Regulators worry about the speed and scale at which banks, insurers and investment firms are moving critical functions and market operations onto a handful of cloud platforms.
A glitch at one cloud company could potentially bring down services across many financial firms, regulators have said.
The EU Council, which represents the 27 member states, said it has completed the bloc's final approval stage for the new Digital Operational Resilience Act, known as DORA.
Banks and other financial firms already have plans for IT security but more was needed so they stay resilient through a severe disruption, said Zbynek Stanjura, finance minister for the Czech Republic, which holds the EU presidency.
"Thanks to the harmonised legal requirements which we adopted today, our financial sector will be better able to continue to function at all times," Stanjura said.
The requirements will apply to financial firms and "critical" third parties supplying cloud based services.
"If a large-scale attack on the European financial sector is launched, we will be prepared for it," Stanjura said.
The bloc's securities, insurance and banking watchdogs will write technical rules to implement the new law.
The European Parliament, which had joint say, has already given the green light and the law will come into force around the end of 2024.
Britain, no longer in the EU, said in June its regulators will be given powers to designate which outsourced services can come under direct supervision of the Bank of England and Financial Conduct Authority.
(Reporting by Huw Jones; Editing by Alexander Smith)
By Huw Jones