Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4efbfa45c4941b7d68035b301549b7a8fee314f3
breakpilot-compliance/backend-compliance/knowledge/reference_transition_scenarios/RTS-003.yaml
T
Benjamin Admin a0f72fc39b feat(rts): extend Reference Transition Scenarios to multi-regulation (CRA + MaschinenVO) 
Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the
convergence USP is a living regression, not just a one-off section.

- RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo
  expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1).
  Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING +
  4/4 expected multi-target caps converge. PASS.
- RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a
  machine; deciding question is_safety_component) — engine must never assert it applies. Honest,
  parallel to the Data-Act handling.
- RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS
  means the cyber side is entirely delta, so few caps are shared. The honest contrast that the
  convergence USP rewards companies who already run an ISMS.
- generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and
  reused. Data Act stays `uncertain` everywhere, never asserted.

All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0.
Non-runtime (knowledge + reference harness) -> no deploy (ADR-001).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-27 09:26:01 +02:00

75 lines
3.3 KiB
YAML
Raw Blame History

# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
id: RTS-003
archetype: "Machine builder with an ISMS and networked products — connected machines that may generate usage data"
note: "Anonymized typical starting situation; illustrative only. Highlights the Data-Act uncertainty."
reference_company:
sector: mechanical_engineering
known_certifications: [ISO27001] # ISMS ~ ISO 27001
product_traits:
is_machine: true
is_component: false
has_embedded_software: true
connected_to_internet: true
has_remote_access: true
generates_usage_data: null # UNKNOWN -> the Data-Act deciding question
market: [EU]
transition_goal:
from: [ISO27001]
to:
- target: CRA
pattern: TP-ISO27001-CRA-v1
- target: MaschinenVO
convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1 # multi-target pattern now exists
note: covered_by_convergence_pattern
- target: DataAct
pattern: null
note: uncertain_hypothesis # NOT asserted — see expected_outcome.data_act
expected_outcome:
cra:
pattern: TP-ISO27001-CRA-v1
expected_likely_covered_at_least:
- incident_management
- technical_vulnerability_management
- secure_development_lifecycle
- access_control_and_authentication
- security_logging_and_monitoring
expected_delta_at_least:
- sbom_creation
- coordinated_vulnerability_disclosure
- security_update_support_period
- secure_signed_update_distribution
- exploited_vuln_and_incident_reporting
- product_cyber_risk_assessment
- ce_conformity_assessment_and_technical_documentation
maschinenvo:
# The machine is in scope of the Machinery Regulation (is_machine: true) -> a real second target.
convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
expected_delta_at_least:
- machine_safety_risk_assessment # mechanical safety, ISO 12100
- mechanical_safety_and_guards
- operating_instructions_and_safety_information
- protection_against_corruption_of_safety_functions # Annex III 1.1.9 = the cyber-safety bridge
convergence:
# The USP: capabilities that satisfy CRA AND MaschinenVO at once (covers_targets [CRA, MaschinenVO]).
convergence_pattern: TP-ISO27001-CRA-MaschinenVO-v1
targets: [CRA, MaschinenVO]
expected_multi_target_at_least:
- product_cyber_risk_assessment
- protection_against_corruption_of_safety_functions
- secure_signed_update_distribution
- ce_conformity_assessment_and_technical_documentation
rationale: >
ONE capability covers requirements in BOTH regulations — the convergence finding. The engine must
surface these as shared, so the customer sees "N of M new measures satisfy CRA and MaschinenVO at once".
data_act:
expectation: uncertain # the core correction: a connected machine MAY fall under the Data Act
deciding_questions: [generates_usage_data, connected_product, data_act_scope]
rationale: >
A networked machine is MORE likely to fall under the Data Act than a pure component, but it is NOT
a settled fact — it depends on usage-data generation, user access, and scope. The Reference Suite
checks that the engine recognises the RIGHT uncertainty and asks the deciding question, NOT that it
writes a fixed gilt/gilt-nicht.
Reference in New Issue View Git Blame Copy Permalink