Due to heightened threat perceptions, states are currently expanding their coercive power in cyberspace. They attempt to reduce the risk of escalation in (cybered-)conflict through traditional norms building. At the same time, their strategic actions remain the biggest threat to stability. Cyber-exploitations are a major part of the problem, hindering the removal of known insecurities, thus reducing the effectiveness of any future order. At the same time, the forceful role that states aspire to play in cyber-security has led to questions of legitimacy. The security arrangements that emerged in the 1990s, focused on protection and risk management, had a high degree of legitimacy because they built on a pragmatic solution of distributed security provision. Unless a future order in cyberspace takes into account the interests of companies and consumers who shape this domain in peacetime, it will be met with considerable resistance, with high costs for all sides.