Students attend cyber defense class in the school in Poltsamaa, Estonia, December 4, 2015. [Photo/Agencies]

BRUSSELS - EU lawmakers and member states struck a deal on the bloc's first cyber-security law on Monday that will require Internet firms such as Google and Amazon to report serious breaches or face sanctions.

The deal, following five hours of negotiations between the European Parliament and EU governments, was reached in response to increasing worries about cyber attacks resulting in security and privacy breaches.

The European Commission's digital chief, Andrus Ansip, said the new law would build up consumers' trust in Internet services, especially cross-border services.

"The Internet knows no border - a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber-security solutions. This agreement is an important step in this direction," he said.

The new law, known as the Network and Information Security Directive, sets out security and reporting obligations for companies in critical sectors such as transport, energy, health and finance. Web firms will be subject to less stringent obligations, than, say, airports or oil pipeline operators.

Under the measure, Internet companies such as Google, Amazon, eBay and Cisco - but not social networks like Facebook - will be required to report serious incidents to national authorities, which in turn will be able to impose sanctions on companies that fail to do so.