# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored). id: RTS-003 archetype: "Machine builder with an ISMS and networked products — connected machines that may generate usage data" note: "Anonymized typical starting situation; illustrative only. Highlights the Data-Act uncertainty." reference_company: sector: mechanical_engineering known_certifications: [ISO27001] # ISMS ~ ISO 27001 product_traits: is_machine: true is_component: false has_embedded_software: true connected_to_internet: true has_remote_access: true generates_usage_data: null # UNKNOWN -> the Data-Act deciding question market: [EU] transition_goal: from: [ISO27001] to: - target: CRA pattern: TP-ISO27001-CRA-v1 - target: MaschinenVO pattern: null note: pattern_pending - target: DataAct pattern: null note: uncertain_hypothesis # NOT asserted — see expected_outcome.data_act expected_outcome: cra: pattern: TP-ISO27001-CRA-v1 expected_likely_covered_at_least: - incident_management - technical_vulnerability_management - secure_development_lifecycle - access_control_and_authentication - security_logging_and_monitoring expected_delta_at_least: - sbom_creation - coordinated_vulnerability_disclosure - security_update_support_period - secure_signed_update_distribution - exploited_vuln_and_incident_reporting - product_cyber_risk_assessment - ce_conformity_assessment_and_technical_documentation data_act: expectation: uncertain # the core correction: a connected machine MAY fall under the Data Act deciding_questions: [generates_usage_data, connected_product, data_act_scope] rationale: > A networked machine is MORE likely to fall under the Data Act than a pure component, but it is NOT a settled fact — it depends on usage-data generation, user access, and scope. The Reference Suite checks that the engine recognises the RIGHT uncertainty and asks the deciding question, NOT that it writes a fixed gilt/gilt-nicht.