Why the future of vulnerability standards matters to your organisation

Tom Pealin, Security Consultant and Keith Buzzard, CTO

As a business leader, security leader, or IT decision-maker, you’re already spinning multiple plates: managing risk, meeting regulatory requirements, and making sure your systems are secure without slowing the pace of business. So, when something fundamental changes in how we track cyber threats—like the CVE database—it’s completely fair to ask: "Do I need to worry about this?”

Let us explain what’s happening, why it matters, and how PGI makes sure it doesn’t become your problem to solve.

First: What is a CVE and why does it matter?

The CVE (Common Vulnerabilities and Exposures) programme provides a universal, standardised way to identify and reference vulnerabilities, enabling faster, clearer, and more effective security responses across industries. Before its introduction, different vendors and researchers would often describe the same issue using different names or formats, making it difficult to track or respond to security threats effectively. This lack of standardisation led to confusion, slower patching, and an increased risk of oversight.

With standardisation, the industry has been able to collaborate more effectively: organisations can quickly understand the issue at hand and patch it much faster, which ultimately leaves threat actors with fewer access points for causing disruption or reputational damage and for stealing data or other monetary assets.

So what’s changed?

In recent days, you may have heard rumours of a new CVE programme. While the US-based organisation MITRE has maintained the CVE database since its creation in 1999, the European Union Agency for Cybersecurity (ENISA) is establishing a new database with a similar purpose and mission: the EU Vulnerability Database (EUVD), designed to enhance the EU's ability to independently track and manage vulnerabilities. Does this send us back to the chaotic pre-CVE times, with no longer one standardised source of truth to identify and reference vulnerabilities? Does it mean organisations will require US and EU reports with similar but subtly different formats? Thankfully, the European and US organisations plan to cooperate and maintain mirrored entries. Think of this as strong redundancy: a back-up that makes sure we will always have access to the ever-growing list of vulnerabilities that security professionals the world over rely on.

What could this mean for your business?

Right now, MITRE and ENISA are working together to keep both databases aligned. But looking ahead, organisations like yours may face:

  • Regulatory uncertainty. Will your regulator expect you to use one database or both?
  • Compliance complications. Will your internal teams need to monitor two systems to stay compliant?
  • Confusion or delay. If vulnerability information isn’t consistent or up to date, response times could slow—and risk could increase.

Back to those spinning plates: you have enough going on. But it's important to be aware of these changes and to future-proof against them, which is why we're keeping such a close eye on what's next and how it may impact your industry.

The Cyber Resilience Act and NIS2 Directive will require organisations to report, act on, and disclose vulnerabilities in more structured and auditable ways. For CISOs and security teams, this could mean:

  • Aligning internal processes with these evolving standards
  • Needing compliance and disclosure support from your vendors
  • Treating vulnerability management as a compliance priority

How PGI protects you from emerging complexities

Our role is to make sure our clients never have to worry about which vulnerability database to use, or how global changes affect local compliance. Here’s what you can expect from us:

  • Up-to-date intelligence: Whether it's MITRE, ENISA, or something new, we use the latest trusted sources to guide our work, from penetration testing to configuration reviews.
  • Regulatory alignment: We help you stay compliant, no matter how standards evolve, and we tailor our advice to your region and sector.
  • Clarity and simplicity: You’ll get clear, actionable insights—never jargon or ambiguity.

You don’t need to follow cybersecurity politics—we do that for you

Cybersecurity shouldn’t be your full-time job. It’s ours. We track shifts like this to make sure your defences are strong, your reporting is aligned, and your team can focus on what matters most: running your business with confidence.

Have questions or want to know what this means for your specific organisation? Let’s talk.