The United States was on the verge of withdrawing from one of the key pillars of global cybersecurity: the funding of the CVE database. Although the US has now agreed to a temporary extension of eleven months, the underlying message remains unchanged. For Europe, this is yet another geopolitical wake-up call. What if the Americans do pull the plug next time? How would we find a solution then? And more importantly: how do we, as Europe, finally take control?
Governments, software vendors, security companies, and CERTs around the world rely on CVE numbers as the standard for managing vulnerabilities. Without that reference, no one knows anymore what’s truly urgent, where the biggest risks are, or what to patch first.
“And yet, since 1999, virtually everything behind the scenes has been running on American funding,” emphasizes Jort Kollerie, strategic advisor at Orange Cyberdefense. “In total, about 75 to 125 million dollars has been invested over 25 years. A relatively small amount, considering how much the world relies on it daily.”
The data from the CVE database is largely public. “But that doesn’t mean you can simply move the management somewhere else,” Kollerie explains. “Behind the database lies a complex system of thousands of CVE Numbering Authorities (CNAs) and established international agreements. This network is based on years of collaboration and a strong reputation as a neutral party.” Moreover, the US government can delay or block data transfer as part of broader geopolitical pressure. In short: this is not just a technical project, but a strategic and diplomatic issue.
Those who want to take over the management will need more than just access to the data. It requires a strong technical infrastructure, experienced personnel, a central coordination hub, and the trust of international software vendors, security companies, and CERTs.
Kollerie: “A European alternative is possible. But it will only succeed with solid preparation and execution. If we really want to work towards digital autonomy, we need to stop merely calling for more control over cybersecurity, and start being willing to invest in people, resources, and responsibility ourselves.”
The CVE database is managed by MITRE, an independent American non-profit organization. A European initiative is not a simple copy of what they do. It requires political willpower, long-term investments, and above all: trust from the international security community. According to Kollerie, a successful continuation of the CVE function in Europe would require at least the following building blocks:
A European Management Organization with Mandate and Authority
A central body must be appointed to coordinate daily operations, similar to MITRE’s role. ENISA (the European Union Agency for Cybersecurity) is a logical candidate due to its existing role in European cybersecurity coordination. Its role must be expanded with a formal mandate and sufficient capacity: technically, organizationally, and legally. This body must act as a neutral party among member states, companies, and researchers.
A Robust Network of CNAs Within Europe
CVE numbers are issued globally by CVE Numbering Authorities (CNAs): organizations that verify and publish reports. Europe already has several CNAs, but the network is incomplete and fragmented. We must work towards a representative, well-organized network of national CERTs, vendors, and research institutions capable of acting as CNAs. That requires standards, procedures, and coordination.
Clear Governance Rules on Ownership and Transparency
A vulnerability database must enjoy global trust. That’s only possible with full transparency on how vulnerabilities are validated, assigned, and published. Governance also means: who manages the data? What are the inclusion criteria? How do we prevent political interference or delays? Without clear and internationally supported rules, vendors and CERTs outside Europe may drop out.
A Scalable and Reliable Technical Infrastructure
MITRE’s existing infrastructure processes tens of thousands of reports per year. Europe will need to build its own platform for intake, verification, numbering, and publication of vulnerabilities. It must be secure, fast, and scalable, with open interfaces so vendors and other stakeholders can quickly integrate updates into their tools and products.
Structural Funding from the EU and/or Member States
MITRE’s estimated annual CVE management costs are only 3 to 5 million dollars. Still, ad-hoc funding is not an option. A structural budget is needed so management can be stable, independent, and professional. European funding via the EU budget makes sense, possibly supplemented by member state contributions or public-private partnerships with vendors.
Access to the Existing Database and Knowledge Infrastructure
While CVE data is largely public, the associated tools, processes, and networks are not. A European manager must either reach formal agreements with MITRE for data access and transfer or rebuild its own structure based on public data. The latter takes time and increases the risk of inconsistency. Without cooperation with MITRE or the US government, there’s a risk of double administration, or worse: international fragmentation of the system.
Europe has taken its first steps. For example, ENISA has launched the European Vulnerability Database (EUVD), its own public vulnerability database. The database is still in beta and far from a full-fledged CVE alternative. Still, Europe is signaling that there is now political and strategic awareness that digital security should not be solely dependent on American infrastructure. However, there is still a large gap between awareness and a mature alternative, and that gap, according to Kollerie, must now be bridged quickly.
“The actions of the US show that our digital infrastructure is vulnerable, no matter how reliable that country has been so far,” says Kollerie. “If we, as Europe, truly want to take digital sovereignty seriously, this is where it starts. Not by continuing to rely on American goodwill, but by taking matters into our own hands.”