# Reference Transition Scenario — canonical regression scenario (NOT a test fixture). # ANONYMIZED ARCHETYPE ONLY — no real company names are stored in the system; illustrative. # Each RTS pins an Expected Outcome so every commit must reproduce it (identical or better). id: RTS-001 archetype: "Automotive supplier with a mature ISMS — embedded electronics + software, CE products, OEM supply chain" note: "Anonymized typical starting situation; illustrative only." reference_company: sector: automotive_supply known_certifications: [TISAX, ISO27001] product_traits: is_machine: false # component / embedded supplier is_component: true has_embedded_software: true connected_to_internet: true has_remote_access: true generates_usage_data: null # UNKNOWN -> a deciding question, not an assertion market: [EU] transition_goal: from: [TISAX, ISO27001] to: - target: CRA pattern: TP-ISO27001-CRA-v1 # executed through RS-005 below - target: MaschinenVO pattern: null note: pattern_pending # no MaschinenVO pattern yet expected_outcome: cra: pattern: TP-ISO27001-CRA-v1 # The mature ISMS reduces effort here (most info-security capabilities probably covered). expected_likely_covered_at_least: - incident_management - supplier_security - secure_development_lifecycle - asset_and_configuration_management - security_logging_and_monitoring - access_control_and_authentication # ... but the CRA product-cyber delta remains. expected_delta_at_least: - sbom_creation - coordinated_vulnerability_disclosure - security_update_support_period - secure_signed_update_distribution - exploited_vuln_and_incident_reporting - product_cyber_risk_assessment - ce_conformity_assessment_and_technical_documentation data_act: expectation: uncertain # NEVER a fixed gilt/gilt-nicht deciding_questions: [generates_usage_data, connected_product, data_act_scope] rationale: "A connected component MAY fall under the Data Act; applicability depends on usage-data generation + scope. The engine must SURFACE this uncertainty and ask, not assert."