diff --git a/public/admin/index.html b/public/admin/index.html
new file mode 100644
index 0000000..7f68254
--- /dev/null
+++ b/public/admin/index.html
@@ -0,0 +1,375 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Pannello Amministrazione - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        .admin-stats-grid {
+            display: grid;
+            grid-template-columns: repeat(4, 1fr);
+            gap: 16px;
+            margin-bottom: 24px;
+        }
+        .admin-stat-card {
+            background: var(--card-bg);
+            border-radius: var(--border-radius-lg);
+            box-shadow: var(--card-shadow);
+            padding: 20px;
+            transition: box-shadow var(--transition), transform var(--transition);
+        }
+        .admin-stat-card:hover {
+            box-shadow: var(--card-shadow-hover);
+            transform: translateY(-2px);
+        }
+        .admin-stat-label {
+            font-size: 0.7rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.04em;
+            color: var(--gray-500);
+            margin-bottom: 8px;
+        }
+        .admin-stat-value {
+            font-size: 2rem;
+            font-weight: 800;
+            color: var(--gray-900);
+            line-height: 1;
+        }
+        .admin-stat-icon {
+            width: 40px;
+            height: 40px;
+            border-radius: var(--border-radius);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            margin-bottom: 12px;
+        }
+        .admin-stat-icon svg {
+            width: 20px;
+            height: 20px;
+        }
+        .admin-stat-icon.blue { background: var(--primary-bg); color: var(--primary); }
+        .admin-stat-icon.green { background: var(--secondary-bg); color: var(--secondary); }
+        .admin-stat-icon.orange { background: var(--warning-bg); color: #d97706; }
+        .admin-stat-icon.red { background: var(--danger-bg); color: var(--danger); }
+        .admin-stat-icon.purple { background: #f3e8ff; color: #7c3aed; }
+        .chart-container {
+            padding: 24px;
+        }
+        .bar-chart {
+            display: flex;
+            align-items: flex-end;
+            gap: 32px;
+            height: 200px;
+            padding: 0 20px;
+            border-bottom: 2px solid var(--gray-200);
+        }
+        .bar-chart-item {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            flex: 1;
+            height: 100%;
+            justify-content: flex-end;
+        }
+        .bar-chart-bar {
+            width: 60px;
+            border-radius: 6px 6px 0 0;
+            transition: height 0.8s ease;
+            min-height: 4px;
+            position: relative;
+        }
+        .bar-chart-bar.free { background: var(--gray-400); }
+        .bar-chart-bar.professional { background: var(--primary); }
+        .bar-chart-bar.enterprise { background: #7c3aed; }
+        .bar-chart-value {
+            font-size: 0.875rem;
+            font-weight: 700;
+            color: var(--gray-700);
+            margin-bottom: 8px;
+        }
+        .bar-chart-label {
+            font-size: 0.75rem;
+            color: var(--gray-500);
+            margin-top: 12px;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .quick-link-card {
+            display: flex;
+            align-items: center;
+            gap: 16px;
+            padding: 20px 24px;
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius-lg);
+            cursor: pointer;
+            transition: all var(--transition-fast);
+            text-decoration: none;
+            color: inherit;
+        }
+        .quick-link-card:hover {
+            border-color: var(--primary);
+            background: var(--primary-bg);
+            color: var(--primary);
+            transform: translateY(-2px);
+            box-shadow: var(--card-shadow-hover);
+        }
+        .quick-link-icon {
+            width: 48px;
+            height: 48px;
+            border-radius: var(--border-radius);
+            background: var(--primary-bg);
+            color: var(--primary);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            flex-shrink: 0;
+        }
+        .quick-link-icon svg {
+            width: 24px;
+            height: 24px;
+        }
+        .quick-link-info h4 {
+            font-size: 0.9375rem;
+            font-weight: 600;
+            color: var(--gray-800);
+            margin-bottom: 2px;
+        }
+        .quick-link-info p {
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+        }
+        .quick-link-card:hover .quick-link-info h4 {
+            color: var(--primary);
+        }
+        .quick-links-grid {
+            display: grid;
+            grid-template-columns: repeat(2, 1fr);
+            gap: 16px;
+        }
+        @media (max-width: 1024px) {
+            .admin-stats-grid {
+                grid-template-columns: repeat(2, 1fr);
+            }
+        }
+        @media (max-width: 768px) {
+            .admin-stats-grid {
+                grid-template-columns: 1fr;
+            }
+            .quick-links-grid {
+                grid-template-columns: 1fr;
+            }
+            .bar-chart {
+                gap: 16px;
+            }
+            .bar-chart-bar {
+                width: 40px;
+            }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Pannello Amministrazione</h2>
+                <div class="content-header-actions">
+                    <span class="badge badge-danger">Super Admin</span>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Stats Row 1 -->
+                <div class="admin-stats-grid" id="stats-row-1">
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon blue">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M4 4a2 2 0 012-2h8a2 2 0 012 2v12a1 1 0 01-1 1H5a1 1 0 01-1-1V4z"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Totale Organizzazioni</div>
+                        <div class="admin-stat-value" id="stat-total-orgs">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon green">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Organizzazioni Attive</div>
+                        <div class="admin-stat-value" id="stat-active-orgs">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon blue">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Totale Utenti</div>
+                        <div class="admin-stat-value" id="stat-total-users">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon green">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 9a3 3 0 100-6 3 3 0 000 6zm-7 9a7 7 0 1114 0H3z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Utenti Attivi</div>
+                        <div class="admin-stat-value" id="stat-active-users">--</div>
+                    </div>
+                </div>
+
+                <!-- Stats Row 2 -->
+                <div class="admin-stats-grid" id="stats-row-2">
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon purple">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 2a1 1 0 000 2h2a1 1 0 100-2H9z"/><path fill-rule="evenodd" d="M4 5a2 2 0 012-2 3 3 0 003 3h2a3 3 0 003-3 2 2 0 012 2v11a2 2 0 01-2 2H6a2 2 0 01-2-2V5zm9.707 5.707a1 1 0 00-1.414-1.414L9 12.586l-1.293-1.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Assessment Completati</div>
+                        <div class="admin-stat-value" id="stat-assessments">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon orange">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M10 2a6 6 0 00-6 6v3.586l-.707.707A1 1 0 004 14h12a1 1 0 00.707-1.707L16 11.586V8a6 6 0 00-6-6zM10 18a3 3 0 01-3-3h6a3 3 0 01-3 3z"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Incidenti Aperti</div>
+                        <div class="admin-stat-value" id="stat-incidents">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon red">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 1.944A11.954 11.954 0 012.166 5C2.056 5.649 2 6.319 2 7c0 5.225 3.34 9.67 8 11.317C14.66 16.67 18 12.225 18 7c0-.682-.057-1.35-.166-2.001A11.954 11.954 0 0110 1.944zM11 14a1 1 0 11-2 0 1 1 0 012 0zm0-7a1 1 0 10-2 0v3a1 1 0 102 0V7z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Totale Rischi</div>
+                        <div class="admin-stat-value" id="stat-risks">--</div>
+                    </div>
+                    <div class="admin-stat-card">
+                        <div class="admin-stat-icon purple">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 110 2H6v1a1 1 0 11-2 0v-1H3a1 1 0 110-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 8.512a1 1 0 010 1.836l-3.354 1.311-1.18 4.456a1 1 0 01-1.932 0L9.854 11.66 6.5 10.348a1 1 0 010-1.836l3.354-1.311 1.18-4.456A1 1 0 0112 2z"/></svg>
+                        </div>
+                        <div class="admin-stat-label">Interazioni AI</div>
+                        <div class="admin-stat-value" id="stat-ai">--</div>
+                    </div>
+                </div>
+
+                <!-- Plans Distribution -->
+                <div class="card mb-24">
+                    <div class="card-header">
+                        <h3>Distribuzione Piani</h3>
+                    </div>
+                    <div class="chart-container">
+                        <div class="bar-chart" id="plans-chart">
+                            <div class="spinner" style="margin:40px auto;"></div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Quick Links -->
+                <div class="card">
+                    <div class="card-header">
+                        <h3>Gestione Piattaforma</h3>
+                    </div>
+                    <div class="card-body">
+                        <div class="quick-links-grid">
+                            <a href="/nis2/admin/organizations.html" class="quick-link-card">
+                                <div class="quick-link-icon">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path d="M4 4a2 2 0 012-2h8a2 2 0 012 2v12a1 1 0 01-1 1H5a1 1 0 01-1-1V4z"/></svg>
+                                </div>
+                                <div class="quick-link-info">
+                                    <h4>Gestisci Organizzazioni</h4>
+                                    <p>Visualizza e gestisci tutte le organizzazioni registrate sulla piattaforma.</p>
+                                </div>
+                            </a>
+                            <a href="/nis2/admin/users.html" class="quick-link-card">
+                                <div class="quick-link-icon">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                                </div>
+                                <div class="quick-link-info">
+                                    <h4>Gestisci Utenti</h4>
+                                    <p>Visualizza e gestisci tutti gli utenti registrati sulla piattaforma.</p>
+                                </div>
+                            </a>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth check ───────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Admin check ──────────────────────────────────────────
+        (async function checkAdmin() {
+            try {
+                const me = await api.getMe();
+                if (!me.success || !me.data || me.data.role !== 'super_admin') {
+                    showNotification('Accesso non autorizzato. Solo gli amministratori possono accedere a questa pagina.', 'error');
+                    setTimeout(() => { window.location.href = '/nis2/dashboard.html'; }, 1500);
+                    return;
+                }
+                loadAdminStats();
+            } catch (e) {
+                window.location.href = '/nis2/dashboard.html';
+            }
+        })();
+
+        // ── Load Stats ───────────────────────────────────────────
+        async function loadAdminStats() {
+            try {
+                const result = await api.request('GET', '/admin/stats');
+                if (result.success && result.data) {
+                    const d = result.data;
+
+                    document.getElementById('stat-total-orgs').textContent = d.total_organizations ?? 0;
+                    document.getElementById('stat-active-orgs').textContent = d.active_organizations ?? 0;
+                    document.getElementById('stat-total-users').textContent = d.total_users ?? 0;
+                    document.getElementById('stat-active-users').textContent = d.active_users ?? 0;
+                    document.getElementById('stat-assessments').textContent = d.completed_assessments ?? 0;
+                    document.getElementById('stat-incidents').textContent = d.open_incidents ?? 0;
+                    document.getElementById('stat-risks').textContent = d.total_risks ?? 0;
+                    document.getElementById('stat-ai').textContent = d.ai_interactions ?? 0;
+
+                    renderPlansChart(d.plans_distribution || []);
+                } else {
+                    showNotification('Impossibile caricare le statistiche.', 'error');
+                }
+            } catch (e) {
+                console.error('Errore caricamento stats:', e);
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Plans Chart ──────────────────────────────────────────
+        function renderPlansChart(distribution) {
+            const container = document.getElementById('plans-chart');
+
+            const planLabels = { free: 'Free', professional: 'Professional', enterprise: 'Enterprise' };
+            const plans = { free: 0, professional: 0, enterprise: 0 };
+
+            distribution.forEach(p => {
+                const key = (p.subscription_plan || 'free').toLowerCase();
+                if (plans.hasOwnProperty(key)) {
+                    plans[key] = parseInt(p.count) || 0;
+                }
+            });
+
+            const maxVal = Math.max(1, ...Object.values(plans));
+
+            let html = '';
+            for (const [key, count] of Object.entries(plans)) {
+                const heightPct = (count / maxVal) * 100;
+                html += `
+                    <div class="bar-chart-item">
+                        <div class="bar-chart-value">${count}</div>
+                        <div class="bar-chart-bar ${key}" style="height:${Math.max(heightPct, 3)}%;"></div>
+                        <div class="bar-chart-label">${planLabels[key]}</div>
+                    </div>`;
+            }
+
+            container.innerHTML = html;
+        }
+    </script>
+</body>
+</html>
diff --git a/public/admin/organizations.html b/public/admin/organizations.html
new file mode 100644
index 0000000..c1b5638
--- /dev/null
+++ b/public/admin/organizations.html
@@ -0,0 +1,297 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Gestione Organizzazioni - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        .entity-type-badge {
+            display: inline-flex;
+            padding: 3px 10px;
+            border-radius: 100px;
+            font-size: 0.7rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .entity-type-badge.essential { background: var(--danger-bg); color: var(--danger); }
+        .entity-type-badge.important { background: var(--warning-bg); color: #a16207; }
+        .entity-type-badge.not_applicable { background: var(--gray-100); color: var(--gray-600); }
+        .plan-badge {
+            display: inline-flex;
+            padding: 3px 10px;
+            border-radius: 100px;
+            font-size: 0.7rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .plan-badge.free { background: var(--gray-100); color: var(--gray-600); }
+        .plan-badge.professional { background: var(--primary-bg); color: var(--primary); }
+        .plan-badge.enterprise { background: #f3e8ff; color: #7c3aed; }
+        .status-dot {
+            display: inline-flex;
+            align-items: center;
+            gap: 6px;
+            font-size: 0.8125rem;
+        }
+        .status-dot::before {
+            content: '';
+            width: 8px;
+            height: 8px;
+            border-radius: 50%;
+            flex-shrink: 0;
+        }
+        .status-dot.active::before { background: var(--secondary); }
+        .status-dot.inactive::before { background: var(--gray-400); }
+        .pagination {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            padding: 16px 24px;
+            border-top: 1px solid var(--gray-100);
+            background: var(--gray-50);
+        }
+        .pagination-info {
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+        }
+        .pagination-controls {
+            display: flex;
+            gap: 8px;
+        }
+        .score-inline {
+            display: inline-flex;
+            align-items: center;
+            gap: 6px;
+            font-size: 0.8125rem;
+            font-weight: 600;
+        }
+        .score-inline .score-dot {
+            width: 8px;
+            height: 8px;
+            border-radius: 50%;
+        }
+        .admin-breadcrumb {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+            margin-bottom: 20px;
+        }
+        .admin-breadcrumb a {
+            color: var(--primary);
+            text-decoration: none;
+            font-weight: 500;
+        }
+        .admin-breadcrumb a:hover {
+            text-decoration: underline;
+        }
+        .admin-breadcrumb svg {
+            width: 14px;
+            height: 14px;
+            color: var(--gray-400);
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Gestione Organizzazioni</h2>
+                <div class="content-header-actions">
+                    <span class="badge badge-danger">Super Admin</span>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Breadcrumb -->
+                <div class="admin-breadcrumb">
+                    <a href="/nis2/admin/index.html">Amministrazione</a>
+                    <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M7.293 14.707a1 1 0 010-1.414L10.586 10 7.293 6.707a1 1 0 011.414-1.414l4 4a1 1 0 010 1.414l-4 4a1 1 0 01-1.414 0z" clip-rule="evenodd"/></svg>
+                    <span>Organizzazioni</span>
+                </div>
+
+                <!-- Table -->
+                <div class="card">
+                    <div class="card-body" style="padding:0;">
+                        <div id="orgs-container">
+                            <div class="spinner" style="margin:60px auto;"></div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth check ───────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        let currentPage = 1;
+
+        // ── Admin check ──────────────────────────────────────────
+        (async function checkAdmin() {
+            try {
+                const me = await api.getMe();
+                if (!me.success || !me.data || me.data.role !== 'super_admin') {
+                    showNotification('Accesso non autorizzato.', 'error');
+                    setTimeout(() => { window.location.href = '/nis2/dashboard.html'; }, 1500);
+                    return;
+                }
+                loadOrganizations(1);
+            } catch (e) {
+                window.location.href = '/nis2/dashboard.html';
+            }
+        })();
+
+        // ── Mappature ────────────────────────────────────────────
+        const sectorLabels = {
+            energy: 'Energia', transport: 'Trasporti', banking: 'Banche',
+            health: 'Sanita\'', water: 'Acqua', digital_infra: 'Infrastrutture Digitali',
+            public_admin: 'Pubblica Amministrazione', manufacturing: 'Manifatturiero',
+            postal: 'Servizi Postali', chemical: 'Chimico', food: 'Alimentare',
+            waste: 'Rifiuti', ict_services: 'Servizi ICT',
+            digital_providers: 'Provider Digitali', space: 'Spazio',
+            research: 'Ricerca', other: 'Altro'
+        };
+
+        const entityTypeLabels = {
+            essential: 'Essenziale',
+            important: 'Importante',
+            not_applicable: 'N/A'
+        };
+
+        const planLabels = { free: 'Free', professional: 'Professional', enterprise: 'Enterprise' };
+
+        // ── Caricamento ──────────────────────────────────────────
+        async function loadOrganizations(page) {
+            const container = document.getElementById('orgs-container');
+            container.innerHTML = '<div class="spinner" style="margin:60px auto;"></div>';
+            currentPage = page;
+
+            try {
+                const result = await api.request('GET', '/admin/organizations?page=' + page);
+                if (result.success) {
+                    renderOrganizations(result.data || [], result.pagination || {});
+                } else {
+                    container.innerHTML = `
+                        <div class="empty-state">
+                            <h4>Errore nel caricamento</h4>
+                            <p>${escapeHtml(result.message || 'Errore sconosciuto')}</p>
+                        </div>`;
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderOrganizations(orgs, pagination) {
+            const container = document.getElementById('orgs-container');
+
+            if (!orgs || orgs.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M4 4a2 2 0 012-2h8a2 2 0 012 2v12a1 1 0 01-1 1H5a1 1 0 01-1-1V4z"/></svg>
+                        <h4>Nessuna organizzazione trovata</h4>
+                        <p>Le organizzazioni registrate appariranno qui.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <div class="table-container">
+                    <table>
+                        <thead>
+                            <tr>
+                                <th>Nome</th>
+                                <th>Settore</th>
+                                <th>Tipo Entita'</th>
+                                <th>Membri</th>
+                                <th>Ultimo Score</th>
+                                <th>Piano</th>
+                                <th>Stato</th>
+                                <th>Data Creazione</th>
+                            </tr>
+                        </thead>
+                        <tbody>`;
+
+            orgs.forEach(org => {
+                const entityType = org.entity_type || 'not_applicable';
+                const sector = sectorLabels[org.sector] || org.sector || '-';
+                const entityLabel = entityTypeLabels[entityType] || entityType;
+                const plan = (org.subscription_plan || 'free').toLowerCase();
+                const planLabel = planLabels[plan] || plan;
+                const isActive = org.is_active == 1 || org.is_active === true;
+                const score = org.last_score;
+                let scoreHtml = '<span class="text-muted">-</span>';
+
+                if (score !== null && score !== undefined) {
+                    const scoreColor = getScoreColor(score);
+                    scoreHtml = `
+                        <span class="score-inline">
+                            <span class="score-dot" style="background:${scoreColor}"></span>
+                            ${Math.round(score)}%
+                        </span>`;
+                }
+
+                html += `
+                    <tr>
+                        <td><strong>${escapeHtml(org.name || '-')}</strong></td>
+                        <td>${escapeHtml(sector)}</td>
+                        <td><span class="entity-type-badge ${entityType}">${escapeHtml(entityLabel)}</span></td>
+                        <td>${org.member_count ?? '-'}</td>
+                        <td>${scoreHtml}</td>
+                        <td><span class="plan-badge ${plan}">${escapeHtml(planLabel)}</span></td>
+                        <td><span class="status-dot ${isActive ? 'active' : 'inactive'}">${isActive ? 'Attiva' : 'Inattiva'}</span></td>
+                        <td>${formatDate(org.created_at)}</td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table></div>';
+
+            // Paginazione
+            const total = pagination.total || orgs.length;
+            const perPage = pagination.per_page || 20;
+            const page = pagination.page || currentPage;
+            const totalPages = Math.ceil(total / perPage);
+            const start = ((page - 1) * perPage) + 1;
+            const end = Math.min(page * perPage, total);
