{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T15:20:20Z","timestamp":1773415220023,"version":"3.50.1"},"reference-count":55,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T00:00:00Z","timestamp":1773360000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Small-and-medium-sized enterprises (SMEs) increasingly depend on business partnerships to access markets and scale operations, yet they often face trust barriers during contract formation due to the complexity of the verification of their cybersecurity posture and compliance status by their partners. This problem is intensified by rising regulatory expectations, notably the EU Cyber Resilience Act (CRA), which many SMEs struggle to interpret and operationalize under constraints of budget, skills, and fragmented responsibilities. This study adopts a Design Science Research approach to blueprint and evaluate a lightweight mapping framework that links commonly implemented security controls to CRA requirements and to widely recognized benchmarks (ISO\/IEC 27001 and CIS). Grounded in Institutional Theory and Socio-Technical Systems Theory, the artefact translates regulatory obligations into actionable, evidence-backed controls and produces partner-facing outputs that support transparency in negotiations and service level agreements. The framework is iteratively co-created with a multidisciplinary expert community. Expected contributions include a practical mechanism for making cybersecurity maturity visible, accelerating partnership formation, and enabling sustainable interorganizational relationships while remaining feasible for resource-constrained SMEs.<\/jats:p>","DOI":"10.3390\/jcp6020053","type":"journal-article","created":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T11:12:25Z","timestamp":1773400345000},"page":"53","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Security Compliance as a Catalyst for Sustainable Partnerships: A Design Science Approach for SMEs"],"prefix":"10.3390","volume":"6","author":[{"given":"Francisco","family":"Concei\u00e7\u00e3o","sequence":"first","affiliation":[{"name":"School of Science and Technology, Institute of Polytechnic Studies of Gaya, Av. dos Descobrimentos 333, 4400-103 Vila Nova de Gaia, Portugal"}]},{"given":"Manuel","family":"Rocha","sequence":"additional","affiliation":[{"name":"School of Science and Technology, Institute of Polytechnic Studies of Gaya, Av. dos Descobrimentos 333, 4400-103 Vila Nova de Gaia, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6758-4843","authenticated-orcid":false,"given":"Fernando","family":"Almeida","sequence":"additional","affiliation":[{"name":"School of Science and Technology, Institute of Polytechnic Studies of Gaya, Av. dos Descobrimentos 333, 4400-103 Vila Nova de Gaia, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,13]]},"reference":[{"key":"ref_1","unstructured":"World Bank (2015). SMEs, Age, and Jobs: A Review of the Literature, World Bank Group."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Gherghina, \u0218.C., Botezatu, M.A., Hosszu, A., and Simionescu, L.N. (2020). Small and medium-sized enterprises (SMEs): The engine of economic growth through investments and innovation. Sustainability, 12.","DOI":"10.3390\/su12010347"},{"key":"ref_3","first-page":"1","article-title":"Cybersecurity guide for SMEs: Protecting small and medium-sized enterprises in the digital era","volume":"16","author":"Papathanasiou","year":"2025","journal-title":"J. Inf. Secur."},{"key":"ref_4","first-page":"99","article-title":"Empirical analysis of NIS2 adoption in EU SMEs: Challenges for critical infrastructure in Germany","volume":"5","author":"Joswig","year":"2025","journal-title":"J. Next-Gener. Res."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"245","DOI":"10.1007\/s10207-025-01090-4","article-title":"Digital sovereignty in practice: Analyzing the EU\u2019s NIS2 directive","volume":"24","author":"Kianpour","year":"2025","journal-title":"Int. J. Inf. Secur."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"102650","DOI":"10.1016\/j.techsoc.2024.102650","article-title":"When traditional SME managers encounter cybersecurity","volume":"78","author":"Hoong","year":"2024","journal-title":"Technol. Soc."},{"key":"ref_7","first-page":"1","article-title":"One size does not fit all: Exploring the cybersecurity perspectives and engagement preferences of UK-based small businesses","volume":"34","author":"Wilson","year":"2025","journal-title":"Inf. Secur. J."},{"key":"ref_8","first-page":"1","article-title":"Weathering the storm: Examining how organisations navigate the sea of cybersecurity regulations","volume":"34","author":"Proudfoot","year":"2024","journal-title":"Eur. J. Inf. Syst."},{"key":"ref_9","first-page":"78","article-title":"Impact of Cybersecurity Disclosures on Stakeholder Intentions","volume":"64","author":"Bansal","year":"2024","journal-title":"J. Comp. Inf. Syst."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1016\/j.ijis.2020.02.002","article-title":"Third-party relational governance and collaborative innovation performance","volume":"4","author":"Bai","year":"2020","journal-title":"Int. J. Innov. Stud."