerability database that addresses “the unique challenges posed by risks to Union entities” by allowing any entities covered by the Directive to voluntarily disclose publicly known vulnerabilities without fear of repercussions.
The press release explains how a holistic approach helps the EUVD meet its goal of providing “aggregated, reliable, and actionable information” to the public at large. The database’s information comes from several sources: computer security incident response teams (CSIRTs), information and communication technology (ICT) vendors, and existing databases like MITRE’s Common Vulnerabilities and Exposures (CVE) records, and the US’s Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities Catalog (KEV). Coincidentally, CISA narrowly beat the deadline to provide MITRE funding for their CVE program in April 2025. The program’s funding was scrutinized as part of a larger federal effort to cut CISA’s size and expenses, but several cybersecurity experts rallied to support the initiative, leading CISA to release two statements also expressing the agency’s endorsement of MITRE’s CVE records.
ENISA expects the interconnection underlying the database to facilitate improved analysis and cybersecurity risk management through Vulnerability-Lookup, open-source software that correlates vulnerabilities from a variety of sources. Each EUVD record will include a vulnerability description, the ICT products or services that are affected, how the vulnerability might be exploited, and information about how it may be patched, or the recommendations from CSIRTs or other relevant authorities. This database further establishes ENISA as a CVE Numbering Authority (CNA), officially tying it to other CNAs (like CISA).
The EU’s Executive Vice-President for Tech Sovereignty, Security and Democracy, Henna Virkkunen, praised the release of the EUVD: “The EU Vulnerability Database is a major step towards reinforcing Europe's security and resilience. By bringing together vulnerability information relevant to the EU market, we are raising cybersecurity standards, enabling both private and public sector stakeholders to better protect our shared digital spaces with greater efficiency and autonomy.” Even in its beta phase, the EUVD has already started to collect vulnerabilities. ENISA is currently requesting feedback on the site so that the next version will be even more accessible to the public.
The EUVD is just one part of the European Commission’s recent efforts to improve the union’s cybersecurity. Following the Action Plan on the cybersecurity of hospitals and healthcare providers released on January 15, 2025, the EU shared a consultation survey in April to get more information from the public with the goal of refining the action plan. The action plan was developed in response to the increased number of cyber incidents in the EU’s healthcare sector. In 2023, more than 300 incidents were reported in the industry, with 54% of the cyberattacks involving ransomware. As such, the plan hinges on four priorities:
- Enhanced prevention: Share guidance on implementing crucial cybersecurity practices, give cybersecurity vouchers for financial assistance to smaller hospitals and healthcare providers, and create cybersecurity learning materials for healthcare professionals
- Better detection and identification of threats: Set up an EU-wide early warning system to give real time alerts by 2026
- Response to cyber attacks to minimize impact: Establish a rapid response service for the healthcare sector, offer national cybersecurity exercises alongside playbooks to train healthcare organizations on dealing with cybersecurity threats, and encourage ransomware payment reporting
- Deterrence (protecting European healthcare): Discourage cyber threat actors by using the cyber diplomacy toolbox
The target audience for the questionnaire is: managerial staff of hospitals and healthcare providers, healthcare information technology (IT) professionals, healthcare professionals, healthcare authorities, patients and organizations representing patients, compliance and data privacy professionals, cybersecurity industry players, and healthcare industry players. The survey is available until June 30, 2025, and the EU plans to share recommendations based on public input to refine the action plan.
The EUVD and the consultation for healthcare cybersecurity are signs of the EU’s commitment to bolstering cybersecurity domestically, but the EU has also been looking to bolster its cybersecurity against international adversaries. Some time before the survey was shared, the EU published an in-depth analysis, “EU capabilities in space: Scenarios for space security by 2050,” that reflected on the precarious geopolitical landscape of space, citing the Russian cyberattack on Viasat’s KA-SAT satellite network just before Ukraine was invaded. More recently, Russia’s cyberattacks are making headlines again.
On April 29, 2025, the French Foreign Ministry accused Russia’s military intelligence (specifically, the GRU's APT28 unit) in a statement of intensifying its cyberattacks against French organizations since 2021. The French National Cybersecurity Agency (ANSSI) reported that in 2024 nearly 4,000 cyberattacks came from Russian actors, which was 15% more than the previous year. The 2024 data showed a steep increase in cyber attacks on federal and local agencies in the French government, defense companies, aerospace firms, think tanks, and companies in the finance sector. Of course, France is just one country being attacked by Russia through the course of the war; much of the EU has been affected.
Hopefully, the EU’s work to strengthen its cybersecurity posture internally will also support a stronger cybersecurity posture against external threats like the Russian cyberattacks.