+
+            if (totalPages > 1) {
+                html += `
+                    <div class="pagination">
+                        <div class="pagination-info">
+                            Visualizzati ${start}-${end} di ${total} organizzazioni
+                        </div>
+                        <div class="pagination-controls">
+                            <button class="btn btn-secondary btn-sm" onclick="loadOrganizations(${page - 1})" ${page <= 1 ? 'disabled' : ''}>
+                                &laquo; Precedente
+                            </button>
+                            <button class="btn btn-secondary btn-sm" onclick="loadOrganizations(${page + 1})" ${page >= totalPages ? 'disabled' : ''}>
+                                Successivo &raquo;
+                            </button>
+                        </div>
+                    </div>`;
+            } else if (total > 0) {
+                html += `
+                    <div class="pagination">
+                        <div class="pagination-info">
+                            Totale: ${total} organizzazion${total === 1 ? 'e' : 'i'}
+                        </div>
+                        <div></div>
+                    </div>`;
+            }
+
+            container.innerHTML = html;
+        }
+    </script>
+</body>
+</html>
diff --git a/public/admin/users.html b/public/admin/users.html
new file mode 100644
index 0000000..e65d2e5
--- /dev/null
+++ b/public/admin/users.html
@@ -0,0 +1,336 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Gestione Utenti - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        .role-badge {
+            display: inline-flex;
+            padding: 3px 10px;
+            border-radius: 100px;
+            font-size: 0.7rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .role-badge.super_admin { background: var(--danger-bg); color: var(--danger); }
+        .role-badge.org_admin { background: var(--primary-bg); color: var(--primary); }
+        .role-badge.compliance_manager { background: var(--secondary-bg); color: #15803d; }
+        .role-badge.board_member { background: #f3e8ff; color: #7c3aed; }
+        .role-badge.auditor { background: var(--info-bg); color: var(--primary); }
+        .role-badge.employee { background: var(--gray-100); color: var(--gray-600); }
+        .active-toggle {
+            position: relative;
+            display: inline-flex;
+            align-items: center;
+            cursor: pointer;
+        }
+        .active-toggle input {
+            position: absolute;
+            opacity: 0;
+            width: 0;
+            height: 0;
+        }
+        .toggle-slider {
+            width: 36px;
+            height: 20px;
+            background: var(--gray-300);
+            border-radius: 10px;
+            transition: background var(--transition-fast);
+            position: relative;
+        }
+        .toggle-slider::after {
+            content: '';
+            position: absolute;
+            width: 16px;
+            height: 16px;
+            background: #fff;
+            border-radius: 50%;
+            top: 2px;
+            left: 2px;
+            transition: transform var(--transition-fast);
+            box-shadow: 0 1px 3px rgba(0,0,0,0.2);
+        }
+        .active-toggle input:checked + .toggle-slider {
+            background: var(--secondary);
+        }
+        .active-toggle input:checked + .toggle-slider::after {
+            transform: translateX(16px);
+        }
+        .pagination {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            padding: 16px 24px;
+            border-top: 1px solid var(--gray-100);
+            background: var(--gray-50);
+        }
+        .pagination-info {
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+        }
+        .pagination-controls {
+            display: flex;
+            gap: 8px;
+        }
+        .org-tags {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 4px;
+        }
+        .org-tag {
+            display: inline-flex;
+            padding: 2px 8px;
+            font-size: 0.7rem;
+            font-weight: 500;
+            background: var(--gray-100);
+            color: var(--gray-600);
+            border-radius: var(--border-radius-sm);
+            max-width: 120px;
+            overflow: hidden;
+            text-overflow: ellipsis;
+            white-space: nowrap;
+        }
+        .admin-breadcrumb {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+            margin-bottom: 20px;
+        }
+        .admin-breadcrumb a {
+            color: var(--primary);
+            text-decoration: none;
+            font-weight: 500;
+        }
+        .admin-breadcrumb a:hover {
+            text-decoration: underline;
+        }
+        .admin-breadcrumb svg {
+            width: 14px;
+            height: 14px;
+            color: var(--gray-400);
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Gestione Utenti</h2>
+                <div class="content-header-actions">
+                    <span class="badge badge-danger">Super Admin</span>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Breadcrumb -->
+                <div class="admin-breadcrumb">
+                    <a href="/nis2/admin/index.html">Amministrazione</a>
+                    <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M7.293 14.707a1 1 0 010-1.414L10.586 10 7.293 6.707a1 1 0 011.414-1.414l4 4a1 1 0 010 1.414l-4 4a1 1 0 01-1.414 0z" clip-rule="evenodd"/></svg>
+                    <span>Utenti</span>
+                </div>
+
+                <!-- Table -->
+                <div class="card">
+                    <div class="card-body" style="padding:0;">
+                        <div id="users-container">
+                            <div class="spinner" style="margin:60px auto;"></div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth check ───────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        let currentPage = 1;
+
+        // ── Admin check ──────────────────────────────────────────
+        (async function checkAdmin() {
+            try {
+                const me = await api.getMe();
+                if (!me.success || !me.data || me.data.role !== 'super_admin') {
+                    showNotification('Accesso non autorizzato.', 'error');
+                    setTimeout(() => { window.location.href = '/nis2/dashboard.html'; }, 1500);
+                    return;
+                }
+                loadUsers(1);
+            } catch (e) {
+                window.location.href = '/nis2/dashboard.html';
+            }
+        })();
+
+        // ── Mappature ────────────────────────────────────────────
+        const roleLabels = {
+            super_admin: 'Super Admin',
+            org_admin: 'Amministratore',
+            compliance_manager: 'Compliance Manager',
+            board_member: 'Membro CDA',
+            auditor: 'Auditor',
+            employee: 'Dipendente'
+        };
+
+        // ── Caricamento ──────────────────────────────────────────
+        async function loadUsers(page) {
+            const container = document.getElementById('users-container');
+            container.innerHTML = '<div class="spinner" style="margin:60px auto;"></div>';
+            currentPage = page;
+
+            try {
+                const result = await api.request('GET', '/admin/users?page=' + page);
+                if (result.success) {
+                    renderUsers(result.data || [], result.pagination || {});
+                } else {
+                    container.innerHTML = `
+                        <div class="empty-state">
+                            <h4>Errore nel caricamento</h4>
+                            <p>${escapeHtml(result.message || 'Errore sconosciuto')}</p>
+                        </div>`;
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderUsers(users, pagination) {
+            const container = document.getElementById('users-container');
+
+            if (!users || users.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                        <h4>Nessun utente trovato</h4>
+                        <p>Gli utenti registrati appariranno qui.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <div class="table-container">
+                    <table>
+                        <thead>
+                            <tr>
+                                <th>Nome</th>
+                                <th>Email</th>
+                                <th>Ruolo</th>
+                                <th>Organizzazioni</th>
+                                <th>Ultimo Login</th>
+                                <th>Attivo</th>
+                                <th>Data Creazione</th>
+                            </tr>
+                        </thead>
+                        <tbody>`;
+
+            users.forEach(user => {
+                const role = user.role || 'employee';
+                const roleLabel = roleLabels[role] || role;
+                const isActive = user.is_active == 1 || user.is_active === true;
+
+                // Organizzazioni
+                let orgsHtml = '<span class="text-muted">-</span>';
+                if (user.organizations) {
+                    const orgNames = user.organizations.split(',').filter(n => n.trim());
+                    if (orgNames.length > 0) {
+                        orgsHtml = '<div class="org-tags">';
+                        orgNames.forEach(name => {
+                            orgsHtml += `<span class="org-tag" title="${escapeHtml(name.trim())}">${escapeHtml(name.trim())}</span>`;
+                        });
+                        orgsHtml += '</div>';
+                    }
+                }
+
+                // Ultimo login
+                const lastLogin = user.last_login_at ? formatDateTime(user.last_login_at) : '<span class="text-muted">Mai</span>';
+
+                html += `
+                    <tr>
+                        <td><strong>${escapeHtml(user.full_name || '-')}</strong></td>
+                        <td>${escapeHtml(user.email || '-')}</td>
+                        <td><span class="role-badge ${role}">${escapeHtml(roleLabel)}</span></td>
+                        <td>${orgsHtml}</td>
+                        <td>${lastLogin}</td>
+                        <td>
+                            <label class="active-toggle" title="${isActive ? 'Attivo' : 'Inattivo'}">
+                                <input type="checkbox" ${isActive ? 'checked' : ''} onchange="toggleUserActive(${user.id}, this.checked)" ${role === 'super_admin' ? 'disabled' : ''}>
+                                <span class="toggle-slider"></span>
+                            </label>
+                        </td>
+                        <td>${formatDate(user.created_at)}</td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table></div>';
+
+            // Paginazione
+            const total = pagination.total || users.length;
+            const perPage = pagination.per_page || 20;
+            const page = pagination.page || currentPage;
+            const totalPages = Math.ceil(total / perPage);
+            const start = ((page - 1) * perPage) + 1;
+            const end = Math.min(page * perPage, total);
+
+            if (totalPages > 1) {
+                html += `
+                    <div class="pagination">
+                        <div class="pagination-info">
+                            Visualizzati ${start}-${end} di ${total} utenti
+                        </div>
+                        <div class="pagination-controls">
+                            <button class="btn btn-secondary btn-sm" onclick="loadUsers(${page - 1})" ${page <= 1 ? 'disabled' : ''}>
+                                &laquo; Precedente
+                            </button>
+                            <button class="btn btn-secondary btn-sm" onclick="loadUsers(${page + 1})" ${page >= totalPages ? 'disabled' : ''}>
+                                Successivo &raquo;
+                            </button>
+                        </div>
+                    </div>`;
+            } else if (total > 0) {
+                html += `
+                    <div class="pagination">
+                        <div class="pagination-info">
+                            Totale: ${total} utent${total === 1 ? 'e' : 'i'}
+                        </div>
+                        <div></div>
+                    </div>`;
+            }
+
+            container.innerHTML = html;
+        }
+
+        // ── Toggle Attivo/Inattivo ───────────────────────────────
+        async function toggleUserActive(userId, isActive) {
+            try {
+                const result = await api.request('PUT', '/admin/users/' + userId, {
+                    is_active: isActive ? 1 : 0
+                });
+
+                if (result.success) {
+                    showNotification(
+                        isActive ? 'Utente attivato con successo.' : 'Utente disattivato con successo.',
+                        'success'
+                    );
+                } else {
+                    showNotification(result.message || 'Errore nell\'aggiornamento.', 'error');
+                    // Ricarica per resettare lo stato
+                    loadUsers(currentPage);
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+                loadUsers(currentPage);
+            }
+        }
+    </script>
+</body>
+</html>
diff --git a/public/assets.html b/public/assets.html
new file mode 100644
index 0000000..209a080
--- /dev/null
+++ b/public/assets.html
@@ -0,0 +1,764 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Inventario Asset - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Stats Cards ────────────────────────────────────────── */
+        .asset-stats {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+            gap: 16px;
+            margin-bottom: 24px;
+        }
+        .asset-stat-card {
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            box-shadow: var(--card-shadow);
+            padding: 20px;
+            display: flex;
+            align-items: center;
+            gap: 16px;
+        }
+        .asset-stat-icon {
+            width: 48px;
+            height: 48px;
+            border-radius: var(--border-radius);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            flex-shrink: 0;
+        }
+        .asset-stat-icon svg { width: 24px; height: 24px; }
+        .asset-stat-icon.primary { background: var(--primary-bg); color: var(--primary); }
+        .asset-stat-icon.success { background: var(--secondary-bg); color: var(--secondary); }
+        .asset-stat-icon.danger { background: var(--danger-bg); color: var(--danger); }
+        .asset-stat-icon.warning { background: var(--warning-bg); color: var(--gray-600); }
+        .asset-stat-value {
+            font-size: 1.5rem;
+            font-weight: 700;
+            color: var(--gray-800);
+            line-height: 1.2;
+        }
+        .asset-stat-label {
+            font-size: 0.8rem;
+            color: var(--gray-500);
+        }
+
+        /* ── Filters Bar ────────────────────────────────────────── */
+        .filters-bar {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 12px;
+            margin-bottom: 20px;
+            align-items: center;
+        }
+        .filters-bar select {
+            padding: 8px 12px;
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius-sm);
+            background: var(--card-bg);
+            color: var(--gray-700);
+            font-size: 0.85rem;
+            cursor: pointer;
+        }
+        .filters-bar select:focus {
+            outline: none;
+            border-color: var(--primary);
+            box-shadow: 0 0 0 3px var(--primary-bg);
+        }
+
+        /* ── Data Table ─────────────────────────────────────────── */
+        .data-table {
+            width: 100%;
+            border-collapse: collapse;
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            overflow: hidden;
+            box-shadow: var(--card-shadow);
+        }
+        .data-table thead {
+            background: var(--gray-50);
+        }
+        .data-table th {
+            text-align: left;
+            padding: 12px 16px;
+            font-size: 0.8rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            border-bottom: 1px solid var(--gray-200);
+        }
+        .data-table td {
+            padding: 12px 16px;
+            font-size: 0.875rem;
+            color: var(--gray-700);
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .data-table tr:last-child td { border-bottom: none; }
+        .data-table tbody tr { cursor: pointer; transition: background var(--transition-fast); }
+        .data-table tbody tr:hover td { background: var(--gray-50); }
+
+        /* ── Criticality Badges ─────────────────────────────────── */
+        .criticality-badge {
+            display: inline-flex;
+            align-items: center;
+            padding: 3px 10px;
+            border-radius: 20px;
+            font-size: 0.78rem;
+            font-weight: 500;
+        }
+        .criticality-badge.critical { background: var(--danger-bg); color: var(--danger); }
+        .criticality-badge.high { background: #fff3e0; color: #e65100; }
+        .criticality-badge.medium { background: var(--warning-bg); color: #b8860b; }
+        .criticality-badge.low { background: var(--secondary-bg); color: var(--secondary); }
+
+        /* ── Status Badge ───────────────────────────────────────── */
+        .status-badge {
+            display: inline-flex;
+            align-items: center;
+            padding: 3px 10px;
+            border-radius: 20px;
+            font-size: 0.78rem;
+            font-weight: 500;
+        }
+        .status-badge.active { background: var(--secondary-bg); color: var(--secondary); }
+        .status-badge.maintenance { background: var(--warning-bg); color: #b8860b; }
+        .status-badge.decommissioned { background: var(--gray-100); color: var(--gray-500); }
+
+        /* ── Asset Detail Panel ─────────────────────────────────── */
+        .detail-grid {
+            display: grid;
+            grid-template-columns: 1fr 1fr;
+            gap: 16px;
+        }
+        .detail-field {
+            margin-bottom: 4px;
+        }
+        .detail-field-label {
+            font-size: 0.75rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            margin-bottom: 2px;
+        }
+        .detail-field-value {
+            font-size: 0.9rem;
+            color: var(--gray-800);
+        }
+        .detail-section-title {
+            font-size: 0.9rem;
+            font-weight: 600;
+            color: var(--gray-700);
+            margin: 20px 0 12px;
+            padding-bottom: 6px;
+            border-bottom: 1px solid var(--gray-200);
+        }
+        .dep-tag {
+            display: inline-flex;
+            align-items: center;
+            gap: 4px;
+            background: var(--primary-bg);
+            color: var(--primary);
+            padding: 4px 10px;
+            border-radius: 20px;
+            font-size: 0.8rem;
+            margin: 2px 4px 2px 0;
+        }
+
+        /* ── Action Buttons ─────────────────────────────────────── */
+        .btn-sm {
+            padding: 5px 12px;
+            font-size: 0.8rem;
+        }
+        .btn-icon {
+            padding: 6px;
+            background: none;
+            border: none;
+            color: var(--gray-400);
+            cursor: pointer;
+            border-radius: var(--border-radius-sm);
+            transition: all var(--transition-fast);
+        }
+        .btn-icon:hover { color: var(--primary); background: var(--primary-bg); }
+        .btn-icon svg { width: 18px; height: 18px; }
+
+        /* ── Type breakdown chips ───────────────────────────────── */
+        .type-chips {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 6px;
+            margin-top: 8px;
+        }
+        .type-chip {
+            background: var(--gray-100);
+            padding: 3px 10px;
+            border-radius: 20px;
+            font-size: 0.75rem;
+            color: var(--gray-600);
+        }
+        .type-chip strong {
+            color: var(--gray-800);
+            margin-right: 3px;
+        }
+
+        /* ── Loading/Empty ──────────────────────────────────────── */
+        .loading-state {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .loading-state .spinner {
+            width: 32px;
+            height: 32px;
+            border: 3px solid var(--gray-200);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+            margin: 0 auto 12px;
+        }
+        @keyframes spin { to { transform: rotate(360deg); } }
+
+        .empty-state-box {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .empty-state-box svg {
+            width: 48px;
+            height: 48px;
+            margin-bottom: 12px;
+            opacity: 0.5;
+        }
+        .empty-state-box h4 {
+            color: var(--gray-600);
+            margin-bottom: 4px;
+        }
+
+        /* ── Modal form enhancements ───────────────────────────── */
+        .form-grid-2 {
+            display: grid;
+            grid-template-columns: 1fr 1fr;
+            gap: 16px;
+        }
+
+        /* ── Responsive ─────────────────────────────────────────── */
+        @media (max-width: 768px) {
+            .asset-stats { grid-template-columns: 1fr 1fr; }
+            .detail-grid { grid-template-columns: 1fr; }
+            .filters-bar { flex-direction: column; }
+            .form-grid-2 { grid-template-columns: 1fr; }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Inventario Asset</h2>
+                <div class="content-header-actions">
+                    <span class="text-muted" style="font-size:0.8rem; margin-right:8px;">Art. 21.2.i NIS2</span>
+                    <button class="btn btn-primary" onclick="showCreateAssetModal()">+ Nuovo Asset</button>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Stats Cards -->
+                <div class="asset-stats" id="asset-stats">
+                    <div class="asset-stat-card">
+                        <div class="asset-stat-icon primary">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M2 5a2 2 0 012-2h12a2 2 0 012 2v2a2 2 0 01-2 2H4a2 2 0 01-2-2V5zm14 1a1 1 0 11-2 0 1 1 0 012 0zM2 13a2 2 0 012-2h12a2 2 0 012 2v2a2 2 0 01-2 2H4a2 2 0 01-2-2v-2zm14 1a1 1 0 11-2 0 1 1 0 012 0z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div>
+                            <div class="asset-stat-value" id="stat-total">--</div>
+                            <div class="asset-stat-label">Totale Asset</div>
+                        </div>
+                    </div>
+                    <div class="asset-stat-card">
+                        <div class="asset-stat-icon success">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M3 4a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zm0 4a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zm0 4a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1zm0 4a1 1 0 011-1h12a1 1 0 110 2H4a1 1 0 01-1-1z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div>
+                            <div class="asset-stat-value" id="stat-types">--</div>
+                            <div class="asset-stat-label">Tipologie</div>
+                            <div class="type-chips" id="stat-type-chips"></div>
+                        </div>
+                    </div>
+                    <div class="asset-stat-card">
+                        <div class="asset-stat-icon danger">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div>
+                            <div class="asset-stat-value" id="stat-critical">--</div>
+                            <div class="asset-stat-label">Asset Critici</div>
+                        </div>
+                    </div>
+                    <div class="asset-stat-card">
+                        <div class="asset-stat-icon warning">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zM8.707 7.293a1 1 0 00-1.414 1.414L8.586 10l-1.293 1.293a1 1 0 101.414 1.414L10 11.414l1.293 1.293a1 1 0 001.414-1.414L11.414 10l1.293-1.293a1 1 0 00-1.414-1.414L10 8.586 8.707 7.293z" clip-rule="evenodd"/></svg>
