AbstractWhilst Article 51 of the UN Charter as a rule indicates that an “armed attack” may trigger a State’s right of self-defense, the actual purport of armed attack remains a matter of interpretation and qualification. To improve the notion of the rule on self-defense and contribute to the jus ad bellum, more clarification as to what constitutes an armed attack in cyberspace is necessary. Therefore, policy norms—regarding when cyber-attacks reach the threshold of an armed attack—could guide State behavior. On the one hand, these policy norms could be used in the political decision-making processes for States that consider initiating cyber-attacks. On the other, they could help victim States in their decision-making processes in response to grave cyber-attacks. The aim of the paper is to propose a tangible guideline that outlines when cyber-attacks—perpetrated solely in or through cyberspace and not in conjunction with conventional military attacks—can qualify as an armed attack. By assessing the positions of States and leading academic opinions regarding the qualification of cyber-attacks as armed attacks, and applying international and interdisciplinary policy documents to transfer the legal debate into tangible options, a policy framework is deduced that can serve as a baseline for international cyber norms. This framework distinguishes three separate categories of armed attack in cyberspace, each with their own distinctive levels to determine when a cyber-attack can qualify as an armed attack. These absolute levels are tailored for the Netherlands but could also be suitable for other States when transferred to percentages of the gross national/domestic product and the population size.