"A milestone has been achieved: we have agreed on the first ever EU-wide cyber-security rules, which the Parliament has advocated for years," European Parliament (EP) rapporteur Andreas Schwab said in a press release, late on Monday.
Under the new rules, online marketplaces, search engines and cloud database providers, including eBay, Amazon and Google, will be required to maintain their infrastructure's security and report any "major incidents" to national governments. Social networks are said to be excluded from the directive.
The Network and Information Security Directive, subject to formal approval from the European Parliament, is said to harmonize the fragmented cybersecurity regulations of the European Union's 28 member states. A strategic cooperation group has been established to exchange information, draft guidelines and assist member states in building cybersecurity capacity.
Essential operators will be specifically identified based on their importance to society and the economy, their dependence on network and information systems, and the scope of a cyberattack's impact on the company's operations and public safety.
EU officials estimate that security incidents caused by human and technical error, as well as malicious attacks, cost the bloc up to $370 billion annually.
The European Commission first proposed the Network and Information Security Directive in 2013.