Technology firms and those running critical services will have to report cyber-breaches, under new rules proposed by MEPs.
The rules will also establish minimum standards of cybersecurity for banks, energy and water firms.
It is the first time Europe has created EU-wide rules on cybersecurity.
It comes in the wake of concerns that key infrastructure, such as airports or power stations, could be targeted by hackers.
The proposed laws – agreed by MEPs and ministers from the 28 EU countries – will also apply to some tech firms. The details of this have yet to be worked out but the rules are likely to include online marketplaces, such as eBay and Amazon, and search engines such as Google.
The Network and Information Security directive is an attempt to deal with the emerging threat of cyber-attacks.
Currently there is no common approach in Europe to digital network breaches, whether they are the result of human error, technical failures or malicious attacks.
The European Agency for Network and Information Security (Enisa) estimates that such breaches result in annual losses in the range of 260 billion to 340 billion euros.
Under the new rules, member states would have to co-operate more on cybersecurity, exchanging information about breaches, offering best practice and assisting member states in securing their infrastructures.
“Today, a milestone has been achieved: we have agreed on the first ever EU-wide cybersecurity rules, which the Parliament has advocated for years,” said German MEP Andreas Schwab, after the deal was agreed.
Digital affairs commissioner Guenther Oettinger added that it was a “major step in raising the level of cybersecurity in Europe”.
MEP Vicky Ford, who chaired the final round of talks, said that it was “a hugely complex piece of legislation”.
“We have set up a network which will enable experts from each of the 28 countries in the EU to share and develop best practice in network security, whilst not compromising any individual member state’s own national security measures.”
The deal still needs approval from the European Parliament and national governments. The vote is expected to take place in the spring, after which member states would have around two years to put the measures in place.