+                        </div>
+                        <div>
+                            <div class="asset-stat-value" id="stat-decommissioned">--</div>
+                            <div class="asset-stat-label">Dismessi</div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Filters -->
+                <div class="filters-bar">
+                    <select id="filter-type" onchange="applyFilters()">
+                        <option value="">Tutti i tipi</option>
+                        <option value="hardware">Hardware</option>
+                        <option value="software">Software</option>
+                        <option value="network">Rete</option>
+                        <option value="data">Dati</option>
+                        <option value="service">Servizio</option>
+                        <option value="personnel">Personale</option>
+                        <option value="facility">Struttura</option>
+                    </select>
+                    <select id="filter-criticality" onchange="applyFilters()">
+                        <option value="">Tutte le criticita'</option>
+                        <option value="critical">Critica</option>
+                        <option value="high">Alta</option>
+                        <option value="medium">Media</option>
+                        <option value="low">Bassa</option>
+                    </select>
+                    <select id="filter-status" onchange="applyFilters()">
+                        <option value="">Tutti gli stati</option>
+                        <option value="active">Attivo</option>
+                        <option value="maintenance">Manutenzione</option>
+                        <option value="decommissioned">Dismesso</option>
+                    </select>
+                </div>
+
+                <!-- Asset Table -->
+                <div id="assets-container">
+                    <div class="loading-state">
+                        <div class="spinner"></div>
+                        <p>Caricamento asset...</p>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ─────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ──────────────────────────────────────────────
+        const typeLabels = {
+            hardware: 'Hardware',
+            software: 'Software',
+            network: 'Rete',
+            data: 'Dati',
+            service: 'Servizio',
+            personnel: 'Personale',
+            facility: 'Struttura'
+        };
+
+        const criticalityLabels = {
+            critical: 'Critica',
+            high: 'Alta',
+            medium: 'Media',
+            low: 'Bassa'
+        };
+
+        const statusLabels = {
+            active: 'Attivo',
+            maintenance: 'Manutenzione',
+            decommissioned: 'Dismesso'
+        };
+
+        // ── State ───────────────────────────────────────────────
+        let allAssets = [];
+
+        // ── Load Assets ─────────────────────────────────────────
+        async function loadAssets() {
+            const container = document.getElementById('assets-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento asset...</p></div>';
+
+            const params = {};
+            const type = document.getElementById('filter-type').value;
+            const criticality = document.getElementById('filter-criticality').value;
+            const status = document.getElementById('filter-status').value;
+            if (type) params.asset_type = type;
+            if (criticality) params.criticality = criticality;
+            if (status) params.status = status;
+
+            try {
+                const result = await api.listAssets(params);
+                if (result.success) {
+                    allAssets = result.data || [];
+                    updateStats(allAssets);
+                    renderAssets(allAssets);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4><p>' + escapeHtml(result.message || '') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4><p>Impossibile caricare gli asset.</p></div>';
+            }
+        }
+
+        function applyFilters() {
+            loadAssets();
+        }
+
+        function updateStats(assets) {
+            // For stats, we count from the current filtered results
+            // In a full implementation, stats would come from the server unfiltered
+            document.getElementById('stat-total').textContent = assets.length;
+
+            // Type breakdown
+            const typeCount = {};
+            let criticalCount = 0;
+            let decommCount = 0;
+            assets.forEach(a => {
+                const t = a.asset_type || 'unknown';
+                typeCount[t] = (typeCount[t] || 0) + 1;
+                if (a.criticality === 'critical') criticalCount++;
+                if (a.status === 'decommissioned') decommCount++;
+            });
+
+            const uniqueTypes = Object.keys(typeCount).length;
+            document.getElementById('stat-types').textContent = uniqueTypes;
+            document.getElementById('stat-critical').textContent = criticalCount;
+            document.getElementById('stat-decommissioned').textContent = decommCount;
+
+            // Type chips
+            const chipsEl = document.getElementById('stat-type-chips');
+            chipsEl.innerHTML = Object.entries(typeCount).map(([type, count]) =>
+                `<span class="type-chip"><strong>${count}</strong> ${typeLabels[type] || type}</span>`
+            ).join('');
+        }
+
+        function renderAssets(assets) {
+            const container = document.getElementById('assets-container');
+
+            if (!assets || assets.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M2 5a2 2 0 012-2h12a2 2 0 012 2v2a2 2 0 01-2 2H4a2 2 0 01-2-2V5zm14 1a1 1 0 11-2 0 1 1 0 012 0zM2 13a2 2 0 012-2h12a2 2 0 012 2v2a2 2 0 01-2 2H4a2 2 0 01-2-2v-2zm14 1a1 1 0 11-2 0 1 1 0 012 0z" clip-rule="evenodd"/></svg>
+                        <h4>Nessun asset trovato</h4>
+                        <p>Registra il primo asset per costruire l'inventario.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Nome</th>
+                            <th>Tipo</th>
+                            <th>Categoria</th>
+                            <th>Criticita'</th>
+                            <th>Owner</th>
+                            <th>Stato</th>
+                            <th>Azioni</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            assets.forEach(asset => {
+                const crit = asset.criticality || 'medium';
+                const st = asset.status || 'active';
+                html += `
+                    <tr onclick="showAssetDetail(${asset.id})" title="Visualizza dettagli">
+                        <td style="font-weight:500;">${escapeHtml(asset.name)}</td>
+                        <td>${typeLabels[asset.asset_type] || asset.asset_type || '-'}</td>
+                        <td>${escapeHtml(asset.category || '-')}</td>
+                        <td><span class="criticality-badge ${crit}">${criticalityLabels[crit] || crit}</span></td>
+                        <td>${escapeHtml(asset.owner_name || '-')}</td>
+                        <td><span class="status-badge ${st}">${statusLabels[st] || st}</span></td>
+                        <td>
+                            <button class="btn-icon" onclick="event.stopPropagation(); showEditAssetModal(${asset.id})" title="Modifica">
+                                <svg viewBox="0 0 20 20" fill="currentColor"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                            </button>
+                        </td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        // ── Asset Detail View ───────────────────────────────────
+        async function showAssetDetail(id) {
+            try {
+                const result = await api.getAsset(id);
+                if (!result.success || !result.data) {
+                    showNotification('Asset non trovato.', 'error');
+                    return;
+                }
+
+                const a = result.data;
+                const crit = a.criticality || 'medium';
+                const st = a.status || 'active';
+
+                let depsHtml = '<span style="color:var(--gray-400);">Nessuna dipendenza</span>';
+                if (a.dependencies) {
+                    let deps = a.dependencies;
+                    if (typeof deps === 'string') {
+                        try { deps = JSON.parse(deps); } catch(e) { deps = []; }
+                    }
+                    if (deps && deps.length > 0) {
+                        depsHtml = deps.map(d => `<span class="dep-tag">ID: ${escapeHtml(String(d))}</span>`).join('');
+                    }
+                }
+
+                showModal(escapeHtml(a.name), `
+                    <div class="detail-grid">
+                        <div class="detail-field">
+                            <div class="detail-field-label">Tipo</div>
+                            <div class="detail-field-value">${typeLabels[a.asset_type] || a.asset_type || '-'}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Categoria</div>
+                            <div class="detail-field-value">${escapeHtml(a.category || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Criticita'</div>
+                            <div class="detail-field-value"><span class="criticality-badge ${crit}">${criticalityLabels[crit] || crit}</span></div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Stato</div>
+                            <div class="detail-field-value"><span class="status-badge ${st}">${statusLabels[st] || st}</span></div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Owner</div>
+                            <div class="detail-field-value">${escapeHtml(a.owner_name || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Posizione</div>
+                            <div class="detail-field-value">${escapeHtml(a.location || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Indirizzo IP</div>
+                            <div class="detail-field-value">${escapeHtml(a.ip_address || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Fornitore</div>
+                            <div class="detail-field-value">${escapeHtml(a.vendor || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Versione</div>
+                            <div class="detail-field-value">${escapeHtml(a.version || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Numero Seriale</div>
+                            <div class="detail-field-value">${escapeHtml(a.serial_number || '-')}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Data Acquisto</div>
+                            <div class="detail-field-value">${formatDate(a.purchase_date)}</div>
+                        </div>
+                        <div class="detail-field">
+                            <div class="detail-field-label">Scadenza Garanzia</div>
+                            <div class="detail-field-value">${formatDate(a.warranty_expiry)}</div>
+                        </div>
+                    </div>
+                    ${a.description ? `
+                        <div class="detail-section-title">Descrizione</div>
+                        <p style="font-size:0.9rem; color:var(--gray-600);">${escapeHtml(a.description)}</p>
+                    ` : ''}
+                    <div class="detail-section-title">Dipendenze</div>
+                    <div>${depsHtml}</div>
+                `, {
+                    size: 'lg',
+                    footer: `
+                        <button class="btn btn-secondary" onclick="closeModal()">Chiudi</button>
+                        <button class="btn btn-primary" onclick="closeModal(); showEditAssetModal(${a.id})">Modifica</button>
+                    `
+                });
+            } catch (e) {
+                showNotification('Errore nel caricamento dell\'asset.', 'error');
+            }
+        }
+
+        // ── Create Asset Modal ──────────────────────────────────
+        function showCreateAssetModal() {
+            showAssetModal('Nuovo Asset', {}, async function(data) {
+                try {
+                    const result = await api.createAsset(data);
+                    if (result.success) {
+                        showNotification('Asset registrato con successo!', 'success');
+                        closeModal();
+                        loadAssets();
+                    } else {
+                        showNotification(result.message || 'Errore nella creazione.', 'error');
+                    }
+                } catch (e) {
+                    showNotification('Errore di connessione.', 'error');
+                }
+            });
+        }
+
+        // ── Edit Asset Modal ────────────────────────────────────
+        async function showEditAssetModal(id) {
+            try {
+                const result = await api.getAsset(id);
+                if (!result.success || !result.data) {
+                    showNotification('Asset non trovato.', 'error');
+                    return;
+                }
+
+                showAssetModal('Modifica Asset', result.data, async function(data) {
+                    try {
+                        const res = await api.updateAsset(id, data);
+                        if (res.success) {
+                            showNotification('Asset aggiornato con successo!', 'success');
+                            closeModal();
+                            loadAssets();
+                        } else {
+                            showNotification(res.message || 'Errore nell\'aggiornamento.', 'error');
+                        }
+                    } catch (e) {
+                        showNotification('Errore di connessione.', 'error');
+                    }
+                });
+            } catch (e) {
+                showNotification('Errore nel caricamento.', 'error');
+            }
+        }
+
+        // ── Generic Asset Modal ─────────────────────────────────
+        function showAssetModal(title, asset, onSave) {
+            const a = asset || {};
+
+            const typeOptions = Object.entries(typeLabels).map(([val, label]) =>
+                `<option value="${val}" ${a.asset_type === val ? 'selected' : ''}>${label}</option>`
+            ).join('');
+
+            const critOptions = Object.entries(criticalityLabels).map(([val, label]) =>
+                `<option value="${val}" ${a.criticality === val ? 'selected' : ''}>${label}</option>`
+            ).join('');
+
+            const statusOptions = Object.entries(statusLabels).map(([val, label]) =>
+                `<option value="${val}" ${a.status === val ? 'selected' : ''}>${label}</option>`
+            ).join('');
+
+            // Store the callback
+            window._assetSaveCallback = onSave;
+
+            showModal(title, `
+                <div class="form-group">
+                    <label class="form-label">Nome *</label>
+                    <input type="text" class="form-input" id="asset-name" value="${escapeHtml(a.name || '')}" required>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Tipo *</label>
+                        <select class="form-select" id="asset-type">${typeOptions}</select>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Categoria</label>
+                        <input type="text" class="form-input" id="asset-category" value="${escapeHtml(a.category || '')}" placeholder="Es: Server, Database...">
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Descrizione</label>
+                    <textarea class="form-input" id="asset-description" rows="2">${escapeHtml(a.description || '')}</textarea>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Criticita'</label>
+                        <select class="form-select" id="asset-criticality">${critOptions}</select>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Stato</label>
+                        <select class="form-select" id="asset-status">${statusOptions}</select>
+                    </div>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Owner (ID utente)</label>
+                        <input type="text" class="form-input" id="asset-owner" value="${escapeHtml(a.owner_user_id || '')}">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Posizione</label>
+                        <input type="text" class="form-input" id="asset-location" value="${escapeHtml(a.location || '')}" placeholder="Es: Data Center Roma">
+                    </div>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Indirizzo IP</label>
+                        <input type="text" class="form-input" id="asset-ip" value="${escapeHtml(a.ip_address || '')}" placeholder="Es: 192.168.1.100">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Fornitore</label>
+                        <input type="text" class="form-input" id="asset-vendor" value="${escapeHtml(a.vendor || '')}">
+                    </div>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Versione</label>
+                        <input type="text" class="form-input" id="asset-version" value="${escapeHtml(a.version || '')}">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Numero Seriale</label>
+                        <input type="text" class="form-input" id="asset-serial" value="${escapeHtml(a.serial_number || '')}">
+                    </div>
+                </div>
+                <div class="form-grid-2">
+                    <div class="form-group">
+                        <label class="form-label">Data Acquisto</label>
+                        <input type="date" class="form-input" id="asset-purchase-date" value="${a.purchase_date || ''}">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Scadenza Garanzia</label>
+                        <input type="date" class="form-input" id="asset-warranty" value="${a.warranty_expiry || ''}">
+                    </div>
+                </div>
+            `, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="saveAsset()">Salva</button>
+                `
+            });
+        }
+
+        function saveAsset() {
+            const name = document.getElementById('asset-name').value.trim();
+            if (!name) {
+                showNotification('Il nome e\' obbligatorio.', 'warning');
+                return;
+            }
+
+            const data = {
+                name: name,
+                asset_type: document.getElementById('asset-type').value,
+                category: document.getElementById('asset-category').value.trim() || null,
+                description: document.getElementById('asset-description').value.trim() || null,
+                criticality: document.getElementById('asset-criticality').value,
+                owner_user_id: document.getElementById('asset-owner').value.trim() || null,
+                location: document.getElementById('asset-location').value.trim() || null,
+                ip_address: document.getElementById('asset-ip').value.trim() || null,
+                vendor: document.getElementById('asset-vendor').value.trim() || null,
+                version: document.getElementById('asset-version').value.trim() || null,
+                serial_number: document.getElementById('asset-serial').value.trim() || null,
+                purchase_date: document.getElementById('asset-purchase-date').value || null,
+                warranty_expiry: document.getElementById('asset-warranty').value || null,
+                status: document.getElementById('asset-status').value,
+            };
+
+            if (window._assetSaveCallback) {
+                window._assetSaveCallback(data);
+            }
+        }
+
+        // ── Initial Load ────────────────────────────────────────
+        loadAssets();
+    </script>
+</body>
+</html>
diff --git a/public/incidents.html b/public/incidents.html
new file mode 100644
index 0000000..7dd6925
--- /dev/null
+++ b/public/incidents.html
@@ -0,0 +1,1148 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Gestione Incidenti - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Filters Bar ─────────────────────────────────────── */
+        .filters-bar {
+            display: flex;
+            gap: 12px;
+            align-items: center;
+            flex-wrap: wrap;
+            margin-bottom: 20px;
+        }
+        .filters-bar .form-select {
+            width: auto;
+            min-width: 160px;
+            padding: 8px 36px 8px 12px;
+            font-size: 0.8rem;
+        }
+
+        /* ── Severity Colors ─────────────────────────────────── */
+        .severity-critical { background: var(--danger-bg); color: var(--danger); }
+        .severity-high { background: #fff7ed; color: #c2410c; }
+        .severity-medium { background: var(--warning-bg); color: #a16207; }
+        .severity-low { background: var(--secondary-bg); color: #15803d; }
+
+        /* ── Overdue Warning Icon ─────────────────────────────── */
+        .overdue-icon {
+            color: var(--danger);
+            display: inline-flex;
+            vertical-align: middle;
+            animation: pulse-warn 1.5s ease-in-out infinite;
+        }
+        @keyframes pulse-warn {
+            0%, 100% { opacity: 1; }
+            50% { opacity: 0.5; }
+        }
+
+        /* ── NIS2 Timeline ───────────────────────────────────── */
+        .nis2-timeline {
+            position: relative;
+            padding: 16px 0;
+        }
+        .nis2-timeline::before {
+            content: '';
+            position: absolute;
+            left: 20px;
+            top: 0;
+            bottom: 0;
+            width: 3px;
+            background: var(--gray-200);
+            border-radius: 2px;
+        }
+        .nis2-step {
+            position: relative;
+            padding-left: 52px;
+            margin-bottom: 28px;
+        }
+        .nis2-step:last-child { margin-bottom: 0; }
+        .nis2-step-dot {
+            position: absolute;
+            left: 10px;
+            top: 2px;
+            width: 24px;
+            height: 24px;
+            border-radius: 50%;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            background: var(--gray-200);
+            z-index: 1;
+        }
+        .nis2-step-dot svg {
+            width: 14px;
+            height: 14px;
+            fill: var(--gray-500);
+        }
+        .nis2-step-dot.sent {
+            background: var(--secondary-bg);
+        }
+        .nis2-step-dot.sent svg { fill: var(--secondary); }
+        .nis2-step-dot.overdue {
+            background: var(--danger-bg);
+        }
+        .nis2-step-dot.overdue svg { fill: var(--danger); }
+        .nis2-step-dot.approaching {
+            background: var(--warning-bg);
+        }
+        .nis2-step-dot.approaching svg { fill: #a16207; }
+
+        .nis2-step-content {
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 16px;
+        }
+        .nis2-step-content.sent { border-color: var(--secondary); background: #f0fdf4; }
+        .nis2-step-content.overdue { border-color: var(--danger); background: #fef2f2; }
+        .nis2-step-content.approaching { border-color: var(--warning); background: #fffbeb; }
+
+        .nis2-step-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: center;
+            margin-bottom: 8px;
+        }
+        .nis2-step-title {
+            font-weight: 700;
+            font-size: 0.9rem;
+            color: var(--gray-800);
+        }
+        .nis2-step-time {
+            font-size: 0.8rem;
+            color: var(--gray-500);
+        }
+        .nis2-step-countdown {
+            font-size: 0.85rem;
+            font-weight: 600;
+            margin-top: 6px;
+        }
+        .countdown-overdue { color: var(--danger); }
+        .countdown-approaching { color: #a16207; }
+        .countdown-ok { color: var(--secondary); }
+
+        /* ── Event Timeline ──────────────────────────────────── */
+        .event-timeline {
+            position: relative;
+            padding-left: 20px;
+        }
+        .event-timeline::before {
+            content: '';
+            position: absolute;