},{"key":"ref_11","first-page":"157","article-title":"Examining collaborative buyer\u2013supplier relationships and social sustainability","volume":"322","author":"Kumar","year":"2022","journal-title":"Ann. Oper. Res."},{"key":"ref_12","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2022)."},{"key":"ref_13","first-page":"99","article-title":"Firm resources and sustained competitive advantage","volume":"17","author":"Barney","year":"1991","journal-title":"J. Manag."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"107","DOI":"10.2307\/25148626","article-title":"The resource-based view and information systems research","volume":"28","author":"Wade","year":"2004","journal-title":"MIS Q."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"169","DOI":"10.2307\/3250983","article-title":"A resource-based perspective on IT capability and firm performance","volume":"24","author":"Bharadwaj","year":"2000","journal-title":"MIS Q."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"283","DOI":"10.2307\/25148636","article-title":"Information technology and organizational performance","volume":"28","author":"Melville","year":"2004","journal-title":"MIS Q."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"102724","DOI":"10.1016\/j.cose.2022.102724","article-title":"Cybersecurity critical success factors","volume":"118","author":"Yeoh","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_18","first-page":"1","article-title":"Cybersecurity resilience in SMEs: A machine learning approach","volume":"64","author":"Arranz","year":"2024","journal-title":"J. Comput. Inf. Syst."},{"key":"ref_19","first-page":"681","article-title":"Strategic responses to institutional voids","volume":"61","author":"Luiz","year":"2021","journal-title":"Manag. Int. Rev."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"509","DOI":"10.1002\/(SICI)1097-0266(199708)18:7<509::AID-SMJ882>3.0.CO;2-Z","article-title":"Dynamic capabilities and strategic management","volume":"18","author":"Teece","year":"1997","journal-title":"Strateg. Manag. J."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1111\/j.1540-5915.2010.00287.x","article-title":"Understanding the elusive black box of dynamic capabilities","volume":"42","author":"Pavlou","year":"2011","journal-title":"Decis. Sci."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"147","DOI":"10.2307\/2095101","article-title":"The iron cage revisited","volume":"48","author":"DiMaggio","year":"1983","journal-title":"Am. Sociol. Rev."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"571","DOI":"10.2307\/258788","article-title":"Managing legitimacy","volume":"20","author":"Suchman","year":"1995","journal-title":"Acad. Manag. Rev."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"106009","DOI":"10.1016\/j.clsr.2024.106009","article-title":"Cyber Resilience Act 2022","volume":"54","author":"Shaffique","year":"2024","journal-title":"Comput. Law Secur. Rev."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"355","DOI":"10.2307\/1882010","article-title":"Job market signaling","volume":"87","author":"Spence","year":"1973","journal-title":"Q. J. Econ."},{"key":"ref_26","first-page":"39","article-title":"Signaling theory","volume":"37","author":"Connelly","year":"2011","journal-title":"J. Manag."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"141","DOI":"10.1287\/orsc.9.2.141","article-title":"Does Trust Matter? Exploring the Effects of Inter-Organizational and Inter-Personal Trust on Performance","volume":"9","author":"Zaheer","year":"1998","journal-title":"Organ. Sci."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1002\/smj.249","article-title":"Do formal contracts and relational governance function as substitutes or complements?","volume":"23","author":"Poppo","year":"2002","journal-title":"Strateg. Manag. J."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1002\/smj.4250160504","article-title":"Relational governance as an interorganizational strategy","volume":"16","author":"Zaheer","year":"1995","journal-title":"Strateg. Manag. J."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"703","DOI":"10.1016\/j.indmarman.2003.06.010","article-title":"The determinants of relational governance and performance","volume":"32","author":"Claro","year":"2003","journal-title":"Ind. Mark. Manag."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"17","DOI":"10.2307\/248710","article-title":"MIS problems and failures: A socio-technical perspective","volume":"1","author":"Bostrom","year":"1977","journal-title":"MIS Q."},{"key":"ref_32","unstructured":"Trist, E. (1981). The Evolution of Socio-Technical Systems, Ontario Quality of Working Life Centre. Occasional Paper."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1080\/17517575.2025.2529282","article-title":"A cybersecurity framework for enhancing Small and medium-sized enterprises (SMEs) security posture using user behaviour analytics","volume":"19","author":"Le","year":"2025","journal-title":"Enterp. Inf. Syst."},{"key":"ref_34","first-page":"89","article-title":"Cybersecurity challenges in SMEs","volume":"3","author":"Awan","year":"2025","journal-title":"J. Cybersecur. Risk Anal."