diff --git a/application/controllers/ServicesController.php b/application/controllers/ServicesController.php
index 10bb051..444c174 100644
--- a/application/controllers/ServicesController.php
+++ b/application/controllers/ServicesController.php
@@ -647,7 +647,7 @@ class ServicesController extends BaseController
 $orgId, $keyName, $keyPrefix, $keyHash, json_encode(['read:all', 'write:all', 'admin:org', 'sso:login']), $expiresAt,
- 'provision:' . ($caller['system'] ?? 'external'),
+ $userId, // created_by: admin utente provisioned
 ]
 );
diff --git a/application/services/EmailService.php b/application/services/EmailService.php
index a95db9f..7dcc69a 100644
--- a/application/services/EmailService.php
+++ b/application/services/EmailService.php
@@ -609,7 +609,6 @@ class EmailService
 'recipient' => $to,
 'subject' => mb_substr($subject, 0, 255),
 'status' => $success ? 'sent' : 'failed',
- 'sent_at' => date('Y-m-d H:i:s'),
 ]);
 } catch (\Throwable $e) {
 error_log('[EmailService] Errore log email: ' . $e->getMessage());
diff --git a/application/services/WebhookService.php b/application/services/WebhookService.php
index 379be82..f9dd929 100644
--- a/application/services/WebhookService.php
+++ b/application/services/WebhookService.php
@@ -237,7 +237,7 @@ class WebhookService
 'title' => $incident['title'],
 'classification' => $incident['classification'],
 'severity' => $incident['severity'],
- 'status' => $incident['status'],
+ 'status' => $incident['status'] ?? 'detected',
 'is_significant' => (bool)$incident['is_significant'],
 'detected_at' => $incident['detected_at'],
 'art23_deadlines' => [
diff --git a/simulate-nis2.php b/simulate-nis2.php
index d708182..1f5d735 100644
--- a/simulate-nis2.php
+++ b/simulate-nis2.php
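Review bot: In ServicesController.php the `created_by` value (new line 650) no longer records which calling system provisioned the key, while the row still grants `write:all` and `admin:org`. Storing `$userId` attributes the key to the provisioned admin, who did not issue it, so a later audit cannot tell a key created by a provisioning caller from one a user created. If the column has to hold a user id, keep `$caller['system'] ?? 'external'` somewhere durable next to this insert, for example in an audit-log entry. The inline comment mixes languages; `// created_by: id of the provisioned admin user` would read more clearly. The enclosing method starts and ends outside the hunk.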
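Review bot: In WebhookService.php the `?? 'detected'` fallback on `status` (new line 240) makes the outgoing payload report an incident as `detected` whenever the field is missing, which a receiver cannot tell apart from a real `detected` state. The neighbouring keys (`title`, `classification`, `severity`, `is_significant`, `detected_at`) are still read without a default, so an incomplete `$incident` record is only partly tolerated. Consider checking the record before building the payload and leaving a trace when the default is used, e.g. `if (!isset($incident['status'])) { error_log('[WebhookService] incident status missing, defaulting to detected'); }`. The payload array continues outside the hunk.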
@@ -809,13 +809,17 @@ foreach ($COMPANIES as $slug => $comp) {
 // Assessment fornitore
 if ($supId) {
+ // assessment_responses: array di {question, weight, value: yes|partial|no}
+ $highRisk = in_array($supDef['risk_level'], ['high', 'critical']);
 $assessRes = api('POST', "/supply-chain/{$supId}/assess", [
- 'has_security_controls' => 1,
- 'has_incident_procedure' => $supDef['risk_level'] !== 'low' ? 1 : 0,
- 'gdpr_compliant' => 1,
- 'nis2_contractual_clauses' => $supDef['critical'] ? 1 : 0,
- 'last_audit_date' => date('Y-m-d', strtotime('-6 months')),
- 'notes' => "Assessment automatico — fornitore {$supDef['service_type']}",
+ 'assessment_responses' => [
+ ['question' => 'Controlli sicurezza implementati', 'weight' => 3, 'value' => 'yes'],
+ ['question' => 'Procedura gestione incidenti', 'weight' => 2, 'value' => $highRisk ? 'yes' : 'partial'],
+ ['question' => 'Conformità GDPR', 'weight' => 2, 'value' => 'yes'],
+ ['question' => 'Clausole NIS2 nel contratto', 'weight' => 2, 'value' => $supDef['critical'] ? 'yes' : 'partial'],
+ ['question' => 'Audit sicurezza negli ultimi 12 mesi', 'weight' => 1, 'value' => $highRisk ? 'yes' : 'partial'],
+ ['question' => 'Piano business continuity documentato', 'weight' => 2, 'value' => 'partial'],
+ ],
 ], $jwt, $orgId);
 if (apiOk($assessRes, "supplier.assess")) {
 ok("Assessment fornitore: {$supDef['name']}");
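Review bot: The `in_array()` call that computes `$highRisk` compares loosely; pass the strict flag so a non-string `risk_level` cannot match by coercion: `$highRisk = in_array($supDef['risk_level'], ['high', 'critical'], true);`. The rewrite also narrows the incident-procedure answer: the old payload sent 1 for every `risk_level` other than `low`, while the new one sends `yes` only for `high` and `critical`, so any level in between now gets `partial`. If that is intended, say so in the comment above `$highRisk`. The `foreach` body continues outside the hunk.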