+            left: 6px;
+            top: 0;
+            bottom: 0;
+            width: 2px;
+            background: var(--gray-200);
+        }
+        .event-item {
+            position: relative;
+            padding-left: 24px;
+            padding-bottom: 20px;
+        }
+        .event-item:last-child { padding-bottom: 0; }
+        .event-item::before {
+            content: '';
+            position: absolute;
+            left: -17px;
+            top: 6px;
+            width: 10px;
+            height: 10px;
+            border-radius: 50%;
+            background: var(--primary);
+            border: 2px solid var(--card-bg);
+            z-index: 1;
+        }
+        .event-item.type-notification::before { background: var(--secondary); }
+        .event-item.type-detection::before { background: var(--danger); }
+        .event-item.type-action::before { background: var(--warning); }
+        .event-item-time {
+            font-size: 0.7rem;
+            color: var(--gray-400);
+            margin-bottom: 2px;
+        }
+        .event-item-text {
+            font-size: 0.85rem;
+            color: var(--gray-700);
+        }
+        .event-item-author {
+            font-size: 0.75rem;
+            color: var(--gray-400);
+            margin-top: 2px;
+        }
+
+        /* ── Detail View ─────────────────────────────────────── */
+        .detail-back {
+            display: inline-flex;
+            align-items: center;
+            gap: 6px;
+            font-size: 0.85rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            cursor: pointer;
+            margin-bottom: 16px;
+            border: none;
+            background: none;
+            font-family: inherit;
+            padding: 0;
+        }
+        .detail-back:hover { color: var(--primary); }
+
+        .detail-grid {
+            display: grid;
+            grid-template-columns: 2fr 1fr;
+            gap: 24px;
+        }
+        .detail-field {
+            margin-bottom: 16px;
+        }
+        .detail-field-label {
+            font-size: 0.7rem;
+            text-transform: uppercase;
+            letter-spacing: 0.05em;
+            font-weight: 600;
+            color: var(--gray-500);
+            margin-bottom: 4px;
+        }
+        .detail-field-value {
+            font-size: 0.9rem;
+            color: var(--gray-800);
+        }
+
+        /* ── Table ────────────────────────────────────────────── */
+        .table-clickable tbody tr { cursor: pointer; }
+
+        /* ── NIS2 Status Compact ──────────────────────────────── */
+        .nis2-compact {
+            display: inline-flex;
+            align-items: center;
+            gap: 3px;
+            font-size: 0.7rem;
+        }
+        .nis2-dot {
+            width: 8px;
+            height: 8px;
+            border-radius: 50%;
+            display: inline-block;
+        }
+        .nis2-dot.sent { background: var(--secondary); }
+        .nis2-dot.overdue { background: var(--danger); }
+        .nis2-dot.pending { background: var(--gray-300); }
+        .nis2-dot.approaching { background: var(--warning); }
+
+        /* ── Checkbox inline ──────────────────────────────────── */
+        .form-check-inline {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            font-size: 0.875rem;
+            cursor: pointer;
+            padding: 8px 0;
+        }
+        .form-check-inline input[type="checkbox"] {
+            accent-color: var(--primary);
+            width: 18px;
+            height: 18px;
+        }
+
+        @media (max-width: 768px) {
+            .detail-grid { grid-template-columns: 1fr; }
+            .filters-bar { flex-direction: column; align-items: stretch; }
+            .filters-bar .form-select { min-width: 100%; }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Gestione Incidenti</h2>
+                <div class="content-header-actions">
+                    <button class="btn btn-primary" onclick="showCreateIncidentModal()">+ Nuovo Incidente</button>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- List View -->
+                <div id="view-list">
+                    <div class="filters-bar">
+                        <select class="form-select" id="filter-classification" onchange="loadIncidents()">
+                            <option value="">Tutte le classificazioni</option>
+                            <option value="cyber_attack">Attacco Cyber</option>
+                            <option value="data_breach">Data Breach</option>
+                            <option value="system_failure">Guasto Sistema</option>
+                            <option value="human_error">Errore Umano</option>
+                            <option value="natural_disaster">Disastro Naturale</option>
+                            <option value="supply_chain">Supply Chain</option>
+                            <option value="other">Altro</option>
+                        </select>
+                        <select class="form-select" id="filter-severity" onchange="loadIncidents()">
+                            <option value="">Tutte le severita'</option>
+                            <option value="critical">Critico</option>
+                            <option value="high">Alto</option>
+                            <option value="medium">Medio</option>
+                            <option value="low">Basso</option>
+                        </select>
+                        <select class="form-select" id="filter-status" onchange="loadIncidents()">
+                            <option value="">Tutti gli stati</option>
+                            <option value="detected">Rilevato</option>
+                            <option value="analyzing">In Analisi</option>
+                            <option value="containing">Contenimento</option>
+                            <option value="eradicating">Eradicazione</option>
+                            <option value="recovering">Ripristino</option>
+                            <option value="closed">Chiuso</option>
+                            <option value="post_mortem">Post Mortem</option>
+                        </select>
+                    </div>
+
+                    <div class="card">
+                        <div class="table-container">
+                            <table class="table-clickable">
+                                <thead>
+                                    <tr>
+                                        <th>Codice</th>
+                                        <th>Titolo</th>
+                                        <th>Classificazione</th>
+                                        <th>Severita'</th>
+                                        <th>Stato</th>
+                                        <th>Rilevato</th>
+                                        <th>NIS2 Art. 23</th>
+                                        <th>Azioni</th>
+                                    </tr>
+                                </thead>
+                                <tbody id="incidents-table-body">
+                                    <tr>
+                                        <td colspan="8">
+                                            <div class="spinner" style="margin:40px auto;"></div>
+                                        </td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Detail View -->
+                <div id="view-detail" class="hidden"></div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ──────────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ───────────────────────────────────────────────────
+        const CLASSIFICATION_LABELS = {
+            cyber_attack: 'Attacco Cyber', data_breach: 'Data Breach',
+            system_failure: 'Guasto Sistema', human_error: 'Errore Umano',
+            natural_disaster: 'Disastro Naturale', supply_chain: 'Supply Chain', other: 'Altro'
+        };
+        const SEVERITY_LABELS = { low: 'Basso', medium: 'Medio', high: 'Alto', critical: 'Critico' };
+        const STATUS_LABELS = {
+            detected: 'Rilevato', analyzing: 'In Analisi', containing: 'Contenimento',
+            eradicating: 'Eradicazione', recovering: 'Ripristino',
+            closed: 'Chiuso', post_mortem: 'Post Mortem'
+        };
+
+        // ── Load ─────────────────────────────────────────────────────
+        loadIncidents();
+
+        async function loadIncidents() {
+            const params = {};
+            const cls = document.getElementById('filter-classification').value;
+            const sev = document.getElementById('filter-severity').value;
+            const sts = document.getElementById('filter-status').value;
+            if (cls) params.classification = cls;
+            if (sev) params.severity = sev;
+            if (sts) params.status = sts;
+
+            try {
+                const result = await api.listIncidents(params);
+                if (result.success) {
+                    renderIncidentsTable(result.data || []);
+                } else {
+                    showNotification(result.message || 'Errore nel caricamento incidenti', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Table Render ─────────────────────────────────────────────
+        function renderIncidentsTable(incidents) {
+            const tbody = document.getElementById('incidents-table-body');
+
+            if (!incidents || incidents.length === 0) {
+                tbody.innerHTML = `
+                    <tr><td colspan="8">
+                        <div class="empty-state">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M10 2a6 6 0 00-6 6v3.586l-.707.707A1 1 0 004 14h12a1 1 0 00.707-1.707L16 11.586V8a6 6 0 00-6-6zM10 18a3 3 0 01-3-3h6a3 3 0 01-3 3z"/></svg>
+                            <h4>Nessun incidente registrato</h4>
+                            <p>Clicca "Nuovo Incidente" per registrare un nuovo incidente di sicurezza.</p>
+                        </div>
+                    </td></tr>`;
+                return;
+            }
+
+            const now = new Date();
+            let html = '';
+
+            incidents.forEach(inc => {
+                const severityBadge = getSeverityBadge(inc.severity);
+                const statusBadge = getIncidentStatusBadge(inc.status);
+                const classLabel = CLASSIFICATION_LABELS[inc.classification] || inc.classification;
+                const nis2Status = renderNis2Compact(inc, now);
+
+                html += `
+                    <tr onclick="viewIncidentDetail(${inc.id})">
+                        <td><code style="font-size:0.8rem; color:var(--primary);">${escapeHtml(inc.incident_code || '-')}</code></td>
+                        <td>
+                            <strong>${escapeHtml(inc.title)}</strong>
+                            ${inc.is_significant ? '<span class="badge badge-danger" style="margin-left:6px; font-size:0.6rem;">SIGNIFICATIVO</span>' : ''}
+                        </td>
+                        <td><span class="tag">${escapeHtml(classLabel)}</span></td>
+                        <td>${severityBadge}</td>
+                        <td>${statusBadge}</td>
+                        <td style="font-size:0.8rem;">${formatDateTime(inc.detected_at)}</td>
+                        <td>${nis2Status}</td>
+                        <td>
+                            <div class="btn-group" onclick="event.stopPropagation()">
+                                <button class="btn btn-ghost btn-sm btn-icon" onclick="showUpdateIncidentModal(${inc.id})" title="Aggiorna">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                                </button>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            tbody.innerHTML = html;
+        }
+
+        function getSeverityBadge(severity) {
+            const cls = { critical: 'severity-critical', high: 'severity-high', medium: 'severity-medium', low: 'severity-low' };
+            return `<span class="badge ${cls[severity] || 'badge-neutral'}">${escapeHtml(SEVERITY_LABELS[severity] || severity)}</span>`;
+        }
+
+        function getIncidentStatusBadge(status) {
+            const map = {
+                detected: 'badge-danger', analyzing: 'badge-warning', containing: 'badge-primary',
+                eradicating: 'badge-primary', recovering: 'badge-info',
+                closed: 'badge-success', post_mortem: 'badge-neutral'
+            };
+            return `<span class="badge ${map[status] || 'badge-neutral'}">${escapeHtml(STATUS_LABELS[status] || status)}</span>`;
+        }
+
+        function renderNis2Compact(inc, now) {
+            if (!inc.is_significant) return '<span class="text-muted" style="font-size:0.75rem;">N/A</span>';
+
+            function dotClass(dueDate, sentAt) {
+                if (sentAt) return 'sent';
+                if (!dueDate) return 'pending';
+                const due = new Date(dueDate);
+                if (now > due) return 'overdue';
+                const hoursLeft = (due - now) / 3600000;
+                if (hoursLeft < 6) return 'approaching';
+                return 'pending';
+            }
+
+            const ew = dotClass(inc.early_warning_due, inc.early_warning_sent_at);
+            const nt = dotClass(inc.notification_due, inc.notification_sent_at);
+            const fr = dotClass(inc.final_report_due, inc.final_report_sent_at);
+
+            return `
+                <div class="nis2-compact">
+                    <span class="nis2-dot ${ew}" title="Early Warning 24h"></span>
+                    <span class="nis2-dot ${nt}" title="Notifica 72h"></span>
+                    <span class="nis2-dot ${fr}" title="Report Finale 30gg"></span>
+                    ${ew === 'overdue' || nt === 'overdue' || fr === 'overdue'
+                        ? '<span class="overdue-icon"><svg width="14" height="14" viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg></span>'
+                        : ''}
+                </div>`;
+        }
+
+        // ── Create Incident Modal ────────────────────────────────────
+        function showCreateIncidentModal() {
+            const nowLocal = new Date();
+            const dtLocal = nowLocal.getFullYear() + '-' +
+                String(nowLocal.getMonth()+1).padStart(2,'0') + '-' +
+                String(nowLocal.getDate()).padStart(2,'0') + 'T' +
+                String(nowLocal.getHours()).padStart(2,'0') + ':' +
+                String(nowLocal.getMinutes()).padStart(2,'0');
+
+            const content = `
+                <div class="form-group">
+                    <label class="form-label">Titolo <span class="required">*</span></label>
+                    <input type="text" class="form-input" id="inc-title" placeholder="Titolo dell'incidente">
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Descrizione <span class="required">*</span></label>
+                    <textarea class="form-textarea" id="inc-description" rows="3" placeholder="Descrizione dettagliata dell'incidente"></textarea>
+                </div>
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Classificazione</label>
+                        <select class="form-select" id="inc-classification">
+                            <option value="cyber_attack">Attacco Cyber</option>
+                            <option value="data_breach">Data Breach</option>
+                            <option value="system_failure">Guasto Sistema</option>
+                            <option value="human_error">Errore Umano</option>
+                            <option value="natural_disaster">Disastro Naturale</option>
+                            <option value="supply_chain">Supply Chain</option>
+                            <option value="other">Altro</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Severita'</label>
+                        <select class="form-select" id="inc-severity">
+                            <option value="low">Basso</option>
+                            <option value="medium" selected>Medio</option>
+                            <option value="high">Alto</option>
+                            <option value="critical">Critico</option>
+                        </select>
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Data e ora rilevamento <span class="required">*</span></label>
+                    <input type="datetime-local" class="form-input" id="inc-detected-at" value="${dtLocal}">
+                </div>
+                <div class="form-group">
+                    <label class="form-check-inline">
+                        <input type="checkbox" id="inc-significant">
+                        <span><strong>Incidente significativo</strong> (richiede notifica CSIRT/ACN ai sensi dell'Art. 23 NIS2)</span>
+                    </label>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Servizi interessati</label>
+                    <textarea class="form-textarea" id="inc-affected-services" rows="2" placeholder="Elenco dei servizi e sistemi interessati"></textarea>
+                </div>
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Utenti coinvolti</label>
+                        <input type="number" class="form-input" id="inc-affected-users" min="0" placeholder="0">
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label class="form-check-inline">
+                        <input type="checkbox" id="inc-cross-border">
+                        <span>Impatto transfrontaliero</span>
+                    </label>
+                </div>
+                <div class="form-group">
+                    <label class="form-check-inline">
+                        <input type="checkbox" id="inc-malicious">
+                        <span>Azione dolosa / malevola</span>
+                    </label>
+                </div>
+            `;
+
+            showModal('Registra Nuovo Incidente', content, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="createIncident()">Registra Incidente</button>
+                `
+            });
+        }
+
+        async function createIncident() {
+            const data = {
+                title: document.getElementById('inc-title').value.trim(),
+                description: document.getElementById('inc-description').value.trim(),
+                classification: document.getElementById('inc-classification').value,
+                severity: document.getElementById('inc-severity').value,
+                detected_at: document.getElementById('inc-detected-at').value,
+                is_significant: document.getElementById('inc-significant').checked ? 1 : 0,
+                affected_services: document.getElementById('inc-affected-services').value.trim(),
+                affected_users_count: parseInt(document.getElementById('inc-affected-users').value) || 0,
+                cross_border_impact: document.getElementById('inc-cross-border').checked ? 1 : 0,
+                malicious_action: document.getElementById('inc-malicious').checked ? 1 : 0,
+            };
+
+            if (!data.title) { showNotification('Il titolo e\' obbligatorio', 'warning'); return; }
+            if (!data.description) { showNotification('La descrizione e\' obbligatoria', 'warning'); return; }
+            if (!data.detected_at) { showNotification('La data di rilevamento e\' obbligatoria', 'warning'); return; }
+
+            try {
+                const result = await api.createIncident(data);
+                if (result.success) {
+                    closeModal();
+                    const msg = data.is_significant
+                        ? 'Incidente significativo registrato. Scadenze NIS2 Art. 23 attivate.'
+                        : 'Incidente registrato con successo.';
+                    showNotification(msg, 'success');
+                    loadIncidents();
+                } else {
+                    showNotification(result.message || 'Errore nella creazione', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Update Incident Modal ────────────────────────────────────
+        async function showUpdateIncidentModal(id) {
+            let incident = {};
+            try {
+                const result = await api.getIncident(id);
+                if (result.success) incident = result.data;
+            } catch (e) { /* defaults */ }
+
+            const content = `
+                <div class="form-group">
+                    <label class="form-label">Stato</label>
+                    <select class="form-select" id="upd-status">
+                        ${Object.entries(STATUS_LABELS).map(([k, v]) =>
+                            `<option value="${k}" ${incident.status === k ? 'selected' : ''}>${v}</option>`
+                        ).join('')}
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Causa Radice</label>
+                    <textarea class="form-textarea" id="upd-root-cause" rows="3" placeholder="Analisi della causa radice">${escapeHtml(incident.root_cause || '')}</textarea>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Azioni di Rimedio</label>
+                    <textarea class="form-textarea" id="upd-remediation" rows="3" placeholder="Azioni correttive intraprese">${escapeHtml(incident.remediation_actions || '')}</textarea>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Lezioni Apprese</label>
+                    <textarea class="form-textarea" id="upd-lessons" rows="3" placeholder="Lezioni apprese dall'incidente">${escapeHtml(incident.lessons_learned || '')}</textarea>
+                </div>
+            `;
+
+            showModal('Aggiorna Incidente - ' + escapeHtml(incident.incident_code || ''), content, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="updateIncident(${id})">Salva Aggiornamento</button>
+                `
+            });
+        }
+
+        async function updateIncident(id) {
+            const data = {
+                status: document.getElementById('upd-status').value,
+                root_cause: document.getElementById('upd-root-cause').value.trim(),
+                remediation_actions: document.getElementById('upd-remediation').value.trim(),
+                lessons_learned: document.getElementById('upd-lessons').value.trim(),
+            };
+
+            try {
+                const result = await api.updateIncident(id, data);
+                if (result.success) {
+                    closeModal();
+                    showNotification('Incidente aggiornato', 'success');
+                    loadIncidents();
+                    if (!document.getElementById('view-detail').classList.contains('hidden')) {
+                        viewIncidentDetail(id);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nell\'aggiornamento', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Detail View ──────────────────────────────────────────────
+        async function viewIncidentDetail(id) {
+            try {
+                const result = await api.getIncident(id);
+                if (!result.success) {
+                    showNotification(result.message || 'Errore nel caricamento', 'error');
+                    return;
+                }
+                renderIncidentDetail(result.data);
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        function renderIncidentDetail(inc) {
+            document.getElementById('view-list').classList.add('hidden');
+            const container = document.getElementById('view-detail');
+            container.classList.remove('hidden');
+
+            const now = new Date();
+            const classLabel = CLASSIFICATION_LABELS[inc.classification] || inc.classification;
+
+            // NIS2 Timeline
+            let nis2Html = '';
+            if (inc.is_significant) {
+                nis2Html = renderNis2Timeline(inc, now);
+            } else {
+                nis2Html = `
+                    <div class="card mb-24">
+                        <div class="card-header"><h3>NIS2 Art. 23 - Notifiche</h3></div>
+                        <div class="card-body">
+                            <p class="text-muted" style="font-size:0.85rem;">
+                                Questo incidente non e' stato classificato come significativo.
+                                Le notifiche NIS2 Art. 23 non sono richieste.
