# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
id: RTS-002
archetype: "Classic machine builder with only a QMS — precision systems, CE products, no ISMS"
note: "Anonymized typical starting situation; illustrative only. Contrast to RTS-001: a much LARGER delta."

reference_company:
  sector: mechanical_engineering
  known_certifications: [ISO9001]
  product_traits:
    is_machine: true
    is_component: false
    has_embedded_software: true
    connected_to_internet: false   # often not connected -> Data Act less likely, still a question
    has_remote_access: null
    generates_usage_data: null
    market: [EU]

transition_goal:
  from: [ISO9001]
  to:
    - target: CRA
      pattern: TP-ISO9001-CRA-v1
    - target: MaschinenVO
      pattern: null
      note: pattern_pending

expected_outcome:
  cra:
    pattern: TP-ISO9001-CRA-v1
    # A QMS gives only process discipline...
    expected_likely_covered_at_least:
      - document_and_change_control
      - supplier_evaluation
      - release_and_approval_process
    # ...so the CRA delta is LARGE — nearly the whole security set.
    expected_delta_at_least:
      - product_cyber_risk_assessment
      - secure_development_lifecycle
      - technical_vulnerability_management
      - coordinated_vulnerability_disclosure
      - sbom_creation
      - security_update_support_period
      - secure_signed_update_distribution
      - exploited_vuln_and_incident_reporting
      - ce_conformity_assessment_and_technical_documentation
    expected_delta_much_larger_than: RTS-001   # regression: ISO9001 leaves more open than ISO27001
  data_act:
    expectation: uncertain
    deciding_questions: [connected_product, generates_usage_data, data_act_scope]
    rationale: "Often not a connected product, but applicability is not assumed either way — the engine must ask."