* Draft EU law would affect 42,000 companies
* Aimed at improving cyber security in vital sectors
* Firms worry about cost, possible reputation damage
By Ethan Bilby
BRUSSELS, Feb 6 (Reuters) - Around 42,000 firms in the European Union, including airports, banks and hospitals, would have to inform regulators whenever their computers are hacked, under a proposed EU law to be published on Thursday.
The law could set a global precedent for safeguarding critical infrastructure against digital attacks that have hit companies and government departments in an era of increasing "cyber-crime" and "cyber-terrorism".
But some businesses worry they face extra costs.
Under the draft law, EU member states would have to draw up a monitoring system for companies that are critical to the economy. Those firms would then have to report major online attacks to national authorities and reveal security breaches.
Almost 15,000 transport companies, 8,000 banks, 4,000 energy firms, and 15,000 hospitals will have to report cyber attacks if the proposals are approved by EU governments and the European Parliament.
Public administrations and operators of critical Internet services would also have to report. Firms with fewer than 10 employees would not be covered by the legislation.
"As the online world becomes a part of everything we do, securing that world is essential to ensuring a society that remains secure, prosperous and free," EU telecoms chief Neelie Kroes said in a speech last week.
Inefficient measures on cyber security carry an economic cost in lost trade, an EU poll showed. In 2012, 38 percent of the EU's Internet users said they were concerned about making payments online.
The proposed law would require all 27 EU states to appoint a national authority responsible for network and information security and to set up a computer emergency response team to handle security incidents.
Some firms say the regulations are too vague and could mean extra costs. They also worry that being forced to divulge attacks on their networks to a regulator could be bad for their reputations.
In deciding whether to make a cyber attack public, the national authority would have to weigh the public interest in knowing about the incident against possible reputation damage.
The proposed legislation leaves it up to national authorities to decide whether companies would face any penalty for failing to report a cyber-attack. "It is not about the criminalisation of attacks," one EU official said. (Additional reporting by Adrian Croft; Editing by Robin Pomeroy)