It is hard to overestimate the role of a national cybersecurity or information security strategy. Balancing between infinite ambitions and finite resources, these instruments legitimise demands, level expectations and reinforce rights and freedoms. Strategies constitute effective administrative tools to create a division of responsibility and labour between governmental agencies and between the public and private sector. This paper applies a normative reading to 106 national cybersecurity strategies, most of them adopted after the cyberattacks against Estonia in 2007, an event that marked a strong shift toward securitisation of the use of information and communication technologies (ICTs). The paper identifies and discusses countries’ qualifications of afforded and expected standards of behaviour in the context of both national and international cybersecurity. The analysis is intended to contribute to the international debate around cybernorms and responsible behaviour in state use of ICTs.