Business Continuity Management Systems

As a business leader, security leader, or IT decision-maker, you’re already spinning multiple plates: managing risk, meeting regulatory requirements, and making sure your systems are secure without slowing the pace of business. So, when something fundamental changes in how we track cyber threats, like the CVE database, it’s completely fair to ask: “Do I need to worry about this?”
Let us explain what’s happening, why it matters, and how PGI makes sure it doesn’t become your problem to solve.
The CVE (Common Vulnerabilities and Exposures) programme provides a universal, standardised way to identify and reference vulnerabilities, enabling faster, clearer, and more effective security responses across industries. Before its introduction, different vendors and researchers would often describe the same issue using different names or formats, making it difficult to track or respond to security threats effectively. This lack of standardisation led to confusion, slower patching, and an increased risk of oversight.
With standardisation, the industry has been able to collaborate more effectively: organisations can quickly understand the issue at hand and patch it much faster, which ultimately leaves threat actors with fewer access points for causing disruption or reputational damage and for stealing data or other monetary assets.
In recent days, you may have heard rumours of a new CVE programme. While the US-based organisation MITRE has maintained the CVE database since its creation in 1999, the European Union Agency for Cybersecurity (ENISA) is forming a new organisation with a similar purpose and mission: the EU Vulnerability Database (EUVD), designed to enhance the EU's ability to independently track and manage vulnerabilities. Does this send us back to the chaotic pre-CVE times, when there was no single standardised source of truth for identifying and referencing vulnerabilities? Does this mean organisations will require US and EU reports with similar, but subtly different, formats? Thankfully, the European and US organisations plan to cooperate and maintain mirrored entries. Think of this as strong redundancy: a back-up to make sure we will always have access to the ever-growing list of vulnerabilities that security professionals the world over rely on.
Right now, MITRE and ENISA are working together to keep both databases aligned. But looking ahead, organisations like yours may face:
Back to those spinning plates: you have enough going on. But it's important to be aware of these changes and to future-proof against them, which is why we’re keeping such a close eye on what’s next and how it may impact your industry.
The Cyber Resilience Act and NIS2 Directive will require organisations to report, act on, and disclose vulnerabilities in more structured and auditable ways. For CISOs and security teams, this could mean:
Aligning internal processes with these evolving standards
Needing compliance and disclosure support from your vendors
Treating vulnerability management as a compliance priority
Our role is to make sure our clients never have to worry about which vulnerability database to use, or how global changes affect local compliance. Here’s what you can expect from us:
Cybersecurity shouldn’t be your full-time job. It’s ours. We track shifts like this to make sure your defences are strong, your reporting is aligned, and your team can focus on what matters most: running your business with confidence.
Have questions or want to know what this means for your specific organisation? Let’s talk.