# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
id: RTS-003
archetype: "Machine builder with an ISMS and networked products — connected machines that may generate usage data"
note: "Anonymized typical starting situation; illustrative only. Highlights the Data Act uncertainty."

reference_company:
  sector: mechanical_engineering
  known_certifications: [ISO27001]      # ISMS ~ ISO 27001
  product_traits:
    is_machine: true
    is_component: false
    has_embedded_software: true
    connected_to_internet: true
    has_remote_access: true
    generates_usage_data: null          # UNKNOWN (not false) -> the deciding question for the Data Act
  market: [EU]

transition_goal:
  from: [ISO27001]
  to:
    - target: CRA
      pattern: TP-ISO27001-CRA-v1
    - target: MaschinenVO
      convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1   # multi-target pattern now exists
      note: covered_by_convergence_pattern
    - target: DataAct
      pattern: null
      note: uncertain_hypothesis        # NOT asserted: see expected_outcome.data_act

expected_outcome:
  cra:
    pattern: TP-ISO27001-CRA-v1
    expected_likely_covered_at_least:
      - incident_management
      - technical_vulnerability_management
      - secure_development_lifecycle
      - access_control_and_authentication
      - security_logging_and_monitoring
    expected_delta_at_least:
      - sbom_creation
      - coordinated_vulnerability_disclosure
      - security_update_support_period
      - secure_signed_update_distribution
      - exploited_vuln_and_incident_reporting
      - product_cyber_risk_assessment
      - ce_conformity_assessment_and_technical_documentation

  maschinenvo:
    # The machine is in scope of the Machinery Regulation (is_machine: true) -> a real second target.
    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
    expected_delta_at_least:
      - machine_safety_risk_assessment                      # mechanical safety, ISO 12100
      - mechanical_safety_and_guards
      - operating_instructions_and_safety_information
      - protection_against_corruption_of_safety_functions   # Annex III 1.1.9 = the cyber-safety bridge

  convergence:
    # The USP: capabilities that satisfy CRA AND MaschinenVO at once (covers_targets [CRA, MaschinenVO]).
    convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
    targets: [CRA, MaschinenVO]
    expected_multi_target_at_least:
      - product_cyber_risk_assessment
      - protection_against_corruption_of_safety_functions
      - secure_signed_update_distribution
      - ce_conformity_assessment_and_technical_documentation
    rationale: >
      ONE capability covers requirements in BOTH regulations: the convergence finding.
      The engine must surface these as shared, so the customer sees
      "N of M new measures satisfy CRA and MaschinenVO at once".

  data_act:
    expectation: uncertain              # the core correction: a connected machine MAY fall under the Data Act
    deciding_questions: [generates_usage_data, connected_product, data_act_scope]
    rationale: >
      A networked machine is MORE likely to fall under the Data Act than a pure component,
      but it is NOT a settled fact: it depends on usage-data generation, user access, and scope.
      The Reference Suite checks that the engine recognises the RIGHT uncertainty and asks
      the deciding question, NOT that it writes a fixed "applies / does not apply" verdict.
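The three expectations above (per-target delta, the shared "N of M" convergence set, and a Data Act result that stays a question while `generates_usage_data` is null) can be checked mechanically. The block below is an added example, not the Reference Suite's own engine: the capability catalogue `REQUIRED`, the `COVERED_BY` table for ISO 27001, the derivation of `connected_product` from the connectivity traits, and all function names are assumptions made for illustration; only the trait values and the expected lists are taken from the scenario. `check_at_least` implements the "at least" semantics of the expected lists (expected items must be present, extras are allowed).

```python
"""Hypothetical evaluator for a reference transition scenario (RTS-003 shape).

Added example, not the Reference Suite's engine. REQUIRED, COVERED_BY and the
function names are illustrative assumptions; the catalogue is built so the
scenario's "at least" expectations can be checked, it is not a legal mapping.
"""

# Scenario input, constructed from the reference_company block above.
TRAITS = {
    "is_machine": True,
    "is_component": False,
    "has_embedded_software": True,
    "connected_to_internet": True,
    "has_remote_access": True,
    "generates_usage_data": None,   # null in the scenario: unknown, not false
}

# Assumed catalogue: capabilities each target regulation demands.
REQUIRED = {
    "CRA": {
        "incident_management", "technical_vulnerability_management",
        "secure_development_lifecycle", "access_control_and_authentication",
        "security_logging_and_monitoring", "sbom_creation",
        "coordinated_vulnerability_disclosure", "security_update_support_period",
        "secure_signed_update_distribution", "exploited_vuln_and_incident_reporting",
        "product_cyber_risk_assessment",
        "ce_conformity_assessment_and_technical_documentation",
        # assumed to count for CRA as well, as the convergence block expects
        "protection_against_corruption_of_safety_functions",
    },
    "MaschinenVO": {
        "machine_safety_risk_assessment", "mechanical_safety_and_guards",
        "operating_instructions_and_safety_information",
        "protection_against_corruption_of_safety_functions",
        "product_cyber_risk_assessment", "secure_signed_update_distribution",
        "ce_conformity_assessment_and_technical_documentation",
    },
}

# Assumed: what an existing ISO 27001 ISMS already covers.
COVERED_BY = {
    "ISO27001": {
        "incident_management", "technical_vulnerability_management",
        "secure_development_lifecycle", "access_control_and_authentication",
        "security_logging_and_monitoring",
    },
}

# Deciding questions that must have a definite value before any Data Act verdict.
DATA_ACT_DECIDING = ("generates_usage_data", "connected_product")


def applicable_targets(traits: dict) -> list[str]:
    """CRA for a product with embedded software (assumption); is_machine adds MaschinenVO."""
    targets = []
    if traits.get("has_embedded_software"):
        targets.append("CRA")
    if traits.get("is_machine"):
        targets.append("MaschinenVO")
    return targets


def covered(certs: list[str]) -> set[str]:
    return set().union(*(COVERED_BY.get(c, set()) for c in certs))


def delta(target: str, certs: list[str]) -> set[str]:
    """New measures for one target: required minus what the ISMS already covers."""
    return REQUIRED[target] - covered(certs)


def convergence(targets: list[str], certs: list[str]) -> set[str]:
    """Measures that close a gap in every target at once (the 'N of M' finding)."""
    deltas = [delta(t, certs) for t in targets]
    return set.intersection(*deltas) if deltas else set()


def data_act_assessment(traits: dict) -> tuple[str, list[str]]:
    """Tri-state: ('uncertain', open questions) while a deciding trait is null,
    ('assessable', []) once all are answered. The legal conclusion is out of
    scope here; the point is that null yields a question, never a fixed verdict."""
    derived = dict(traits)
    # connected_product derived from the connectivity traits (assumption)
    derived["connected_product"] = bool(
        traits.get("connected_to_internet") or traits.get("has_remote_access"))
    open_questions = [q for q in DATA_ACT_DECIDING if derived.get(q) is None]
    return ("uncertain", open_questions) if open_questions else ("assessable", [])


def evaluate(traits: dict, certs: list[str]) -> dict:
    targets = applicable_targets(traits)
    per_target = {t: {"delta": delta(t, certs), "covered": REQUIRED[t] & covered(certs)}
                  for t in targets}
    state, questions = data_act_assessment(traits)
    return {"targets": targets, "per_target": per_target,
            "convergence": convergence(targets, certs),
            "data_act": {"expectation": state, "open_questions": questions}}


def check_at_least(actual: set[str], expected: list[str]) -> list[str]:
    """Reference-Suite style check: returns expected items that are missing (extras are fine)."""
    return sorted(set(expected) - actual)


if __name__ == "__main__":
    r = evaluate(TRAITS, ["ISO27001"])
    new_total = set().union(*(v["delta"] for v in r["per_target"].values()))
    print(f"{len(r['convergence'])} of {len(new_total)} new measures satisfy "
          f"{' and '.join(r['targets'])} at once")
    print("Data Act:", r["data_act"])
```

Run against the scenario this prints the convergence count and a Data Act result of `uncertain` with `generates_usage_data` as the open question; flipping that trait to `true` or `false` removes the question, which is the behaviour the rationale asks the engine to have.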