+                            </p>
+                        </div>
+                    </div>`;
+            }
+
+            // Event Timeline
+            let timelineHtml = '';
+            if (inc.timeline && inc.timeline.length > 0) {
+                inc.timeline.forEach(ev => {
+                    const typeClass = 'type-' + (ev.event_type || 'action');
+                    timelineHtml += `
+                        <div class="event-item ${typeClass}">
+                            <div class="event-item-time">${formatDateTime(ev.created_at)}</div>
+                            <div class="event-item-text">${escapeHtml(ev.description)}</div>
+                            ${ev.created_by_name ? `<div class="event-item-author">di ${escapeHtml(ev.created_by_name)}</div>` : ''}
+                        </div>`;
+                });
+            } else {
+                timelineHtml = '<p class="text-muted" style="font-size:0.85rem;">Nessun evento nella timeline.</p>';
+            }
+
+            container.innerHTML = `
+                <button class="detail-back" onclick="backToList()">
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M9.707 16.707a1 1 0 01-1.414 0l-6-6a1 1 0 010-1.414l6-6a1 1 0 011.414 1.414L5.414 9H17a1 1 0 110 2H5.414l4.293 4.293a1 1 0 010 1.414z" clip-rule="evenodd"/></svg>
+                    Torna alla lista
+                </button>
+
+                <div class="detail-grid">
+                    <div>
+                        <!-- Info Card -->
+                        <div class="card mb-24">
+                            <div class="card-header">
+                                <h3>
+                                    <code style="color:var(--primary); margin-right:8px;">${escapeHtml(inc.incident_code || '')}</code>
+                                    ${escapeHtml(inc.title)}
+                                </h3>
+                                <div class="btn-group">
+                                    <button class="btn btn-secondary btn-sm" onclick="showUpdateIncidentModal(${inc.id})">Aggiorna</button>
+                                </div>
+                            </div>
+                            <div class="card-body">
+                                <div class="form-row mb-16">
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Classificazione</div>
+                                        <div class="detail-field-value"><span class="tag">${escapeHtml(classLabel)}</span></div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Severita'</div>
+                                        <div class="detail-field-value">${getSeverityBadge(inc.severity)}</div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Stato</div>
+                                        <div class="detail-field-value">${getIncidentStatusBadge(inc.status)}</div>
+                                    </div>
+                                </div>
+
+                                ${inc.description ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Descrizione</div>
+                                    <div class="detail-field-value">${escapeHtml(inc.description)}</div>
+                                </div>` : ''}
+
+                                <div class="form-row">
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Data Rilevamento</div>
+                                        <div class="detail-field-value">${formatDateTime(inc.detected_at)}</div>
+                                    </div>
+                                    ${inc.reported_by_name ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Segnalato da</div>
+                                        <div class="detail-field-value">${escapeHtml(inc.reported_by_name)}</div>
+                                    </div>` : ''}
+                                    ${inc.assigned_to_name ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Assegnato a</div>
+                                        <div class="detail-field-value">${escapeHtml(inc.assigned_to_name)}</div>
+                                    </div>` : ''}
+                                </div>
+
+                                <div class="form-row">
+                                    ${inc.affected_services ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Servizi Interessati</div>
+                                        <div class="detail-field-value">${escapeHtml(inc.affected_services)}</div>
+                                    </div>` : ''}
+                                    ${inc.affected_users_count ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Utenti Coinvolti</div>
+                                        <div class="detail-field-value">${inc.affected_users_count}</div>
+                                    </div>` : ''}
+                                </div>
+
+                                <div class="form-row">
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Incidente Significativo</div>
+                                        <div class="detail-field-value">${inc.is_significant ? '<span class="badge badge-danger">Si</span>' : '<span class="badge badge-neutral">No</span>'}</div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Impatto Transfrontaliero</div>
+                                        <div class="detail-field-value">${inc.cross_border_impact ? 'Si' : 'No'}</div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Azione Malevola</div>
+                                        <div class="detail-field-value">${inc.malicious_action ? 'Si' : 'No'}</div>
+                                    </div>
+                                </div>
+
+                                ${inc.root_cause ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Causa Radice</div>
+                                    <div class="detail-field-value">${escapeHtml(inc.root_cause)}</div>
+                                </div>` : ''}
+                                ${inc.remediation_actions ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Azioni di Rimedio</div>
+                                    <div class="detail-field-value">${escapeHtml(inc.remediation_actions)}</div>
+                                </div>` : ''}
+                                ${inc.lessons_learned ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Lezioni Apprese</div>
+                                    <div class="detail-field-value">${escapeHtml(inc.lessons_learned)}</div>
+                                </div>` : ''}
+                            </div>
+                        </div>
+
+                        <!-- NIS2 Timeline -->
+                        ${nis2Html}
+
+                        <!-- Event Timeline -->
+                        <div class="card">
+                            <div class="card-header">
+                                <h3>Timeline Eventi</h3>
+                                <button class="btn btn-sm btn-primary" onclick="showAddEventModal(${inc.id})">+ Aggiungi Evento</button>
+                            </div>
+                            <div class="card-body">
+                                <div class="event-timeline">
+                                    ${timelineHtml}
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div>
+                        <!-- Summary -->
+                        <div class="card mb-24">
+                            <div class="card-header"><h3>Riepilogo</h3></div>
+                            <div class="card-body">
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Codice</div>
+                                    <div class="detail-field-value"><code>${escapeHtml(inc.incident_code || '-')}</code></div>
+                                </div>
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Creato il</div>
+                                    <div class="detail-field-value">${formatDateTime(inc.created_at)}</div>
+                                </div>
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Aggiornato il</div>
+                                    <div class="detail-field-value">${formatDateTime(inc.updated_at)}</div>
+                                </div>
+                                ${inc.closed_at ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Chiuso il</div>
+                                    <div class="detail-field-value">${formatDateTime(inc.closed_at)}</div>
+                                </div>` : ''}
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Eventi Timeline</div>
+                                    <div class="detail-field-value">${inc.timeline ? inc.timeline.length : 0}</div>
+                                </div>
+                            </div>
+                        </div>
+
+                        <!-- Quick Actions -->
+                        ${inc.is_significant ? `
+                        <div class="card">
+                            <div class="card-header"><h3>Azioni Rapide</h3></div>
+                            <div class="card-body" style="display:flex; flex-direction:column; gap:8px;">
+                                ${!inc.early_warning_sent_at ? `<button class="btn btn-warning w-full" onclick="doSendEarlyWarning(${inc.id})">Invia Early Warning (24h)</button>` : `<button class="btn btn-success w-full" disabled>Early Warning Inviato</button>`}
+                                ${!inc.notification_sent_at ? `<button class="btn btn-warning w-full" onclick="doSendNotification(${inc.id})">Invia Notifica (72h)</button>` : `<button class="btn btn-success w-full" disabled>Notifica Inviata</button>`}
+                                ${!inc.final_report_sent_at ? `<button class="btn btn-warning w-full" onclick="doSendFinalReport(${inc.id})">Invia Report Finale (30gg)</button>` : `<button class="btn btn-success w-full" disabled>Report Finale Inviato</button>`}
+                            </div>
+                        </div>` : ''}
+                    </div>
+                </div>
+            `;
+        }
+
+        // ── NIS2 Art. 23 Timeline Render ─────────────────────────────
+        function renderNis2Timeline(inc, now) {
+            const steps = [
+                {
+                    title: 'Early Warning (24h)',
+                    dueDate: inc.early_warning_due,
+                    sentAt: inc.early_warning_sent_at,
+                    description: 'Allerta iniziale al CSIRT nazionale (ACN) entro 24 ore dal rilevamento.',
+                    action: `doSendEarlyWarning(${inc.id})`,
+                    actionLabel: 'Invia Early Warning'
+                },
+                {
+                    title: 'Notifica Incidente (72h)',
+                    dueDate: inc.notification_due,
+                    sentAt: inc.notification_sent_at,
+                    description: 'Notifica formale al CSIRT nazionale (ACN) con dettagli dell\'incidente entro 72 ore.',
+                    action: `doSendNotification(${inc.id})`,
+                    actionLabel: 'Invia Notifica'
+                },
+                {
+                    title: 'Report Finale (30 giorni)',
+                    dueDate: inc.final_report_due,
+                    sentAt: inc.final_report_sent_at,
+                    description: 'Report finale completo con analisi della causa radice, impatto e lezioni apprese entro 30 giorni.',
+                    action: `doSendFinalReport(${inc.id})`,
+                    actionLabel: 'Invia Report Finale'
+                }
+            ];
+
+            let stepsHtml = '';
+            steps.forEach(step => {
+                let statusClass = '';
+                let dotClass = '';
+                let countdownHtml = '';
+                let actionHtml = '';
+
+                if (step.sentAt) {
+                    statusClass = 'sent';
+                    dotClass = 'sent';
+                    countdownHtml = `<div class="nis2-step-countdown countdown-ok">Inviato il ${formatDateTime(step.sentAt)}</div>`;
+                } else if (step.dueDate) {
+                    const due = new Date(step.dueDate);
+                    const diffMs = due - now;
+
+                    if (diffMs < 0) {
+                        // Overdue
+                        statusClass = 'overdue';
+                        dotClass = 'overdue';
+                        const overdueMins = Math.floor(-diffMs / 60000);
+                        const overdueHours = Math.floor(overdueMins / 60);
+                        const overdueDays = Math.floor(overdueHours / 24);
+                        let overdueText = '';
+                        if (overdueDays > 0) overdueText = `Scaduto da ${overdueDays} giorn${overdueDays === 1 ? 'o' : 'i'} e ${overdueHours % 24} ore`;
+                        else if (overdueHours > 0) overdueText = `Scaduto da ${overdueHours} or${overdueHours === 1 ? 'a' : 'e'} e ${overdueMins % 60} min`;
+                        else overdueText = `Scaduto da ${overdueMins} minut${overdueMins === 1 ? 'o' : 'i'}`;
+                        countdownHtml = `<div class="nis2-step-countdown countdown-overdue">${overdueText}</div>`;
+                        actionHtml = `<button class="btn btn-danger btn-sm mt-8" onclick="${step.action}">${step.actionLabel} (URGENTE)</button>`;
+                    } else {
+                        // Not yet due
+                        const minsLeft = Math.floor(diffMs / 60000);
+                        const hoursLeft = Math.floor(minsLeft / 60);
+                        const daysLeft = Math.floor(hoursLeft / 24);
+                        let timeText = '';
+                        if (daysLeft > 0) timeText = `${daysLeft} giorn${daysLeft === 1 ? 'o' : 'i'} e ${hoursLeft % 24} ore rimanenti`;
+                        else if (hoursLeft > 0) timeText = `${hoursLeft} or${hoursLeft === 1 ? 'a' : 'e'} e ${minsLeft % 60} min rimanenti`;
+                        else timeText = `${minsLeft} minut${minsLeft === 1 ? 'o' : 'i'} rimanenti`;
+
+                        if (hoursLeft < 6) {
+                            statusClass = 'approaching';
+                            dotClass = 'approaching';
+                            countdownHtml = `<div class="nis2-step-countdown countdown-approaching">${timeText}</div>`;
+                        } else {
+                            countdownHtml = `<div class="nis2-step-countdown" style="color:var(--gray-600);">${timeText}</div>`;
+                        }
+                        actionHtml = `<button class="btn btn-primary btn-sm mt-8" onclick="${step.action}">${step.actionLabel}</button>`;
+                    }
+                }
+
+                const checkIcon = '<svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd"/></svg>';
+                const clockIcon = '<svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm1-12a1 1 0 10-2 0v4a1 1 0 00.293.707l2.828 2.829a1 1 0 101.415-1.415L11 9.586V6z" clip-rule="evenodd"/></svg>';
+                const warnIcon = '<svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>';
+
+                let icon = clockIcon;
+                if (step.sentAt) icon = checkIcon;
+                else if (statusClass === 'overdue') icon = warnIcon;
+
+                stepsHtml += `
+                    <div class="nis2-step">
+                        <div class="nis2-step-dot ${dotClass}">${icon}</div>
+                        <div class="nis2-step-content ${statusClass}">
+                            <div class="nis2-step-header">
+                                <div class="nis2-step-title">${step.title}</div>
+                                ${step.dueDate ? `<div class="nis2-step-time">Scadenza: ${formatDateTime(step.dueDate)}</div>` : ''}
+                            </div>
+                            <p style="font-size:0.8rem; color:var(--gray-600); margin:0;">${step.description}</p>
+                            ${countdownHtml}
+                            ${!step.sentAt ? actionHtml : ''}
+                        </div>
+                    </div>`;
+            });
+
+            return `
+                <div class="card mb-24">
+                    <div class="card-header">
+                        <h3>NIS2 Art. 23 - Obblighi di Notifica</h3>
+                        <span class="badge badge-danger">Incidente Significativo</span>
+                    </div>
+                    <div class="card-body">
+                        <div class="nis2-timeline">
+                            ${stepsHtml}
+                        </div>
+                    </div>
+                </div>`;
+        }
+
+        // ── NIS2 Actions ─────────────────────────────────────────────
+        async function doSendEarlyWarning(id) {
+            showModal('Conferma Early Warning', `
+                <p>Stai per registrare l'invio dell'<strong>Early Warning (24h)</strong> al CSIRT nazionale (ACN).</p>
+                <p class="text-muted" style="margin-top:8px; font-size:0.85rem;">
+                    Questa azione registra nel sistema che l'allerta iniziale e' stata inviata.
+                    Assicurati di aver effettivamente trasmesso la comunicazione tramite i canali ufficiali.
+                </p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="executeSendEarlyWarning(${id})">Conferma Invio</button>
+                `
+            });
+        }
+
+        async function executeSendEarlyWarning(id) {
+            try {
+                const result = await api.sendEarlyWarning(id);
+                closeModal();
+                if (result.success) {
+                    showNotification('Early Warning registrato con successo', 'success');
+                    viewIncidentDetail(id);
+                } else {
+                    showNotification(result.message || 'Errore', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        async function doSendNotification(id) {
+            showModal('Conferma Notifica CSIRT', `
+                <p>Stai per registrare l'invio della <strong>Notifica Incidente (72h)</strong> al CSIRT nazionale (ACN).</p>
+                <p class="text-muted" style="margin-top:8px; font-size:0.85rem;">
+                    La notifica deve contenere una valutazione iniziale dell'incidente, la sua gravita' e il suo impatto,
+                    nonche' gli indicatori di compromissione, ove disponibili.
+                </p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="executeSendNotification(${id})">Conferma Invio</button>
+                `
+            });
+        }
+
+        async function executeSendNotification(id) {
+            try {
+                const result = await api.sendNotification(id);
+                closeModal();
+                if (result.success) {
+                    showNotification('Notifica CSIRT registrata con successo', 'success');
+                    viewIncidentDetail(id);
+                } else {
+                    showNotification(result.message || 'Errore', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        async function doSendFinalReport(id) {
+            showModal('Conferma Report Finale', `
+                <p>Stai per registrare l'invio del <strong>Report Finale (30 giorni)</strong> al CSIRT nazionale (ACN).</p>
+                <p class="text-muted" style="margin-top:8px; font-size:0.85rem;">
+                    Il report finale deve includere la descrizione dettagliata dell'incidente, la causa radice,
+                    le misure di mitigazione applicate e l'impatto transfrontaliero, se applicabile.
+                </p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="executeSendFinalReport(${id})">Conferma Invio</button>
+                `
+            });
+        }
+
+        async function executeSendFinalReport(id) {
+            try {
+                const result = await api.sendFinalReport(id);
+                closeModal();
+                if (result.success) {
+                    showNotification('Report finale registrato con successo', 'success');
+                    viewIncidentDetail(id);
+                } else {
+                    showNotification(result.message || 'Errore', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Add Timeline Event Modal ─────────────────────────────────
+        function showAddEventModal(incidentId) {
+            const content = `
+                <div class="form-group">
+                    <label class="form-label">Tipo Evento</label>
+                    <select class="form-select" id="event-type">
+                        <option value="detection">Rilevamento</option>
+                        <option value="analysis">Analisi</option>
+                        <option value="containment">Contenimento</option>
+                        <option value="eradication">Eradicazione</option>
+                        <option value="recovery">Ripristino</option>
+                        <option value="notification">Notifica</option>
+                        <option value="action">Azione</option>
+                        <option value="update">Aggiornamento</option>
+                        <option value="other">Altro</option>
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Descrizione <span class="required">*</span></label>
+                    <textarea class="form-textarea" id="event-description" rows="3" placeholder="Descrizione dell'evento"></textarea>
+                </div>
+            `;
+
+            showModal('Aggiungi Evento alla Timeline', content, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="addTimelineEvent(${incidentId})">Aggiungi Evento</button>
+                `
+            });
+        }
+
+        async function addTimelineEvent(incidentId) {
+            const data = {
+                event_type: document.getElementById('event-type').value,
+                description: document.getElementById('event-description').value.trim(),
+            };
+
+            if (!data.description) {
+                showNotification('La descrizione e\' obbligatoria', 'warning');
+                return;
+            }
+
+            try {
+                const result = await api.post(`/incidents/${incidentId}/timeline`, data);
+                if (result.success) {
+                    closeModal();
+                    showNotification('Evento aggiunto alla timeline', 'success');
+                    viewIncidentDetail(incidentId);
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Navigation ───────────────────────────────────────────────
+        function backToList() {
+            document.getElementById('view-detail').classList.add('hidden');
+            document.getElementById('view-list').classList.remove('hidden');
+        }
+    </script>
+</body>
+</html>
diff --git a/public/policies.html b/public/policies.html
new file mode 100644
index 0000000..df5d8b9
--- /dev/null
+++ b/public/policies.html
@@ -0,0 +1,930 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Policy - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Policy Page Styles ──────────────────────────────────── */
+        .filters-bar {
+            display: flex;
+            gap: 12px;
+            align-items: center;
+            flex-wrap: wrap;
+            margin-bottom: 20px;
+        }
+        .filters-bar .form-select {
+            min-width: 180px;
+            padding: 8px 12px;
+            font-size: 0.85rem;
+        }
+        .filters-bar .btn {
+            white-space: nowrap;
+        }
+
+        .policy-actions {
+            display: flex;
+            gap: 6px;
+        }
+        .policy-actions .btn {
+            padding: 5px 10px;
+            font-size: 0.75rem;
+        }
+
+        .tabs {
+            display: flex;
+            gap: 0;
+            border-bottom: 2px solid var(--gray-200);
+            margin-bottom: 24px;
+        }
+        .tab-btn {
+            padding: 10px 20px;
+            font-size: 0.875rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            background: none;
+            border: none;
+            cursor: pointer;
+            border-bottom: 2px solid transparent;
+            margin-bottom: -2px;
+            transition: all var(--transition-fast);
+        }
+        .tab-btn:hover {
+            color: var(--gray-700);
+        }
+        .tab-btn.active {
+            color: var(--primary);
+            border-bottom-color: var(--primary);
+        }
+        .tab-content {
+            display: none;
+        }
+        .tab-content.active {
+            display: block;
+        }
+
+        .template-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fill, minmax(280px, 1fr));
+            gap: 16px;
+        }
+        .template-card {
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 20px;
+            cursor: pointer;
+            transition: all var(--transition-fast);
+        }
+        .template-card:hover {
+            border-color: var(--primary);
+            box-shadow: var(--card-shadow-hover);
+            transform: translateY(-2px);
+        }
+        .template-card h4 {
+            font-size: 0.9rem;
+            color: var(--gray-800);
+            margin-bottom: 8px;
+        }
+        .template-card .template-meta {
+            font-size: 0.78rem;
+            color: var(--gray-500);
+            display: flex;
+            align-items: center;
+            gap: 12px;
+        }
+        .template-card .template-meta .tag {
+            font-size: 0.7rem;
+        }
+
+        .detail-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: flex-start;
+            margin-bottom: 24px;
+            gap: 16px;
+        }
+        .detail-header h3 {
+            font-size: 1.25rem;
+            color: var(--gray-900);
+        }
+        .detail-header-actions {
+            display: flex;
+            gap: 8px;
+            flex-shrink: 0;
+        }
+
+        .detail-grid {
+            display: grid;
+            grid-template-columns: 1fr 300px;
+            gap: 24px;
+        }
+        @media (max-width: 900px) {
+            .detail-grid {
+                grid-template-columns: 1fr;
+            }
+        }
+
+        .policy-content-box {
+            background: var(--gray-50);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 24px;
+            white-space: pre-wrap;
+            font-size: 0.875rem;
+            line-height: 1.7;
+            color: var(--gray-700);
+            min-height: 200px;
+            max-height: 600px;
+            overflow-y: auto;
+        }
+
+        .meta-card {
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 20px;
+        }
+        .meta-card h4 {
+            font-size: 0.85rem;
+            font-weight: 600;
+            color: var(--gray-800);
+            margin-bottom: 16px;
+            padding-bottom: 12px;
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .meta-row {
+            display: flex;
+            justify-content: space-between;
+            padding: 8px 0;