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Clark, A., and Mujeye, S. (2025). A critical analysis of SME cybersecurity policies and practices. Proceedings of the ACM International Conference on Information Security and Privacy, ACM.","DOI":"10.1145\/3725899.3725926"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"115","DOI":"10.1186\/s43093-024-00402-9","article-title":"The impact of cybersecurity disclosure on banks\u2019 performance: The moderating role of corporate governance in the MENA region","volume":"10","author":"Elsayed","year":"2024","journal-title":"Future Bus. J."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/cybsec\/tyac004","article-title":"Cybersecurity service level agreements","volume":"8","author":"Nugraha","year":"2022","journal-title":"J. Cybersecur."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Wallis, T., and Dorey, P. (2024). Collaboration practices for cybersecurity of supply chains. Appl. Sci., 14.","DOI":"10.3390\/app14135805"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"1285","DOI":"10.1007\/s10796-019-09959-1","article-title":"Investigating the security divide between SMEs and large companies","volume":"21","author":"Heidt","year":"2019","journal-title":"Inf. Syst. Front."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Khan, N., Furnell, S., Bada, M., Nurse, J., and Rand, M. (Inf. Comput. Secur., 2025). The hidden barriers to cyber security adoption amongst Small and Medium-Sized Enterprises, Inf. Comput. Secur., in press.","DOI":"10.1108\/ICS-04-2025-0135"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"El-Hajj, M., and Mirza, Z.A. (2024). Protecting Small and Medium Enterprises: A Specialized Cybersecurity Risk Assessment Framework and Tool. Electronics, 13.","DOI":"10.20944\/preprints202408.1691.v1"},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"2159","DOI":"10.1007\/s12525-022-00608-1","article-title":"Designing a feature selection method based on explainable artificial intelligence","volume":"32","author":"Zacharias","year":"2022","journal-title":"Electron. Mark."},{"key":"ref_43","first-page":"1","article-title":"Combining action research with design science","volume":"24","author":"Castro","year":"2025","journal-title":"Int. J. Qual. Methods"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"169","DOI":"10.1365\/s43439-024-00111-7","article-title":"More than malware: Unmasking the hidden risk of cybersecurity regulations","volume":"5","author":"Kianpour","year":"2024","journal-title":"Int. Cybersecur. Law Rev."},{"key":"ref_45","first-page":"325","article-title":"Adaptable security maturity assessment","volume":"39","author":"Ozkan","year":"2022","journal-title":"Inf. Syst. Manag."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Bernardo, L., Malta, S., and Magalh\u00e3es, J. (2025). Cybersecurity maturity aligned with NIST CSF. Electronics, 14.","DOI":"10.3390\/electronics14071364"},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"193","DOI":"10.1016\/j.eij.2020.08.001","article-title":"Adopting security maturity model to the organizations\u2019 capability model","volume":"22","author":"Helal","year":"2021","journal-title":"Egypt. Inform. J."},{"key":"ref_48","first-page":"103744","article-title":"ISO\/IEC 27001 and value creation","volume":"139","author":"Benaroch","year":"2022","journal-title":"Comput. Ind."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1007\/s44206-024-00129-8","article-title":"Enforcement design patterns in EU law","volume":"3","author":"Larsson","year":"2024","journal-title":"DISO"},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"126","DOI":"10.18261\/olr.8.3.2","article-title":"Security by design","volume":"8","author":"Bygrave","year":"2022","journal-title":"Oslo Law Rev."},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"53","DOI":"10.7250\/csimq.2022-33.04","article-title":"CyberSecurity Readiness: A Model for SMEs based on the Socio-Technical Perspective","volume":"33","author":"Perozzo","year":"2022","journal-title":"Complex Syst. Inform. Model. Q."},{"key":"ref_52","doi-asserted-by":"crossref","first-page":"206","DOI":"10.1007\/s10207-025-01121-0","article-title":"Voluntary cybersecurity standards","volume":"24","author":"Haig","year":"2025","journal-title":"Int. J. Inf. Secur."},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"100084","DOI":"10.1016\/j.dte.2025.100084","article-title":"A digital maturity model for assessing SMEs in the manufacturing sector","volume":"9","author":"Njah","year":"2026","journal-title":"Digital Eng."},{"key":"ref_54","first-page":"103104","article-title":"ISO\/IEC 27001 diffusion","volume":"136","author":"Mirtsch","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_55","first-page":"189","article-title":"Cybersecurity transparency and firm success","volume":"64","year":"2024","journal-title":"Account. Perspect."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/2\/53\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T11:39:33Z","timestamp":1773401973000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/6\/2\/53"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,13]]},"references-count":55,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["jcp6020053"],"URL":"https:\/\/doi.org\/10.3390\/jcp6020053","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,13]]}}}