# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
id: RTS-002
archetype: "Classic machine builder with only a QMS — precision systems, CE products, no ISMS"
note: "Anonymized typical starting situation; illustrative only. Contrast to RTS-001: a much LARGER delta."

reference_company:
  sector: mechanical_engineering
  known_certifications: [ISO9001]
  product_traits:
    is_machine: true
    is_component: false
    has_embedded_software: true
    connected_to_internet: false  # often not connected -> Data Act less likely, still a question
    has_remote_access: null
    generates_usage_data: null
  market: [EU]

transition_goal:
  from: [ISO9001]
  to:
    - target: CRA
      pattern: TP-ISO9001-CRA-v1
    - target: MaschinenVO
      pattern: null
      note: applies_machine_safety  # is_machine: true -> settled second target (machine safety side)

expected_outcome:
  cra:
    pattern: TP-ISO9001-CRA-v1
    # A QMS gives only process discipline...
    expected_likely_covered_at_least:
      - document_and_change_control
      - supplier_evaluation
      - release_and_approval_process
    # ...so the CRA delta is LARGE — nearly the whole security set.
    expected_delta_at_least:
      - product_cyber_risk_assessment
      - secure_development_lifecycle
      - technical_vulnerability_management
      - coordinated_vulnerability_disclosure
      - sbom_creation
      - security_update_support_period
      - secure_signed_update_distribution
      - exploited_vuln_and_incident_reporting
      - ce_conformity_assessment_and_technical_documentation
    expected_delta_much_larger_than: RTS-001  # regression: ISO9001 leaves more open than ISO27001
  maschinenvo:
    expectation: applies  # is_machine: true -> settled (not uncertain like RTS-001's component)
    expected_delta_at_least:
      - machine_safety_risk_assessment
      - mechanical_safety_and_guards
      - operating_instructions_and_safety_information
  low_convergence_note: >
    Unlike RTS-003, a QMS-only builder gets almost NO CRA<->MaschinenVO convergence:
    with no ISMS the cyber side is entirely in the delta, so few capabilities are
    shared between the two regulations. The convergence USP rewards companies that
    ALREADY have an ISMS — that is the honest contrast.
  data_act:
    expectation: uncertain
    deciding_questions: [connected_product, generates_usage_data, data_act_scope]
    rationale: "Often not a connected product, but applicability is not assumed either way — the engine must ask."