+            font-size: 0.82rem;
+            border-bottom: 1px solid var(--gray-50);
+        }
+        .meta-row:last-child {
+            border-bottom: none;
+        }
+        .meta-label {
+            color: var(--gray-500);
+            font-weight: 500;
+        }
+        .meta-value {
+            color: var(--gray-800);
+            font-weight: 600;
+            text-align: right;
+        }
+
+        .ai-preview {
+            background: var(--gray-50);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 20px;
+            max-height: 400px;
+            overflow-y: auto;
+            white-space: pre-wrap;
+            font-size: 0.85rem;
+            line-height: 1.6;
+            margin-top: 12px;
+        }
+        .ai-preview-header {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+            margin-bottom: 12px;
+            color: var(--primary);
+            font-weight: 600;
+            font-size: 0.9rem;
+        }
+        .ai-preview-header svg {
+            width: 20px;
+            height: 20px;
+        }
+
+        .loading-overlay {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 60px 20px;
+            flex-direction: column;
+            gap: 12px;
+            color: var(--gray-500);
+        }
+        .loading-overlay .spinner {
+            width: 32px;
+            height: 32px;
+            border: 3px solid var(--gray-200);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+        }
+        @keyframes spin {
+            to { transform: rotate(360deg); }
+        }
+
+        .text-link {
+            color: var(--primary);
+            cursor: pointer;
+            font-weight: 500;
+        }
+        .text-link:hover {
+            text-decoration: underline;
+        }
+
+        .content-header-actions {
+            display: flex;
+            gap: 8px;
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Policy</h2>
+                <div class="content-header-actions">
+                    <button class="btn btn-outline" onclick="openAIGenerateModal()">
+                        <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 110 2H6v1a1 1 0 11-2 0v-1H3a1 1 0 110-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 8.512a1 1 0 010 1.836l-3.354 1.311-1.18 4.456a1 1 0 01-1.932 0L9.854 11.66 6.5 10.348a1 1 0 010-1.836l3.354-1.311 1.18-4.456A1 1 0 0112 2z"/></svg>
+                        Genera con AI
+                    </button>
+                    <button class="btn btn-primary" onclick="openCreateModal()">+ Nuova Policy</button>
+                </div>
+            </header>
+
+            <div class="content-body" id="page-content">
+                <!-- Tabs -->
+                <div class="tabs">
+                    <button class="tab-btn active" onclick="switchTab('list')">Elenco Policy</button>
+                    <button class="tab-btn" onclick="switchTab('templates')">Template</button>
+                </div>
+
+                <!-- Tab: Lista Policy -->
+                <div class="tab-content active" id="tab-list">
+                    <div class="filters-bar">
+                        <select class="form-select" id="filter-category" onchange="loadPolicies()">
+                            <option value="">Tutte le Categorie</option>
+                            <option value="information_security">Sicurezza Informazioni</option>
+                            <option value="access_control">Controllo Accessi</option>
+                            <option value="incident_response">Risposta Incidenti</option>
+                            <option value="business_continuity">Continuita' Operativa</option>
+                            <option value="supply_chain">Supply Chain</option>
+                            <option value="encryption">Crittografia</option>
+                            <option value="hr_security">Sicurezza HR</option>
+                            <option value="asset_management">Gestione Asset</option>
+                            <option value="network_security">Sicurezza Rete</option>
+                            <option value="vulnerability_management">Gestione Vulnerabilita'</option>
+                        </select>
+                        <select class="form-select" id="filter-status" onchange="loadPolicies()">
+                            <option value="">Tutti gli Stati</option>
+                            <option value="draft">Bozza</option>
+                            <option value="review">In Revisione</option>
+                            <option value="approved">Approvata</option>
+                            <option value="published">Pubblicata</option>
+                            <option value="archived">Archiviata</option>
+                        </select>
+                    </div>
+
+                    <div class="card">
+                        <div class="table-container" id="policies-table">
+                            <div class="loading-overlay">
+                                <div class="spinner"></div>
+                                <span>Caricamento policy...</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: Template -->
+                <div class="tab-content" id="tab-templates">
+                    <div class="card">
+                        <div class="card-header">
+                            <h3>Template Policy NIS2</h3>
+                        </div>
+                        <div class="card-body" id="templates-grid">
+                            <div class="loading-overlay">
+                                <div class="spinner"></div>
+                                <span>Caricamento template...</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Detail View (hidden by default) -->
+                <div id="policy-detail-view" style="display:none;"></div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ─────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ──────────────────────────────────────────────
+        const CATEGORY_LABELS = {
+            information_security: 'Sicurezza Informazioni',
+            access_control: 'Controllo Accessi',
+            incident_response: 'Risposta Incidenti',
+            business_continuity: 'Continuita\' Operativa',
+            supply_chain: 'Supply Chain',
+            encryption: 'Crittografia',
+            hr_security: 'Sicurezza HR',
+            asset_management: 'Gestione Asset',
+            network_security: 'Sicurezza Rete',
+            vulnerability_management: 'Gestione Vulnerabilita\''
+        };
+
+        const STATUS_LABELS = {
+            draft: 'Bozza',
+            review: 'In Revisione',
+            approved: 'Approvata',
+            published: 'Pubblicata',
+            archived: 'Archiviata'
+        };
+
+        const STATUS_BADGE_CLASS = {
+            draft: 'badge-neutral',
+            review: 'badge-info',
+            approved: 'badge-success',
+            published: 'badge-primary',
+            archived: 'badge-neutral'
+        };
+
+        // ── State ───────────────────────────────────────────────
+        let currentView = 'list'; // 'list' | 'detail'
+        let policiesData = [];
+
+        // ── Tab switching ───────────────────────────────────────
+        function switchTab(tab) {
+            document.querySelectorAll('.tab-btn').forEach(b => b.classList.remove('active'));
+            document.querySelectorAll('.tab-content').forEach(c => c.classList.remove('active'));
+
+            if (tab === 'list') {
+                document.querySelectorAll('.tab-btn')[0].classList.add('active');
+                document.getElementById('tab-list').classList.add('active');
+            } else if (tab === 'templates') {
+                document.querySelectorAll('.tab-btn')[1].classList.add('active');
+                document.getElementById('tab-templates').classList.add('active');
+                loadTemplates();
+            }
+
+            // Hide detail view when switching tabs
+            document.getElementById('policy-detail-view').style.display = 'none';
+            document.querySelector('.tabs').style.display = '';
+            document.getElementById('tab-list').style.display = '';
+            document.getElementById('tab-templates').style.display = '';
+            currentView = 'list';
+        }
+
+        // ── Load Policies ───────────────────────────────────────
+        async function loadPolicies() {
+            const params = {};
+            const category = document.getElementById('filter-category').value;
+            const status = document.getElementById('filter-status').value;
+            if (category) params.category = category;
+            if (status) params.status = status;
+
+            const container = document.getElementById('policies-table');
+            container.innerHTML = '<div class="loading-overlay"><div class="spinner"></div><span>Caricamento policy...</span></div>';
+
+            try {
+                const result = await api.listPolicies(params);
+                if (result.success) {
+                    policiesData = result.data || [];
+                    renderPoliciesTable(policiesData);
+                } else {
+                    container.innerHTML = '<div class="empty-state"><h4>Errore nel caricamento</h4><p>' + escapeHtml(result.message || 'Errore sconosciuto') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4><p>Impossibile caricare le policy.</p></div>';
+            }
+        }
+
+        function renderPoliciesTable(policies) {
+            const container = document.getElementById('policies-table');
+
+            if (!policies || policies.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state" style="padding:40px 20px;">
+                        <svg viewBox="0 0 20 20" fill="currentColor" style="width:48px;height:48px;color:var(--gray-300);">
+                            <path fill-rule="evenodd" d="M4 4a2 2 0 012-2h4.586A2 2 0 0112 2.586L15.414 6A2 2 0 0116 7.414V16a2 2 0 01-2 2H6a2 2 0 01-2-2V4zm2 6a1 1 0 011-1h6a1 1 0 110 2H7a1 1 0 01-1-1zm1 3a1 1 0 100 2h6a1 1 0 100-2H7z" clip-rule="evenodd"/>
+                        </svg>
+                        <h4>Nessuna policy trovata</h4>
+                        <p>Crea la tua prima policy o utilizza un template per iniziare.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table>
+                    <thead>
+                        <tr>
+                            <th>Titolo</th>
+                            <th>Categoria</th>
+                            <th>Art. NIS2</th>
+                            <th>Versione</th>
+                            <th>Stato</th>
+                            <th>Prossima Revisione</th>
+                            <th>Azioni</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            policies.forEach(p => {
+                const catLabel = CATEGORY_LABELS[p.category] || p.category || '-';
+                const statusLabel = STATUS_LABELS[p.status] || p.status || 'Bozza';
+                const badgeClass = STATUS_BADGE_CLASS[p.status] || 'badge-neutral';
+
+                html += `
+                    <tr>
+                        <td>
+                            <span class="text-link" onclick="viewPolicy(${p.id})">${escapeHtml(p.title)}</span>
+                        </td>
+                        <td>${escapeHtml(catLabel)}</td>
+                        <td>${escapeHtml(p.nis2_article || '-')}</td>
+                        <td>${escapeHtml(p.version || '1.0')}</td>
+                        <td><span class="badge ${badgeClass}">${escapeHtml(statusLabel)}</span></td>
+                        <td>${formatDate(p.next_review_date)}</td>
+                        <td>
+                            <div class="policy-actions">
+                                <button class="btn btn-sm btn-ghost" onclick="viewPolicy(${p.id})" title="Visualizza">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path d="M10 12a2 2 0 100-4 2 2 0 000 4z"/><path fill-rule="evenodd" d="M.458 10C1.732 5.943 5.522 3 10 3s8.268 2.943 9.542 7c-1.274 4.057-5.064 7-9.542 7S1.732 14.057.458 10zM14 10a4 4 0 11-8 0 4 4 0 018 0z" clip-rule="evenodd"/></svg>
+                                </button>
+                                <button class="btn btn-sm btn-ghost" onclick="openEditModal(${p.id})" title="Modifica">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                                </button>
+                                ${p.status === 'draft' || p.status === 'review' ? `
+                                <button class="btn btn-sm btn-success" onclick="approvePolicy(${p.id})" title="Approva">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd"/></svg>
+                                </button>` : ''}
+                                <button class="btn btn-sm btn-ghost" onclick="confirmDeletePolicy(${p.id}, '${escapeHtml(p.title).replace(/'/g, "\\'")}')" title="Elimina" style="color:var(--danger);">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path fill-rule="evenodd" d="M9 2a1 1 0 00-.894.553L7.382 4H4a1 1 0 000 2v10a2 2 0 002 2h8a2 2 0 002-2V6a1 1 0 100-2h-3.382l-.724-1.447A1 1 0 0011 2H9zM7 8a1 1 0 012 0v6a1 1 0 11-2 0V8zm5-1a1 1 0 00-1 1v6a1 1 0 102 0V8a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                                </button>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        // ── View Policy Detail ──────────────────────────────────
+        async function viewPolicy(id) {
+            // Hide tabs and list
+            document.querySelector('.tabs').style.display = 'none';
+            document.getElementById('tab-list').classList.remove('active');
+            document.getElementById('tab-templates').classList.remove('active');
+
+            const detailView = document.getElementById('policy-detail-view');
+            detailView.style.display = 'block';
+            detailView.innerHTML = '<div class="loading-overlay"><div class="spinner"></div><span>Caricamento dettagli...</span></div>';
+            currentView = 'detail';
+
+            try {
+                const result = await api.getPolicy(id);
+                if (result.success && result.data) {
+                    renderPolicyDetail(result.data);
+                } else {
+                    detailView.innerHTML = '<div class="empty-state"><h4>Policy non trovata</h4></div>';
+                }
+            } catch (e) {
+                detailView.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderPolicyDetail(policy) {
+            const detailView = document.getElementById('policy-detail-view');
+            const catLabel = CATEGORY_LABELS[policy.category] || policy.category || '-';
+            const statusLabel = STATUS_LABELS[policy.status] || policy.status || 'Bozza';
+            const badgeClass = STATUS_BADGE_CLASS[policy.status] || 'badge-neutral';
+
+            detailView.innerHTML = `
+                <div class="detail-header">
+                    <div>
+                        <div style="margin-bottom:8px;">
+                            <span class="text-link" onclick="backToList()" style="font-size:0.82rem;">
+                                &larr; Torna all'elenco
+                            </span>
+                        </div>
+                        <h3>${escapeHtml(policy.title)}</h3>
+                        <div style="margin-top:8px;">
+                            <span class="badge ${badgeClass}">${escapeHtml(statusLabel)}</span>
+                            ${policy.ai_generated ? '<span class="badge badge-info" style="margin-left:6px;">AI Generata</span>' : ''}
+                        </div>
+                    </div>
+                    <div class="detail-header-actions">
+                        ${policy.status === 'draft' || policy.status === 'review' ? `
+                        <button class="btn btn-success" onclick="approvePolicy(${policy.id})">
+                            <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd"/></svg>
+                            Approva
+                        </button>` : ''}
+                        <button class="btn btn-secondary" onclick="openEditModal(${policy.id})">
+                            <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                            Modifica
+                        </button>
+                    </div>
+                </div>
+
+                <div class="detail-grid">
+                    <div>
+                        <div class="card">
+                            <div class="card-header">
+                                <h3>Contenuto Policy</h3>
+                            </div>
+                            <div class="card-body">
+                                <div class="policy-content-box">${escapeHtml(policy.content || 'Nessun contenuto disponibile.')}</div>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div>
+                        <div class="meta-card">
+                            <h4>Informazioni</h4>
+                            <div class="meta-row">
+                                <span class="meta-label">Categoria</span>
+                                <span class="meta-value">${escapeHtml(catLabel)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Art. NIS2</span>
+                                <span class="meta-value">${escapeHtml(policy.nis2_article || '-')}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Versione</span>
+                                <span class="meta-value">${escapeHtml(policy.version || '1.0')}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Stato</span>
+                                <span class="meta-value"><span class="badge ${badgeClass}">${escapeHtml(statusLabel)}</span></span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Creata il</span>
+                                <span class="meta-value">${formatDate(policy.created_at)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Aggiornata il</span>
+                                <span class="meta-value">${formatDate(policy.updated_at)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Prossima Revisione</span>
+                                <span class="meta-value">${formatDate(policy.next_review_date)}</span>
+                            </div>
+                            ${policy.approved_by_name ? `
+                            <div class="meta-row">
+                                <span class="meta-label">Approvata da</span>
+                                <span class="meta-value">${escapeHtml(policy.approved_by_name)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Approvata il</span>
+                                <span class="meta-value">${formatDate(policy.approved_at)}</span>
+                            </div>` : ''}
+                        </div>
+                    </div>
+                </div>
+            `;
+        }
+
+        function backToList() {
+            document.getElementById('policy-detail-view').style.display = 'none';
+            document.querySelector('.tabs').style.display = '';
+            switchTab('list');
+            currentView = 'list';
+        }
+
+        // ── Create / Edit Modal ─────────────────────────────────
+        function openCreateModal() {
+            showPolicyFormModal(null);
+        }
+
+        async function openEditModal(id) {
+            try {
+                const result = await api.getPolicy(id);
+                if (result.success && result.data) {
+                    showPolicyFormModal(result.data);
+                } else {
+                    showNotification('Impossibile caricare la policy.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        function showPolicyFormModal(policy) {
+            const isEdit = !!policy;
+            const title = isEdit ? 'Modifica Policy' : 'Nuova Policy';
+
+            const categoryOptions = Object.entries(CATEGORY_LABELS).map(([val, label]) =>
+                `<option value="${val}" ${policy && policy.category === val ? 'selected' : ''}>${label}</option>`
+            ).join('');
+
+            const content = `
+                <form id="policy-form" onsubmit="return false;">
+                    <div class="form-group">
+                        <label class="form-label">Titolo <span class="required">*</span></label>
+                        <input type="text" class="form-input" id="form-title" value="${isEdit ? escapeHtml(policy.title) : ''}" required placeholder="Inserisci il titolo della policy">
+                    </div>
+                    <div class="form-row" style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Categoria <span class="required">*</span></label>
+                            <select class="form-select" id="form-category" required>
+                                <option value="">Seleziona...</option>
+                                ${categoryOptions}
+                            </select>
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Articolo NIS2</label>
+                            <input type="text" class="form-input" id="form-nis2-article" value="${isEdit && policy.nis2_article ? escapeHtml(policy.nis2_article) : ''}" placeholder="es. 21.2.a">
+                        </div>
+                    </div>
+                    <div class="form-row" style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Versione</label>
+                            <input type="text" class="form-input" id="form-version" value="${isEdit && policy.version ? escapeHtml(policy.version) : '1.0'}" placeholder="1.0">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Prossima Revisione</label>
+                            <input type="date" class="form-input" id="form-review-date" value="${isEdit && policy.next_review_date ? policy.next_review_date.substring(0, 10) : ''}">
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Contenuto</label>
+                        <textarea class="form-textarea" id="form-content" rows="12" placeholder="Inserisci il contenuto della policy...&#10;&#10;Puoi strutturare il documento con sezioni:&#10;1. Scopo&#10;2. Ambito&#10;3. Responsabilita'&#10;4. Procedure&#10;5. Revisione">${isEdit && policy.content ? escapeHtml(policy.content) : ''}</textarea>
+                    </div>
+                </form>
+            `;
+
+            showModal(title, content, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="savePolicy(${isEdit ? policy.id : 'null'})">${isEdit ? 'Salva Modifiche' : 'Crea Policy'}</button>
+                `
+            });
+        }
+
+        async function savePolicy(id) {
+            const title = document.getElementById('form-title').value.trim();
+            const category = document.getElementById('form-category').value;
+
+            if (!title) {
+                showNotification('Il titolo e\' obbligatorio.', 'warning');
+                return;
+            }
+            if (!category) {
+                showNotification('La categoria e\' obbligatoria.', 'warning');
+                return;
+            }
+
+            const data = {
+                title: title,
+                category: category,
+                nis2_article: document.getElementById('form-nis2-article').value.trim(),
+                version: document.getElementById('form-version').value.trim() || '1.0',
+                content: document.getElementById('form-content').value,
+                next_review_date: document.getElementById('form-review-date').value || null,
+            };
+
+            try {
+                let result;
+                if (id) {
+                    result = await api.updatePolicy(id, data);
+                } else {
+                    result = await api.createPolicy(data);
+                }
+
+                if (result.success) {
+                    closeModal();
+                    showNotification(id ? 'Policy aggiornata con successo.' : 'Policy creata con successo.', 'success');
+                    loadPolicies();
+                    if (currentView === 'detail' && id) {
+                        viewPolicy(id);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Approve Policy ──────────────────────────────────────
+        async function approvePolicy(id) {
+            showModal('Conferma Approvazione', `
+                <p>Sei sicuro di voler approvare questa policy?</p>
+                <p style="margin-top:8px;font-size:0.85rem;color:var(--gray-500);">Lo stato verra' modificato in "Approvata" e non sara' piu' possibile annullare l'operazione.</p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-success" onclick="doApprovePolicy(${id})">Approva</button>
+                `
+            });
+        }
+
+        async function doApprovePolicy(id) {
+            closeModal();
+            try {
+                const result = await api.approvePolicy(id);
+                if (result.success) {
+                    showNotification('Policy approvata con successo.', 'success');
+                    loadPolicies();
+                    if (currentView === 'detail') {
+                        viewPolicy(id);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nell\'approvazione.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Delete Policy ───────────────────────────────────────
+        function confirmDeletePolicy(id, title) {
+            showModal('Conferma Eliminazione', `
+                <p>Sei sicuro di voler eliminare la policy <strong>${title}</strong>?</p>
+                <p style="margin-top:8px;font-size:0.85rem;color:var(--danger);">Questa azione e' irreversibile.</p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-danger" onclick="doDeletePolicy(${id})">Elimina</button>
+                `
+            });
+        }
+
+        async function doDeletePolicy(id) {
+            closeModal();
+            try {
+                const result = await api.del(`/policies/${id}`);
+                if (result.success) {
+                    showNotification('Policy eliminata.', 'success');
+                    loadPolicies();
+                    if (currentView === 'detail') {
+                        backToList();
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nell\'eliminazione.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── AI Generate ─────────────────────────────────────────
+        function openAIGenerateModal() {
+            const categoryOptions = Object.entries(CATEGORY_LABELS).map(([val, label]) =>
+                `<option value="${val}">${label}</option>`
+            ).join('');
+
+            showModal('Genera Policy con AI', `
+                <p style="margin-bottom:16px;color:var(--gray-600);font-size:0.9rem;">
+                    Seleziona la categoria per generare automaticamente una bozza di policy tramite intelligenza artificiale.
+                    Il contenuto generato potra' essere rivisto e modificato prima della pubblicazione.
