As high-level European Union (EU) policy documents call for investment in active cyber defence capabilities, the legal and political powers for their use remain ill-defined. To demonstrate their commitment to principles of responsible state behaviour and due diligence, the EU and its member states have a duty to establish the normative foun­dations for the use of active cyber defence measures ahead of their deployment, while carefully managing the risk of a gradual militarisation of the cyber and information domain.