NIST Is Triaging. Europe Is Not Ready. The Vulnerability Intelligence Gap Just Got Real.
Summary
NIST announced it can no longer enrich every CVE in the National Vulnerability Database. For European organizations facing CRA and NIS2 deadlines, the timing could not be worse.
On April 15, 2026, NIST quietly changed the rules of vulnerability management. Not by launching something new, but by admitting that the old model no longer works. The National Vulnerability Database will no longer enrich every CVE it receives. After a 263% surge in submissions between 2020 and 2025, and with early 2026 running a third higher than the same period last year, NIST is shifting to risk-based triage.
If you work in vulnerability management, threat intelligence, or compliance anywhere in Europe, this matters. Not as a distant infrastructure problem, but as something that directly affects the data your tools ingest, the scores your scanners report, and the intelligence your analysts rely on every day.
What NIST Actually Changed
The announcement lays it out clearly. Going forward, NIST will prioritize enrichment for three categories of CVEs:
- Vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with a target of enrichment within one business day.
- CVEs affecting software used by the U.S. federal government.
- Vulnerabilities in “critical software” as defined by Executive Order 14028.
Everything else still appears in the NVD, but gets marked “Not Scheduled” instead of receiving the usual enrichment: CVSS scoring, CWE classification, CPE applicability statements, and reference links. NIST will also stop routinely generating its own severity scores when the CVE Numbering Authority (CNA) already submitted one. Roughly 18,000 previously deferred CVEs are being reclassified, and all backlogged CVEs published before March 1, 2026, move into the “Not Scheduled” category.
Users can request enrichment of specific CVEs by emailing nvd@nist.gov. How quickly those requests get processed remains an open question.
The NVD’s own process documentation makes clear what enrichment adds: CVSS scores, CWE mappings, CPE applicability data, and curated references. These are the layers that turn a CVE identifier into something operationally useful. Without them, a CVE record is a stub: a name, a description, and whatever the CNA provided at submission time.
This Is Not the First Warning
Anyone paying attention saw this coming. In April 2025, the MITRE CVE program nearly lost its funding entirely when the U.S. government’s contract was about to lapse. CISA extended funding at the last minute, and a group of CVE Board members launched the CVE Foundation as a nonprofit to prevent future single-point-of-failure scenarios.
The lesson from that episode was clear: global vulnerability infrastructure that depends on a single government’s funding and priorities is structurally fragile. NIST’s April 2026 announcement is the same lesson, playing out differently. The CVE program survived its funding scare. The NVD survived its 2024 processing backlog. But each time, the response has been to narrow scope rather than expand capacity. The trajectory is unmistakable.
Why Europe Should Pay Close Attention
NIST’s triage criteria are defined by U.S. federal interests. EO 14028’s definition of “critical software” reflects U.S. government procurement. The KEV catalog, while valuable globally, is maintained by CISA based on exploitation observed in or relevant to U.S. federal networks. Software used by the U.S. federal government is, by definition, a U.S.-centric lens.
This creates a structural bias. Software from European vendors, open-source projects popular in European enterprises but less common in U.S. government environments, and vulnerabilities in systems deployed primarily in EU-regulated industries are more likely to land in “Not Scheduled.” The enrichment gap is not random. It is shaped by the priorities of the institution doing the enrichment.
For European organizations subject to NIS2, DORA, or the Cyber Resilience Act, this has operational consequences. NIS2 requires significant incident reporting within 24 hours. DORA mandates four-hour reporting for critical financial entities. And starting September 11, 2026, the CRA requires manufacturers to report actively exploited vulnerabilities within 24 hours through ENISA’s Single Reporting Platform, with full notification within 72 hours and a final report within 14 days.
Meeting those timelines requires context. You need to know whether a vulnerability is being actively exploited, which products are affected, and how severe the impact is. If the primary public source for that context just announced it will no longer provide it for a large share of CVEs, the compliance calculus changes. Organizations need to either produce that intelligence themselves or source it from somewhere other than the NVD.
The EUVD: Right Idea, Wrong Timeline
Europe saw this dependency risk coming. Article 12 of the NIS2 Directive mandates a European Vulnerability Database (EUVD), operated by ENISA. The database is live, ENISA is operational as a CVE Numbering Authority, and the agency is working toward becoming a top-level root CNA for the CVE Program.
The intent is sound. Nuno Rodrigues Carvalho, ENISA’s Head of Incident and Vulnerability Services, stated explicitly that “a global common good service of this importance should not depend excessively on a potential single point of failure,” regardless of the cause. That is exactly right.
But the EUVD is not ready to fill the gap that NIST just created. An empirical study published in February 2026 examined the EUVD’s actual state and found real gaps:
- Geographic concentration. Spain’s INCIBE assigns more vulnerabilities than all other EU public authorities combined. Poland ranks second. Most member states have not meaningfully engaged.
- Minimal ENISA coordination. ENISA itself has coordinated only about 2.1% of all vulnerabilities archived in the EUVD, despite being the mandated agency.
- No exploitation assessment. Zero overlap exists between actively exploited vulnerability (AEV) entries and ENISA/CSIRT-coordinated entries. The study’s authors concluded that “the European CSIRT network and ENISA have not been active in assessing whether vulnerabilities are under active exploitation.”
- Data quality inconsistencies. Four different CVSS versions coexist in the database. Exploitation assessment methodologies are undocumented. Open-source software coverage is sparse, with only 325 vulnerabilities carrying GitHub security advisory identifiers.
The study’s own title captures the situation: “The Baby Steps of the European Union Vulnerability Database.”
This is not a criticism of ENISA’s ambition. Building a continental vulnerability database from scratch is hard. But the timeline mismatch is the problem. NIST is triaging now. CRA enforcement starts in five months. The EUVD is still in beta, with incomplete member state participation and unresolved methodological standards. The dependency that Carvalho warned against is already materializing, and the European alternative is not yet mature enough to absorb the impact.
The Downstream Effect
The EUVD’s challenge is compounded by its relationship to the NVD. Much of the EUVD’s enrichment metadata is aggregated from existing sources, including the NVD. If NVD stops enriching a CVE, the EUVD has less to aggregate. The degradation cascades.
This means European organizations face a double gap: the NVD is providing less, and the EUVD cannot yet compensate independently. For the subset of CVEs that fall outside NIST’s priority categories and also lack ENISA/CSIRT coordination (which, based on the empirical data, is a large subset), there is currently no reliable public source for standardized enrichment.
That is a new situation. For over two decades, the assumption in vulnerability management has been that NVD would eventually normalize and enrich everything important enough to matter. Security tools, scanners, SIEMs, GRC platforms, and compliance frameworks were built on that assumption. NIST just formally retired it.
What Filling This Gap Actually Requires
The temptation is to frame NVD’s triage as a simple opportunity: if NIST stops enriching, someone else will. That is partly true, but it understates what “enrichment” actually involves.
NVD enrichment is not just slapping a CVSS score on a CVE record. It includes CPE applicability statements (which products and versions are affected), CWE classification (what type of weakness this is), curated references, and in many cases, reanalysis when upstream data changes. Replicating that at scale requires deep technical understanding, consistent methodology, and the ability to process tens of thousands of records per year.
Several signals can partially compensate for missing NVD enrichment. EPSS, the Exploit Prediction Scoring System maintained by FIRST, provides a probability-based estimate of exploitation within 30 days, updated continuously using machine learning. CISA’s KEV catalog provides a high-confidence signal for known exploitation, though it only covers a small fraction of exploited vulnerabilities. Vendor advisories, CNA-provided metadata, and exploit databases like Exploit-DB each contribute pieces.
But none of these, individually or together, replace what NVD enrichment provided as a unified, standardized layer. The gap is not just in data availability. It is in consistency, coverage, and the kind of structured metadata that allows automated tools to match vulnerabilities to specific products and environments.
Anyone stepping into that gap, whether a commercial vendor, an open-source project, or a government agency, will be held to the rigor bar that NVD set. Customers and regulators will want to know: where did a product match come from? Why is this CVE rated high priority without NVD enrichment? What evidence supports active exploitation? How confident is the system? NIST’s move creates room, but it also raises expectations.
Five Things That Change for Security Teams
The NVD becomes one source among several, not the backbone. Architecturally, security tools that treat NVD as the canonical source of truth need to adapt. The initial object should be the raw CVE plus CNA metadata, with enrichment layers from NVD, KEV, EPSS, vendor advisories, CISA alerts, exploit reporting, and independent analysis attached as they arrive. “NVD missing or delayed” is now a normal state, not an error condition.
“Not Scheduled” is itself a signal. A CVE being present in NVD but not enriched is now a meaningful data point. Security teams should surface that state explicitly rather than treating it as an absence. “Present in CVE/NVD, no NVD enrichment, independent risk estimate available” is more useful than silence, because uncertainty becomes visible rather than hidden.
Scoring heterogeneity increases. With NIST no longer routinely generating separate severity scores when CNAs already scored the issue, data consistency across sources will vary more. Different CVSS versions, different scoring methodologies, different levels of completeness. Normalizing and reconciling these scores becomes part of the operational workflow rather than something NVD handled upstream.
Exploitation intelligence becomes the primary signal. NIST’s triage criteria center on KEV and nationally significant software, reinforcing the shift toward “is this being exploited, and does it matter in real environments?” as the central prioritization question. But KEV is only a subset of exploited risk. What matters is detecting exploitation signals before they reach KEV, and identifying exploitation relevant to your stack, not the U.S. federal government’s.
European organizations need independent intelligence capacity. This is not optional. With NVD triaging, EUVD immature, and CRA enforcement approaching, European security teams cannot rely on public infrastructure alone for timely, contextual vulnerability intelligence. The organizations that will meet their compliance obligations and actually manage risk effectively are the ones building or sourcing independent enrichment and prioritization capabilities now.
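The following is an added example, not code from the article or from NIST, ENISA or any tool vendor, of what the architecture described above looks like in practice: the raw CVE plus CNA metadata is the base object, NVD enrichment is one optional layer, “Not Scheduled” and “absent” are surfaced as distinct states rather than errors, CVSS scores from different versions and sources are reconciled into qualitative bands, and KEV membership and EPSS (the signals mentioned earlier on this page) drive prioritization. All feeds, CVE identifiers, the asset-inventory match, the EPSS threshold and the P1–P4 priority rules are constructed or assumed for illustration.

```python
"""
Added example (not from the article): treat NVD as one enrichment layer among
several, surface "Not Scheduled" explicitly, reconcile heterogeneous CVSS
scores into a common qualitative band, and rank by exploitation signal.
Every record below is constructed; the CVE identifiers are placeholders.
"""
from dataclasses import dataclass

# --- Constructed sample feeds (placeholders, not real vulnerabilities) -------
# Base object: raw CVE text plus whatever the CNA supplied (version, base score).
RAW_CVES = {
    "CVE-0000-00001": {"summary": "Issue in a hypothetical EU vendor product", "cna_cvss": ("3.1", 8.8)},
    "CVE-0000-00002": {"summary": "Issue in a widely used library", "cna_cvss": None},
    "CVE-0000-00003": {"summary": "Issue in a hypothetical OT component", "cna_cvss": ("2.0", 7.5)},
    "CVE-0000-00004": {"summary": "Issue with no enrichment anywhere", "cna_cvss": None},
}
# NVD layer: a fully enriched record, the new "Not Scheduled" marker, or nothing at all.
NVD = {
    "CVE-0000-00001": {"status": "Not Scheduled"},
    "CVE-0000-00002": {"status": "Analyzed", "nvd_cvss": ("3.1", 9.8), "cwe": "CWE-787"},
    "CVE-0000-00003": {"status": "Not Scheduled"},
}
KEV = {"CVE-0000-00003"}                          # constructed CISA KEV membership
EPSS = {"CVE-0000-00001": 0.42, "CVE-0000-00002": 0.91, "CVE-0000-00003": 0.05}
IN_STACK = {"CVE-0000-00001", "CVE-0000-00003"}   # hypothetical asset-inventory match
EPSS_HIGH = 0.5                                   # assumed threshold; tune per organization


def cvss_band(version: str, score: float) -> str:
    """Map a base score to a qualitative band using that version's own rating scale.
    CVSS v2 has Low/Medium/High only; v3.x and v4 add None and Critical. Bands are
    comparable across versions in a way raw numbers are not."""
    if version.startswith("2"):
        return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"


@dataclass
class Assessment:
    cve: str
    nvd_enrichment: str   # "present" | "not scheduled" | "absent"
    severity_band: str    # qualitative band, or "unknown" when no layer scored it
    severity_source: str  # which layer supplied the score
    exploitation: str     # "known (KEV)" | "likely (EPSS)" | "no signal"
    priority: str         # P1 (act now) .. P4 (routine)
    confidence: str       # how many independent layers back this assessment


def assess(cve: str) -> Assessment:
    raw = RAW_CVES[cve]
    nvd = NVD.get(cve)
    if nvd is None:
        nvd_state = "absent"
    elif nvd.get("status") == "Not Scheduled":
        nvd_state = "not scheduled"           # a signal in its own right, not an error
    else:
        nvd_state = "present"

    # Severity: prefer NVD when enriched, fall back to the CNA score, never default to 0.
    if nvd_state == "present" and "nvd_cvss" in nvd:
        ver, score = nvd["nvd_cvss"]
        band, src = cvss_band(ver, score), f"NVD CVSS v{ver}"
    elif raw["cna_cvss"]:
        ver, score = raw["cna_cvss"]
        band, src = cvss_band(ver, score), f"CNA CVSS v{ver}"
    else:
        band, src = "unknown", "none"

    # Exploitation: KEV is a high-confidence yes; EPSS is a probability, not a confirmation.
    epss = EPSS.get(cve)
    if cve in KEV:
        expl = "known (KEV)"
    elif epss is not None and epss >= EPSS_HIGH:
        expl = "likely (EPSS)"
    else:
        expl = "no signal"

    # Assumed priority rules: exploitation in your own stack first, then any exploitation
    # signal or a high band in your stack; an unknown band is queued for human triage.
    in_stack = cve in IN_STACK
    if expl == "known (KEV)" and in_stack:
        priority = "P1"
    elif expl != "no signal" or (band in ("Critical", "High") and in_stack):
        priority = "P2"
    elif band == "unknown":
        priority = "P3"
    else:
        priority = "P4"

    signals = sum([nvd_state == "present", band != "unknown", epss is not None, cve in KEV])
    confidence = "high" if signals >= 3 else "medium" if signals == 2 else "low"
    return Assessment(cve, nvd_state, band, src, expl, priority, confidence)


def triage_queue() -> list:
    """Rank every known CVE: by priority, then by EPSS probability descending."""
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted((assess(c) for c in RAW_CVES),
                  key=lambda a: (order[a.priority], -EPSS.get(a.cve, 0.0)))


if __name__ == "__main__":
    for a in triage_queue():
        print(a)
```

Two design choices matter here. First, “Not Scheduled” and a record that is entirely absent from NVD are kept distinct from “present”, so a dashboard can show “in CVE, no NVD enrichment, independent estimate available” instead of a blank. Second, a record with no score from any layer is queued for analyst review (P3) rather than falling to the bottom as if it were low severity; the confidence field makes that uncertainty visible.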
The Bigger Picture
Zoom out, and the pattern is clear. The CVE program nearly lost funding in April 2025. The CVE Foundation was created to prevent a single point of failure. NIST is narrowing NVD scope because volume outpaced resources. ENISA is building European alternatives, but they are early.
The common thread is that vulnerability infrastructure built for a world of thousands of CVEs per year is being asked to handle a world of tens of thousands, and the institutions behind it are adapting by becoming more selective rather than more comprehensive. That is a rational response to resource constraints. It is also a structural shift that the rest of the ecosystem needs to internalize.
Public infrastructure is not going away. The CVE program, the NVD, the KEV catalog, and the EUVD all remain essential. But they are becoming selective, not exhaustive. The gap between raw disclosure volume and usable intelligence is widening, and the institutions that maintained that bridge for two decades are openly saying they cannot maintain it at the old level.
Public baselines are necessary but no longer sufficient. Vulnerability intelligence that fuses multiple sources, maps to your actual environment, and moves at the speed compliance demands is not a premium. It is becoming the floor.
That is the shift. It has been building for years. This week, it became official.
References
- NIST. “NIST Updates NVD Operations to Address Record CVE Growth.” April 15, 2026.
- NIST. “CVEs and the NVD Process.” National Vulnerability Database.
- Krebs, B. “Funding Expires for Key Cyber Vulnerability Database.” Krebs on Security. April 2025.
- CVE Foundation. “CVE Foundation Launched to Secure the Future of the CVE Program.” April 16, 2025.
- Help Net Security. “NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward.” April 16, 2026.
- Help Net Security. “Coordinated vulnerability disclosure is now an EU obligation, but cultural change takes time.” Interview with Nuno Rodrigues Carvalho, ENISA. April 15, 2026.
- ENISA. “Consult the European Vulnerability Database to enhance your digital security!”
- Meneely, A. et al. “The Baby Steps of the European Union Vulnerability Database: An Empirical Inquiry.” arXiv. February 2026.
- European Commission. “Cyber Resilience Act: Reporting obligations.”
- Hogan Lovells. “EU Cyber Resilience Act: Key 2026 milestones toward CRA compliance.”
- European Commission. “NIS2 Directive: securing network and information systems.”
- FIRST. “Exploit Prediction Scoring System (EPSS).”
- CISA. “Known Exploited Vulnerabilities Catalog.”
- Infosecurity Magazine. “NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities.”
- The Hacker News. “NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions.”
- CyberScoop. “NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities.”
- MSSP Alert. “CISA Extends Funding for MITRE CVE Program Just as It was to Expire.” April 2025.
- European Commission. “Digital Operational Resilience Act (DORA).”
- NIS2 Directive, Article 12. “Coordinated vulnerability disclosure and a European vulnerability database.”
- NIST. “Executive Order 14028: Improving the Nation’s Cybersecurity.”