+                </p>
+                <div class="form-group">
+                    <label class="form-label">Categoria Policy <span class="required">*</span></label>
+                    <select class="form-select" id="ai-category">
+                        ${categoryOptions}
+                    </select>
+                </div>
+                <div id="ai-preview-container" style="display:none;"></div>
+            `, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" id="ai-generate-btn" onclick="doAIGenerate()">
+                        <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 110 2H6v1a1 1 0 11-2 0v-1H3a1 1 0 110-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 8.512a1 1 0 010 1.836l-3.354 1.311-1.18 4.456a1 1 0 01-1.932 0L9.854 11.66 6.5 10.348a1 1 0 010-1.836l3.354-1.311 1.18-4.456A1 1 0 0112 2z"/></svg>
+                        Genera
+                    </button>
+                `
+            });
+        }
+
+        let aiGeneratedData = null;
+
+        async function doAIGenerate() {
+            const category = document.getElementById('ai-category').value;
+            const btn = document.getElementById('ai-generate-btn');
+            const previewContainer = document.getElementById('ai-preview-container');
+
+            btn.disabled = true;
+            btn.innerHTML = '<div class="spinner" style="width:16px;height:16px;border-width:2px;margin:0 auto;"></div> Generazione...';
+
+            try {
+                const result = await api.aiGeneratePolicy(category);
+                if (result.success && result.data) {
+                    aiGeneratedData = result.data;
+                    previewContainer.style.display = 'block';
+                    previewContainer.innerHTML = `
+                        <div class="ai-preview-header">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 110 2H6v1a1 1 0 11-2 0v-1H3a1 1 0 110-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 8.512a1 1 0 010 1.836l-3.354 1.311-1.18 4.456a1 1 0 01-1.932 0L9.854 11.66 6.5 10.348a1 1 0 010-1.836l3.354-1.311 1.18-4.456A1 1 0 0112 2z"/></svg>
+                            Policy Generata: ${escapeHtml(aiGeneratedData.title || '')}
+                        </div>
+                        <div class="ai-preview">${escapeHtml(aiGeneratedData.content || '')}</div>
+                    `;
+
+                    // Change footer buttons
+                    const footer = btn.closest('.modal-footer');
+                    footer.innerHTML = `
+                        <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                        <button class="btn btn-primary" onclick="saveAIGeneratedPolicy()">Salva come Bozza</button>
+                    `;
+                } else {
+                    showNotification(result.message || 'Errore nella generazione AI.', 'error');
+                    btn.disabled = false;
+                    btn.textContent = 'Genera';
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+                btn.disabled = false;
+                btn.textContent = 'Genera';
+            }
+        }
+
+        async function saveAIGeneratedPolicy() {
+            if (!aiGeneratedData) return;
+
+            const data = {
+                title: aiGeneratedData.title || 'Policy Generata AI',
+                category: aiGeneratedData.category || document.getElementById('ai-category')?.value || 'information_security',
+                nis2_article: aiGeneratedData.nis2_article || '',
+                content: aiGeneratedData.content || '',
+                version: '1.0',
+                ai_generated: 1,
+            };
+
+            try {
+                const result = await api.createPolicy(data);
+                if (result.success) {
+                    closeModal();
+                    showNotification('Policy AI salvata come bozza.', 'success');
+                    aiGeneratedData = null;
+                    loadPolicies();
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Templates ───────────────────────────────────────────
+        async function loadTemplates() {
+            const container = document.getElementById('templates-grid');
+            container.innerHTML = '<div class="loading-overlay"><div class="spinner"></div><span>Caricamento template...</span></div>';
+
+            try {
+                const result = await api.getPolicyTemplates();
+                if (result.success && result.data) {
+                    renderTemplates(result.data);
+                } else {
+                    container.innerHTML = '<div class="empty-state"><h4>Nessun template disponibile</h4></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderTemplates(templates) {
+            const container = document.getElementById('templates-grid');
+
+            if (!templates || templates.length === 0) {
+                container.innerHTML = '<div class="empty-state"><h4>Nessun template disponibile</h4></div>';
+                return;
+            }
+
+            let html = '<div class="template-grid">';
+            templates.forEach(t => {
+                const catLabel = CATEGORY_LABELS[t.category] || t.category;
+                html += `
+                    <div class="template-card" onclick="createFromTemplate('${escapeHtml(t.category)}', '${escapeHtml(t.title).replace(/'/g, "\\'")}', '${escapeHtml(t.nis2_article || '').replace(/'/g, "\\'")}')">
+                        <h4>${escapeHtml(t.title)}</h4>
+                        <div class="template-meta">
+                            <span class="tag">${escapeHtml(catLabel)}</span>
+                            ${t.nis2_article ? `<span style="color:var(--gray-400);">Art. ${escapeHtml(t.nis2_article)}</span>` : ''}
+                        </div>
+                    </div>
+                `;
+            });
+            html += '</div>';
+            container.innerHTML = html;
+        }
+
+        function createFromTemplate(category, title, nis2Article) {
+            showPolicyFormModal({
+                title: title,
+                category: category,
+                nis2_article: nis2Article,
+                version: '1.0',
+                content: '',
+            });
+        }
+
+        // ── Init ────────────────────────────────────────────────
+        loadPolicies();
+    </script>
+</body>
+</html>
diff --git a/public/reports.html b/public/reports.html
new file mode 100644
index 0000000..3c23724
--- /dev/null
+++ b/public/reports.html
@@ -0,0 +1,902 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Audit e Report - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Tab Navigation ─────────────────────────────────────── */
+        .tab-nav {
+            display: flex;
+            gap: 0;
+            border-bottom: 2px solid var(--gray-200);
+            margin-bottom: 24px;
+        }
+        .tab-nav button {
+            padding: 12px 24px;
+            background: none;
+            border: none;
+            border-bottom: 2px solid transparent;
+            margin-bottom: -2px;
+            color: var(--gray-500);
+            font-size: 0.9rem;
+            font-weight: 500;
+            cursor: pointer;
+            transition: all var(--transition-fast);
+        }
+        .tab-nav button:hover {
+            color: var(--gray-700);
+            background: var(--gray-50);
+        }
+        .tab-nav button.active {
+            color: var(--primary);
+            border-bottom-color: var(--primary);
+        }
+        .tab-panel { display: none; }
+        .tab-panel.active { display: block; }
+
+        /* ── Data Table ─────────────────────────────────────────── */
+        .data-table {
+            width: 100%;
+            border-collapse: collapse;
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            overflow: hidden;
+            box-shadow: var(--card-shadow);
+        }
+        .data-table thead {
+            background: var(--gray-50);
+        }
+        .data-table th {
+            text-align: left;
+            padding: 12px 16px;
+            font-size: 0.8rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            border-bottom: 1px solid var(--gray-200);
+        }
+        .data-table td {
+            padding: 12px 16px;
+            font-size: 0.875rem;
+            color: var(--gray-700);
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .data-table tr:last-child td { border-bottom: none; }
+        .data-table tbody tr:hover td { background: var(--gray-50); }
+
+        /* ── Status Badges ──────────────────────────────────────── */
+        .status-badge {
+            display: inline-flex;
+            align-items: center;
+            padding: 3px 10px;
+            border-radius: 20px;
+            font-size: 0.78rem;
+            font-weight: 500;
+        }
+        .status-badge.not_started { background: var(--gray-100); color: var(--gray-600); }
+        .status-badge.in_progress { background: var(--info-bg); color: var(--info); }
+        .status-badge.implemented { background: var(--secondary-bg); color: var(--secondary); }
+        .status-badge.verified { background: var(--primary-bg); color: var(--primary); }
+
+        /* ── Progress Bar ───────────────────────────────────────── */
+        .progress-bar-container {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+        }
+        .progress-bar {
+            flex-grow: 1;
+            height: 6px;
+            background: var(--gray-200);
+            border-radius: 3px;
+            overflow: hidden;
+            min-width: 80px;
+        }
+        .progress-bar-fill {
+            height: 100%;
+            border-radius: 3px;
+            transition: width 0.3s ease;
+        }
+        .progress-pct {
+            font-size: 0.8rem;
+            font-weight: 600;
+            min-width: 36px;
+            text-align: right;
+            color: var(--gray-600);
+        }
+
+        /* ── Report Section ─────────────────────────────────────── */
+        .report-container {
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            box-shadow: var(--card-shadow);
+            overflow: hidden;
+        }
+        .report-header {
+            background: var(--gray-800);
+            color: white;
+            padding: 32px;
+            text-align: center;
+        }
+        .report-header h3 {
+            font-size: 1.3rem;
+            margin-bottom: 4px;
+        }
+        .report-header p {
+            color: var(--gray-300);
+            font-size: 0.85rem;
+        }
+        .report-body {
+            padding: 24px 32px;
+        }
+        .report-section {
+            margin-bottom: 24px;
+        }
+        .report-section-title {
+            font-size: 1rem;
+            font-weight: 600;
+            color: var(--gray-800);
+            margin-bottom: 12px;
+            padding-bottom: 8px;
+            border-bottom: 2px solid var(--primary-bg);
+        }
+        .report-summary-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+            gap: 16px;
+        }
+        .report-summary-item {
+            text-align: center;
+            padding: 16px;
+            background: var(--gray-50);
+            border-radius: var(--border-radius);
+        }
+        .report-summary-value {
+            font-size: 1.8rem;
+            font-weight: 700;
+            color: var(--gray-800);
+            line-height: 1.2;
+        }
+        .report-summary-label {
+            font-size: 0.8rem;
+            color: var(--gray-500);
+            margin-top: 4px;
+        }
+        .report-compliance-bar {
+            height: 20px;
+            background: var(--gray-200);
+            border-radius: 10px;
+            overflow: hidden;
+            margin: 12px 0;
+        }
+        .report-compliance-fill {
+            height: 100%;
+            border-radius: 10px;
+            transition: width 0.5s ease;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            color: white;
+            font-size: 0.75rem;
+            font-weight: 600;
+        }
+
+        /* ── ISO Mapping ────────────────────────────────────────── */
+        .iso-mapping-row {
+            display: flex;
+            align-items: center;
+            gap: 16px;
+            padding: 12px 0;
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .iso-mapping-row:last-child { border-bottom: none; }
+        .iso-nis2-badge {
+            background: var(--primary-bg);
+            color: var(--primary);
+            padding: 6px 14px;
+            border-radius: 20px;
+            font-size: 0.82rem;
+            font-weight: 600;
+            white-space: nowrap;
+            min-width: 90px;
+            text-align: center;
+        }
+        .iso-arrow {
+            color: var(--gray-300);
+            flex-shrink: 0;
+        }
+        .iso-arrow svg { width: 20px; height: 20px; }
+        .iso-controls {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 6px;
+            flex-grow: 1;
+        }
+        .iso-control-badge {
+            background: var(--secondary-bg);
+            color: var(--secondary);
+            padding: 4px 10px;
+            border-radius: 20px;
+            font-size: 0.78rem;
+            font-weight: 500;
+        }
+        .iso-title {
+            font-size: 0.85rem;
+            color: var(--gray-500);
+            min-width: 200px;
+        }
+
+        /* ── Pagination ─────────────────────────────────────────── */
+        .pagination {
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            gap: 12px;
+            margin-top: 20px;
+            padding: 12px;
+        }
+        .pagination button {
+            padding: 8px 16px;
+            border: 1px solid var(--gray-200);
+            background: var(--card-bg);
+            border-radius: var(--border-radius-sm);
+            color: var(--gray-600);
+            cursor: pointer;
+            font-size: 0.85rem;
+            transition: all var(--transition-fast);
+        }
+        .pagination button:hover:not(:disabled) {
+            background: var(--primary-bg);
+            border-color: var(--primary);
+            color: var(--primary);
+        }
+        .pagination button:disabled {
+            opacity: 0.4;
+            cursor: not-allowed;
+        }
+        .pagination .page-info {
+            font-size: 0.85rem;
+            color: var(--gray-500);
+        }
+
+        /* ── Audit Log Action ───────────────────────────────────── */
+        .log-action {
+            display: inline-flex;
+            align-items: center;
+            gap: 4px;
+            font-size: 0.82rem;
+        }
+        .log-entity {
+            background: var(--gray-100);
+            padding: 2px 8px;
+            border-radius: var(--border-radius-sm);
+            font-size: 0.8rem;
+            color: var(--gray-600);
+            font-family: var(--font-mono);
+        }
+        .log-details {
+            max-width: 300px;
+            white-space: nowrap;
+            overflow: hidden;
+            text-overflow: ellipsis;
+            font-size: 0.8rem;
+            color: var(--gray-400);
+            cursor: help;
+        }
+
+        /* ── Controls Row Clickable ─────────────────────────────── */
+        .data-table tbody tr.clickable-row { cursor: pointer; }
+
+        /* ── Loading/Empty ──────────────────────────────────────── */
+        .loading-state {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .loading-state .spinner {
+            width: 32px;
+            height: 32px;
+            border: 3px solid var(--gray-200);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+            margin: 0 auto 12px;
+        }
+        @keyframes spin { to { transform: rotate(360deg); } }
+
+        .empty-state-box {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .empty-state-box svg {
+            width: 48px;
+            height: 48px;
+            margin-bottom: 12px;
+            opacity: 0.5;
+        }
+        .empty-state-box h4 {
+            color: var(--gray-600);
+            margin-bottom: 4px;
+        }
+
+        /* ── Print ──────────────────────────────────────────────── */
+        @media print {
+            .sidebar, .content-header, .tab-nav, .btn { display: none !important; }
+            .main-content { margin: 0 !important; padding: 0 !important; }
+            .report-container { box-shadow: none; border: 1px solid #ddd; }
+            body { background: white; }
+        }
+
+        /* ── Responsive ─────────────────────────────────────────── */
+        @media (max-width: 768px) {
+            .tab-nav button { padding: 10px 12px; font-size: 0.8rem; }
+            .iso-mapping-row { flex-direction: column; align-items: flex-start; }
+            .iso-title { min-width: auto; }
+            .report-summary-grid { grid-template-columns: 1fr 1fr; }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Audit e Report</h2>
+                <div class="content-header-actions">
+                    <button class="btn btn-primary" onclick="generateReport()">Genera Report</button>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Tab Navigation -->
+                <div class="tab-nav">
+                    <button class="active" onclick="switchTab('report', this)">Report Compliance</button>
+                    <button onclick="switchTab('controls', this)">Controlli</button>
+                    <button onclick="switchTab('audit', this)">Audit Log</button>
+                    <button onclick="switchTab('iso', this)">ISO 27001</button>
+                </div>
+
+                <!-- Tab: Report Compliance -->
+                <div class="tab-panel active" id="tab-report">
+                    <div id="report-container">
+                        <div class="empty-state-box">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M4 4a2 2 0 012-2h4.586A2 2 0 0112 2.586L15.414 6A2 2 0 0116 7.414V16a2 2 0 01-2 2H6a2 2 0 01-2-2V4zm2 6a1 1 0 011-1h6a1 1 0 110 2H7a1 1 0 01-1-1zm1 3a1 1 0 100 2h6a1 1 0 100-2H7z" clip-rule="evenodd"/></svg>
+                            <h4>Nessun report generato</h4>
+                            <p>Clicca "Genera Report" per creare un report di compliance aggiornato.</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: Controlli -->
+                <div class="tab-panel" id="tab-controls">
+                    <div id="controls-container">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento controlli...</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: Audit Log -->
+                <div class="tab-panel" id="tab-audit">
+                    <div id="audit-container">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento log...</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: ISO 27001 -->
+                <div class="tab-panel" id="tab-iso">
+                    <div id="iso-container">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento mapping...</p>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ─────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ──────────────────────────────────────────────
+        const controlStatusLabels = {
+            not_started: 'Non Iniziato',
+            in_progress: 'In Corso',
+            implemented: 'Implementato',
+            verified: 'Verificato'
+        };
+
+        const actionLabels = {
+            login: 'Accesso effettuato',
+            logout: 'Disconnessione',
+            user_created: 'Utente creato',
+            org_created: 'Organizzazione creata',
+            assessment_created: 'Assessment creato',
+            assessment_completed: 'Assessment completato',
+            risk_created: 'Rischio creato',
+            risk_updated: 'Rischio aggiornato',
+            risk_deleted: 'Rischio eliminato',
+            incident_created: 'Incidente registrato',
+            incident_updated: 'Incidente aggiornato',
+            early_warning_sent: 'Pre-allarme inviato',
+            notification_sent: 'Notifica inviata',
+            policy_created: 'Policy creata',
+            policy_updated: 'Policy aggiornata',
+            policy_approved: 'Policy approvata',
+            policy_ai_generated: 'Policy generata con AI',
+            supplier_created: 'Fornitore creato',
+            supplier_assessed: 'Fornitore valutato',
+            course_created: 'Corso creato',
+            training_assigned: 'Formazione assegnata',
+            asset_created: 'Asset registrato',
+            asset_updated: 'Asset aggiornato',
+            asset_deleted: 'Asset eliminato',
+            control_updated: 'Controllo aggiornato',
+            evidence_uploaded: 'Evidenza caricata'
+        };
+
+        // ── State ───────────────────────────────────────────────
+        let auditPage = 1;
+        let auditTotalPages = 1;
+
+        // ── Tab Switch ──────────────────────────────────────────
+        function switchTab(tabId, btn) {
+            document.querySelectorAll('.tab-nav button').forEach(b => b.classList.remove('active'));
+            document.querySelectorAll('.tab-panel').forEach(p => p.classList.remove('active'));
+            btn.classList.add('active');
+            document.getElementById('tab-' + tabId).classList.add('active');
+
+            if (tabId === 'controls') loadControls();
+            if (tabId === 'audit') { auditPage = 1; loadAuditLogs(); }
+            if (tabId === 'iso') loadIsoMapping();
+        }
+
+        // ══════════════════════════════════════════════════════════
+        // TAB 1: Compliance Report
+        // ══════════════════════════════════════════════════════════
+        async function generateReport() {
+            const container = document.getElementById('report-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Generazione report in corso...</p></div>';
+
+            // Switch to report tab
+            document.querySelectorAll('.tab-nav button').forEach(b => b.classList.remove('active'));
+            document.querySelectorAll('.tab-panel').forEach(p => p.classList.remove('active'));
+            document.querySelector('.tab-nav button').classList.add('active');
+            document.getElementById('tab-report').classList.add('active');
+
+            try {
+                const result = await api.generateComplianceReport();
+                if (result.success && result.data) {
+                    renderReport(result.data);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nella generazione</h4><p>' + escapeHtml(result.message || '') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderReport(data) {
+            const container = document.getElementById('report-container');
+            const org = data.organization || {};
+            const summary = data.compliance_summary || {};
+            const controls = data.controls || [];
+            const pct = summary.compliance_percentage || 0;
+            const pctColor = pct >= 80 ? 'var(--secondary)' : pct >= 50 ? 'var(--warning)' : 'var(--danger)';
+
+            let controlsTableHtml = '';
+            controls.forEach(c => {
+                const st = c.status || 'not_started';
+                const implPct = c.implementation_percentage || 0;
+                const implColor = implPct >= 80 ? 'var(--secondary)' : implPct >= 50 ? 'var(--warning)' : 'var(--danger)';
+                controlsTableHtml += `
+                    <tr>
+                        <td style="font-family:var(--font-mono); font-size:0.8rem;">${escapeHtml(c.control_code || '-')}</td>
+                        <td>${escapeHtml(c.title || '-')}</td>
+                        <td><span class="status-badge ${st}">${controlStatusLabels[st] || st}</span></td>
+                        <td>
+                            <div class="progress-bar-container">
+                                <div class="progress-bar"><div class="progress-bar-fill" style="width:${implPct}%; background:${implColor};"></div></div>
+                                <span class="progress-pct">${implPct}%</span>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            container.innerHTML = `
+                <div class="report-container">
+                    <div class="report-header">
+                        <h3>Report di Compliance NIS2</h3>
+                        <p>${escapeHtml(org.name || 'Organizzazione')} - ${formatDateTime(data.report_date)}</p>
+                    </div>
+                    <div class="report-body">
+                        <!-- Organization Info -->
+                        <div class="report-section">
+                            <div class="report-section-title">Informazioni Organizzazione</div>
+                            <div style="display:grid; grid-template-columns:1fr 1fr; gap:8px; font-size:0.9rem;">
+                                <div><strong>Nome:</strong> ${escapeHtml(org.name || '-')}</div>
+                                <div><strong>Settore:</strong> ${escapeHtml(org.sector || '-')}</div>
+                                <div><strong>Tipo Entita':</strong> ${escapeHtml(org.entity_type || '-')}</div>
+                                <div><strong>Paese:</strong> ${escapeHtml(org.country || '-')}</div>
+                            </div>
+                        </div>
+
+                        <!-- Compliance Summary -->
+                        <div class="report-section">
+                            <div class="report-section-title">Riepilogo Compliance</div>
+                            <div class="report-compliance-bar">
+                                <div class="report-compliance-fill" style="width:${pct}%; background:${pctColor};">${pct}%</div>
+                            </div>
+                            <div class="report-summary-grid">
+                                <div class="report-summary-item">
+                                    <div class="report-summary-value">${summary.total_controls || 0}</div>
+                                    <div class="report-summary-label">Controlli Totali</div>
+                                </div>
+                                <div class="report-summary-item">
+                                    <div class="report-summary-value">${summary.implemented_controls || 0}</div>
+                                    <div class="report-summary-label">Implementati</div>
+                                </div>
+                                <div class="report-summary-item">
+                                    <div class="report-summary-value" style="color:var(--danger);">${data.risk_count || 0}</div>
+                                    <div class="report-summary-label">Rischi Aperti</div>
+                                </div>
+                                <div class="report-summary-item">
+                                    <div class="report-summary-value" style="color:var(--warning);">${data.incident_count || 0}</div>
+                                    <div class="report-summary-label">Incidenti</div>
+                                </div>
+                                <div class="report-summary-item">
+                                    <div class="report-summary-value" style="color:var(--secondary);">${data.policy_count || 0}</div>
+                                    <div class="report-summary-label">Policy Approvate</div>
