Member states have agreed that energy, health, finance and transport companies will have to report serious cyber-breaches. The new law follows reports that many security violations are hidden from the public.
The legislation agreed on Tuesday sets out security and reporting obligations for large government institutions and companies in cases of severe breaches of cybersecurity.
The new law seeks to ensure essential services from traffic control to electricity grid management are robust enough to withstand online attacks.
It follows several high profile breaches against high-tech government infrastructure and multi-national companies, and as fears mount that many assaults go unreported.
The new proposals, known as the Network and Information Security Directive, threatens severe penalties if organizations don't comply.
In July, Germany passed a similar law requiring critical infrastructure institutions to introduce tougher security practices or face fines of up to €100,000 ($108,000.)
"This agreement is a major step in raising the level of cybersecurity in Europe," the European's Union's digital commissioner Guenther Oettinger said on his blog.
"I will not sit back and let these criminals and cyber terrorists attack our businesses, intrude into our private lives and destroy trust in our digital economy and society," he said.
Under the measure, internet companies such as Google, Amazon, eBay and Cisco - but not social networks like Facebook - will also be required to report serious incidents to national authorities. Small digital companies will be exempted.
Web firms will be subject to less stringent obligations, than, say, airports or oil pipeline operators.
The European Commission first proposed the legislation two years ago but the text has faced hold-ups over which industries would be required to report attacks.
Many security experts believe the agreement has been too watered down and won't give the the EU's new digital security agency ENISA enough powers to manage the threat effectively.
European businesses and the overall economy lose hundreds of billions of euros a year to cybercrime and cyberattacks.
The European Commission's digital chief, Andrus Ansip, told Reuters the new law would build up consumers' trust in Internet services, especially cross-border services, which Brussels is keen to promote.
"The Internet knows no border - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction," he said.
The bloc's first major cybersecurity law still needs to be formally approved before being turned into national law in the EU's 28 states.
In May, Germany revealed that theBundestag's IT infrastructure had come under attack, leading to the theft of an unknown amount of data. Reports suggest millions of euros is being spent to tighten security on several of Berlin's vital computer systems.
Tuesday's announcement didn't include single outcyber security against foreign surveillance, which Brussels has also been planning to tighten.
mm/jil (AFP, Reuters)