The use of cyber operations during armed conflicts and the question of how international humanitarian law (IHL) applies to such operations have developed significantly over the past two decades. In their different roles in the Legal Division of the International Committee of the Red Cross (ICRC), the authors of this article have followed these developments closely and have engaged in governmental and non-governmental expert discussions on the subject. In this article, we analyze pertinent humanitarian, legal and policy questions. We first show that the use of cyber operations during armed conflict has become a reality of armed conflicts and is likely to be more prominent in the future. This development raises a number of concerns in today's increasingly cyber-reliant societies, in which malicious cyber operations risk causing significant disruption and harm to humans. Secondly, we present a brief overview of multilateral discussions on the legal and normative framework regulating cyber operations during armed conflicts, looking in particular at various arguments around the applicability of IHL to cyber operations during armed conflict and the relationship between IHL and the UN Charter. We emphasize that in our view, there is no question that cyber operations during armed conflicts, or cyber warfare, are regulated by IHL – just as is any weapon, means or methods of warfare used by a belligerent in a conflict, whether new or old. Thirdly, we focus the main part of this article on how IHL applies to cyber operations. Analyzing the most recent legal positions of States and experts, we revisit some of the most salient debates of the past decade, such as which cyber operations amount to an “attack” as defined in IHL and whether civilian data enjoys similar protection to “civilian objects”. We also explore the IHL rules applicable to cyber operations other than attacks and the special protection regimes for certain actors and infrastructure, such as medical facilities and humanitarian organizations.