+                                </div>
+                            </div>
+                        </div>
+
+                        <!-- Controls Status -->
+                        ${controls.length > 0 ? `
+                            <div class="report-section">
+                                <div class="report-section-title">Stato Controlli</div>
+                                <table class="data-table" style="box-shadow:none; border:1px solid var(--gray-200);">
+                                    <thead>
+                                        <tr>
+                                            <th>Codice</th>
+                                            <th>Titolo</th>
+                                            <th>Stato</th>
+                                            <th>Implementazione</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>${controlsTableHtml}</tbody>
+                                </table>
+                            </div>
+                        ` : ''}
+
+                        <!-- Print Button -->
+                        <div style="text-align:center; margin-top:24px;">
+                            <button class="btn btn-secondary" onclick="window.print()" style="gap:6px;">
+                                <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M5 4v3H4a2 2 0 00-2 2v3a2 2 0 002 2h1v2a2 2 0 002 2h6a2 2 0 002-2v-2h1a2 2 0 002-2V9a2 2 0 00-2-2h-1V4a2 2 0 00-2-2H7a2 2 0 00-2 2zm8 0H7v3h6V4zm0 8H7v4h6v-4z" clip-rule="evenodd"/></svg>
+                                Stampa Report
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            `;
+        }
+
+        // ══════════════════════════════════════════════════════════
+        // TAB 2: Controls
+        // ══════════════════════════════════════════════════════════
+        async function loadControls() {
+            const container = document.getElementById('controls-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento controlli...</p></div>';
+
+            try {
+                const result = await api.listControls();
+                if (result.success && result.data) {
+                    renderControls(result.data);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderControls(controls) {
+            const container = document.getElementById('controls-container');
+
+            if (!controls || controls.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/></svg>
+                        <h4>Nessun controllo configurato</h4>
+                        <p>I controlli di compliance appariranno qui dopo il primo assessment.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Codice</th>
+                            <th>Framework</th>
+                            <th>Titolo</th>
+                            <th>Stato</th>
+                            <th>% Implementazione</th>
+                            <th>Responsabile</th>
+                            <th>Prossima Verifica</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            controls.forEach(c => {
+                const st = c.status || 'not_started';
+                const implPct = c.implementation_percentage || 0;
+                const implColor = implPct >= 80 ? 'var(--secondary)' : implPct >= 50 ? 'var(--warning)' : 'var(--danger)';
+
+                html += `
+                    <tr class="clickable-row" onclick="showEditControlModal(${c.id}, this)" title="Clicca per modificare">
+                        <td style="font-family:var(--font-mono); font-size:0.82rem; font-weight:600;">${escapeHtml(c.control_code || '-')}</td>
+                        <td>${escapeHtml(c.framework || 'NIS2')}</td>
+                        <td style="font-weight:500;">${escapeHtml(c.title || '-')}</td>
+                        <td><span class="status-badge ${st}">${controlStatusLabels[st] || st}</span></td>
+                        <td>
+                            <div class="progress-bar-container">
+                                <div class="progress-bar"><div class="progress-bar-fill" style="width:${implPct}%; background:${implColor};"></div></div>
+                                <span class="progress-pct">${implPct}%</span>
+                            </div>
+                        </td>
+                        <td>${escapeHtml(c.responsible_name || '-')}</td>
+                        <td>${formatDate(c.next_review_date)}</td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        function showEditControlModal(id) {
+            // First, find the control from the table data
+            api.listControls().then(result => {
+                if (!result.success || !result.data) return;
+                const control = result.data.find(c => c.id === id);
+                if (!control) return;
+
+                const st = control.status || 'not_started';
+                const implPct = control.implementation_percentage || 0;
+
+                const statusOptions = Object.entries(controlStatusLabels).map(([val, label]) =>
+                    `<option value="${val}" ${st === val ? 'selected' : ''}>${label}</option>`
+                ).join('');
+
+                showModal('Modifica Controllo: ' + escapeHtml(control.control_code || ''), `
+                    <div class="form-group">
+                        <label class="form-label">Titolo</label>
+                        <p style="font-size:0.9rem; color:var(--gray-700); padding:8px 0;">${escapeHtml(control.title || '-')}</p>
+                    </div>
+                    <div style="display:grid; grid-template-columns:1fr 1fr; gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Stato</label>
+                            <select class="form-select" id="ctrl-status">${statusOptions}</select>
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">% Implementazione</label>
+                            <input type="range" id="ctrl-impl-pct" min="0" max="100" value="${implPct}" oninput="document.getElementById('ctrl-impl-pct-val').textContent = this.value + '%'" style="width:100%; margin-top:8px;">
+                            <span id="ctrl-impl-pct-val" style="font-size:0.85rem; font-weight:600; color:var(--gray-700);">${implPct}%</span>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Descrizione Evidenza</label>
+                        <textarea class="form-input" id="ctrl-evidence" rows="3" placeholder="Descrivi le evidenze di implementazione...">${escapeHtml(control.evidence_description || '')}</textarea>
+                    </div>
+                    <div style="display:grid; grid-template-columns:1fr 1fr; gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Responsabile (ID utente)</label>
+                            <input type="text" class="form-input" id="ctrl-responsible" value="${escapeHtml(control.responsible_user_id || '')}">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Prossima Verifica</label>
+                            <input type="date" class="form-input" id="ctrl-next-review" value="${control.next_review_date || ''}">
+                        </div>
+                    </div>
+                `, {
+                    size: 'lg',
+                    footer: `
+                        <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                        <button class="btn btn-primary" onclick="saveControl(${id})">Salva</button>
+                    `
+                });
+            });
+        }
+
+        async function saveControl(id) {
+            const data = {
+                status: document.getElementById('ctrl-status').value,
+                implementation_percentage: parseInt(document.getElementById('ctrl-impl-pct').value),
+                evidence_description: document.getElementById('ctrl-evidence').value.trim() || null,
+                responsible_user_id: document.getElementById('ctrl-responsible').value.trim() || null,
+                next_review_date: document.getElementById('ctrl-next-review').value || null,
+            };
+
+            closeModal();
+
+            try {
+                const result = await api.updateControl(id, data);
+                if (result.success) {
+                    showNotification('Controllo aggiornato con successo!', 'success');
+                    loadControls();
+                } else {
+                    showNotification(result.message || 'Errore nell\'aggiornamento.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ══════════════════════════════════════════════════════════
+        // TAB 3: Audit Logs
+        // ══════════════════════════════════════════════════════════
+        async function loadAuditLogs() {
+            const container = document.getElementById('audit-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento log...</p></div>';
+
+            try {
+                const result = await api.getAuditLogs({ page: auditPage, per_page: 25 });
+                if (result.success) {
+                    const logs = result.data || [];
+                    const pagination = result.pagination || {};
+                    auditTotalPages = pagination.total_pages || 1;
+                    renderAuditLogs(logs, pagination);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4><p>' + escapeHtml(result.message || '') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderAuditLogs(logs, pagination) {
+            const container = document.getElementById('audit-container');
+
+            if (!logs || logs.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm1-12a1 1 0 10-2 0v4a1 1 0 00.293.707l2.828 2.829a1 1 0 101.415-1.415L11 9.586V6z" clip-rule="evenodd"/></svg>
+                        <h4>Nessun log disponibile</h4>
+                        <p>Le attivita' di audit appariranno qui.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Data/Ora</th>
+                            <th>Utente</th>
+                            <th>Azione</th>
+                            <th>Entita'</th>
+                            <th>Dettagli</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            logs.forEach(log => {
+                const actionText = actionLabels[log.action] || log.action || '-';
+                let detailsText = '-';
+                if (log.details) {
+                    try {
+                        const d = typeof log.details === 'string' ? JSON.parse(log.details) : log.details;
+                        detailsText = Object.entries(d).map(([k, v]) => `${k}: ${v}`).join(', ');
+                    } catch (e) {
+                        detailsText = String(log.details);
+                    }
+                }
+
+                html += `
+                    <tr>
+                        <td style="white-space:nowrap;">${formatDateTime(log.created_at)}</td>
+                        <td>${escapeHtml(log.full_name || '-')}</td>
+                        <td><span class="log-action">${escapeHtml(actionText)}</span></td>
+                        <td>
+                            ${log.entity_type ? `<span class="log-entity">${escapeHtml(log.entity_type)}</span>` : '-'}
+                            ${log.entity_id ? `<span style="font-size:0.8rem; color:var(--gray-400);"> #${log.entity_id}</span>` : ''}
+                        </td>
+                        <td><span class="log-details" title="${escapeHtml(detailsText)}">${escapeHtml(detailsText)}</span></td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+
+            // Pagination
+            const totalPages = pagination.total_pages || 1;
+            const currentPage = pagination.page || auditPage;
+            html += `
+                <div class="pagination">
+                    <button onclick="goAuditPage(${currentPage - 1})" ${currentPage <= 1 ? 'disabled' : ''}>Precedente</button>
+                    <span class="page-info">Pagina ${currentPage} di ${totalPages}</span>
+                    <button onclick="goAuditPage(${currentPage + 1})" ${currentPage >= totalPages ? 'disabled' : ''}>Successiva</button>
+                </div>`;
+
+            container.innerHTML = html;
+        }
+
+        function goAuditPage(page) {
+            if (page < 1 || page > auditTotalPages) return;
+            auditPage = page;
+            loadAuditLogs();
+        }
+
+        // ══════════════════════════════════════════════════════════
+        // TAB 4: ISO 27001 Mapping
+        // ══════════════════════════════════════════════════════════
+        async function loadIsoMapping() {
+            const container = document.getElementById('iso-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento mapping ISO 27001...</p></div>';
+
+            try {
+                const result = await api.getIsoMapping();
+                if (result.success && result.data) {
+                    renderIsoMapping(result.data);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderIsoMapping(mapping) {
+            const container = document.getElementById('iso-container');
+
+            if (!mapping || mapping.length === 0) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Nessun mapping disponibile</h4></div>';
+                return;
+            }
+
+            let html = `
+                <div class="card">
+                    <div class="card-header">
+                        <h3>Mapping NIS2 - ISO 27001:2022</h3>
+                    </div>
+                    <div class="card-body">
+                        <p style="font-size:0.85rem; color:var(--gray-500); margin-bottom:20px;">
+                            Corrispondenza tra gli articoli della Direttiva NIS2 e i controlli dello standard ISO/IEC 27001:2022.
+                        </p>`;
+
+            mapping.forEach(m => {
+                const isoControls = (m.iso27001 || '').split(',').map(c => c.trim()).filter(c => c);
+                const controlBadges = isoControls.map(c => `<span class="iso-control-badge">${escapeHtml(c)}</span>`).join('');
+
+                html += `
+                    <div class="iso-mapping-row">
+                        <span class="iso-nis2-badge">Art. ${escapeHtml(m.nis2)}</span>
+                        <span class="iso-arrow">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10.293 3.293a1 1 0 011.414 0l6 6a1 1 0 010 1.414l-6 6a1 1 0 01-1.414-1.414L14.586 11H3a1 1 0 110-2h11.586l-4.293-4.293a1 1 0 010-1.414z" clip-rule="evenodd"/></svg>
+                        </span>
+                        <div class="iso-controls">${controlBadges}</div>
+                        <span class="iso-title">${escapeHtml(m.title || '')}</span>
+                    </div>`;
+            });
+
+            html += '</div></div>';
+            container.innerHTML = html;
+        }
+
+        // ── Initial: no auto-load, user triggers report ─────────
+    </script>
+</body>
+</html>
diff --git a/public/risks.html b/public/risks.html
new file mode 100644
index 0000000..77d981b
--- /dev/null
+++ b/public/risks.html
@@ -0,0 +1,1120 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Gestione Rischi - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── View Toggle ─────────────────────────────────────── */
+        .view-toggle {
+            display: flex;
+            background: var(--gray-100);
+            border-radius: var(--border-radius);
+            padding: 3px;
+            gap: 2px;
+        }
+        .view-toggle button {
+            padding: 6px 16px;
+            border: none;
+            background: transparent;
+            border-radius: 6px;
+            cursor: pointer;
+            font-size: 0.8rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            font-family: inherit;
+            transition: all var(--transition-fast);
+        }
+        .view-toggle button.active {
+            background: var(--card-bg);
+            color: var(--gray-800);
+            box-shadow: 0 1px 3px rgba(0,0,0,0.1);
+        }
+
+        /* ── Filters Bar ─────────────────────────────────────── */
+        .filters-bar {
+            display: flex;
+            gap: 12px;
+            align-items: center;
+            flex-wrap: wrap;
+            margin-bottom: 20px;
+        }
+        .filters-bar .form-select {
+            width: auto;
+            min-width: 160px;
+            padding: 8px 36px 8px 12px;
+            font-size: 0.8rem;
+        }
+
+        /* ── Risk Score Badge ────────────────────────────────── */
+        .risk-score {
+            display: inline-flex;
+            align-items: center;
+            justify-content: center;
+            width: 36px;
+            height: 36px;
+            border-radius: 50%;
+            font-weight: 700;
+            font-size: 0.85rem;
+            color: #fff;
+        }
+        .risk-score.score-low { background: var(--secondary); }
+        .risk-score.score-medium { background: var(--warning); color: var(--gray-900); }
+        .risk-score.score-high { background: #f97316; }
+        .risk-score.score-critical { background: var(--danger); }
+
+        /* ── Risk Matrix ─────────────────────────────────────── */
+        .risk-matrix-container {
+            max-width: 680px;
+            margin: 0 auto;
+        }
+        .risk-matrix-wrapper {
+            display: flex;
+            gap: 8px;
+        }
+        .risk-matrix-y-label {
+            writing-mode: vertical-lr;
+            transform: rotate(180deg);
+            text-align: center;
+            font-weight: 700;
+            font-size: 0.8rem;
+            color: var(--gray-600);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding-right: 4px;
+        }
+        .risk-matrix-grid-wrapper {
+            flex: 1;
+        }
+        .risk-matrix {
+            display: grid;
+            grid-template-columns: 40px repeat(5, 1fr);
+            grid-template-rows: repeat(5, 1fr) 40px;
+            gap: 3px;
+            width: 100%;
+            aspect-ratio: 1.15;
+        }
+        .matrix-y-header {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            font-weight: 700;
+            font-size: 0.8rem;
+            color: var(--gray-600);
+        }
+        .matrix-x-header {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            font-weight: 700;
+            font-size: 0.8rem;
+            color: var(--gray-600);
+        }
+        .matrix-corner {
+            /* empty corner cell */
+        }
+        .matrix-cell {
+            border-radius: var(--border-radius-sm);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            cursor: default;
+            position: relative;
+            min-height: 64px;
+            transition: transform var(--transition-fast);
+        }
+        .matrix-cell:hover {
+            transform: scale(1.04);
+            z-index: 2;
+        }
+        .matrix-cell.level-1 { background: #dcfce7; }
+        .matrix-cell.level-2 { background: #bbf7d0; }
+        .matrix-cell.level-3 { background: #fef9c3; }
+        .matrix-cell.level-4 { background: #fde68a; }
+        .matrix-cell.level-5 { background: #fed7aa; }
+        .matrix-cell.level-6 { background: #fdba74; }
+        .matrix-cell.level-7 { background: #fb923c; }
+        .matrix-cell.level-8 { background: #fca5a5; }
+        .matrix-cell.level-9 { background: #f87171; }
+        .matrix-cell.level-10 { background: #ef4444; }
+
+        .matrix-dot {
+            width: 28px;
+            height: 28px;
+            border-radius: 50%;
+            background: rgba(255,255,255,0.9);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            font-weight: 700;
+            font-size: 0.75rem;
+            color: var(--gray-800);
+            box-shadow: 0 1px 4px rgba(0,0,0,0.2);
+        }
+        .risk-matrix-x-label {
+            text-align: center;
+            font-weight: 700;
+            font-size: 0.8rem;
+            color: var(--gray-600);
+            margin-top: 8px;
+        }
+        .matrix-legend {
+            display: flex;
+            gap: 16px;
+            justify-content: center;
+            margin-top: 20px;
+            flex-wrap: wrap;
+        }
+        .matrix-legend-item {
+            display: flex;
+            align-items: center;
+            gap: 6px;
+            font-size: 0.75rem;
+            color: var(--gray-600);
+        }
+        .matrix-legend-color {
+            width: 16px;
+            height: 16px;
+            border-radius: 3px;
+        }
+
+        /* ── Detail View ─────────────────────────────────────── */
+        .detail-back {
+            display: inline-flex;
+            align-items: center;
+            gap: 6px;
+            font-size: 0.85rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            cursor: pointer;
+            margin-bottom: 16px;
+            border: none;
+            background: none;
+            font-family: inherit;
+            padding: 0;
+        }
+        .detail-back:hover { color: var(--primary); }
+
+        .detail-grid {
+            display: grid;
+            grid-template-columns: 2fr 1fr;
+            gap: 24px;
+        }
+        .detail-field {
+            margin-bottom: 16px;
+        }
+        .detail-field-label {
+            font-size: 0.7rem;
+            text-transform: uppercase;
+            letter-spacing: 0.05em;
+            font-weight: 600;
+            color: var(--gray-500);
+            margin-bottom: 4px;
+        }
+        .detail-field-value {
+            font-size: 0.9rem;
+            color: var(--gray-800);
+        }
+
+        .score-display {
+            display: flex;
+            gap: 24px;
+            padding: 16px;
+            background: var(--gray-50);
+            border-radius: var(--border-radius);
+            margin-bottom: 16px;
+        }
+        .score-item {
+            text-align: center;
+        }
+        .score-item-value {
+            font-size: 1.75rem;
+            font-weight: 800;
+            line-height: 1.2;
+        }
+        .score-item-label {
+            font-size: 0.7rem;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            letter-spacing: 0.04em;
+        }
+
+        .treatment-item {
+            padding: 16px;
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            margin-bottom: 12px;
+        }
+        .treatment-item-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: flex-start;
+            margin-bottom: 8px;
+        }
+
+        /* ── Table clickable rows ───────────────────────────── */
+        .table-clickable tbody tr { cursor: pointer; }
+
+        /* ── Range value display ─────────────────────────────── */
+        .range-value-display {
+            text-align: center;
+            font-weight: 700;
+            font-size: 1.1rem;
+            color: var(--primary);
+            margin: 4px 0;
+        }
+        .range-label-text {
+            text-align: center;
+            font-size: 0.8rem;
+            color: var(--gray-600);
+            font-weight: 600;
+        }
+        .score-preview {
+            text-align: center;
+            padding: 12px;
+            background: var(--gray-50);
+            border-radius: var(--border-radius);
+            margin-top: 8px;
+        }
+        .score-preview-value {
+            font-size: 2rem;
+            font-weight: 800;
+        }
+        .score-preview-label {
+            font-size: 0.75rem;
+            color: var(--gray-500);
+            text-transform: uppercase;
+        }
+
+        @media (max-width: 768px) {
+            .detail-grid { grid-template-columns: 1fr; }
+            .filters-bar { flex-direction: column; align-items: stretch; }
+            .filters-bar .form-select { min-width: 100%; }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Gestione Rischi</h2>
+                <div class="content-header-actions">
+                    <div class="view-toggle" id="view-toggle">
+                        <button class="active" onclick="switchView('table')">Tabella</button>
+                        <button onclick="switchView('matrix')">Matrice</button>
+                    </div>
+                    <button class="btn btn-secondary" onclick="aiSuggest()">
+                        <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path d="M5 2a1 1 0 011 1v1h1a1 1 0 010 2H6v1a1 1 0 01-2 0V6H3a1 1 0 010-2h1V3a1 1 0 011-1zm0 10a1 1 0 011 1v1h1a1 1 0 110 2H6v1a1 1 0 11-2 0v-1H3a1 1 0 110-2h1v-1a1 1 0 011-1zm7-10a1 1 0 01.967.744L14.146 7.2 17.5 8.512a1 1 0 010 1.836l-3.354 1.311-1.18 4.456a1 1 0 01-1.932 0L9.854 11.66 6.5 10.348a1 1 0 010-1.836l3.354-1.311 1.18-4.456A1 1 0 0112 2z"/></svg>
+                        AI Suggerisci
+                    </button>
+                    <button class="btn btn-primary" onclick="showRiskModal()">+ Nuovo Rischio</button>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Table View -->
+                <div id="view-table">
+                    <div class="filters-bar">
+                        <select class="form-select" id="filter-category" onchange="loadRisks()">
+                            <option value="">Tutte le categorie</option>
+                            <option value="cyber">Cyber</option>
+                            <option value="operational">Operativo</option>
+                            <option value="compliance">Compliance</option>
+                            <option value="supply_chain">Supply Chain</option>
+                            <option value="physical">Fisico</option>
+                            <option value="human">Umano</option>
+                        </select>
+                        <select class="form-select" id="filter-status" onchange="loadRisks()">
+                            <option value="">Tutti gli stati</option>
+                            <option value="identified">Identificato</option>
+                            <option value="analyzing">In Analisi</option>
+                            <option value="treating">In Trattamento</option>
+                            <option value="monitored">Monitorato</option>
+                            <option value="closed">Chiuso</option>
+                        </select>
+                    </div>
+
+                    <div class="card">
+                        <div class="table-container">
+                            <table class="table-clickable">
+                                <thead>
+                                    <tr>
+                                        <th>Codice</th>
+                                        <th>Titolo</th>
+                                        <th>Categoria</th>
+                                        <th>Probabilita'</th>
+                                        <th>Impatto</th>
+                                        <th>Score</th>
+                                        <th>Stato</th>
+                                        <th>Azioni</th>
+                                    </tr>
+                                </thead>
+                                <tbody id="risks-table-body">
+                                    <tr>
+                                        <td colspan="8">
+                                            <div class="spinner" style="margin:40px auto;"></div>
+                                        </td>
+                                    </tr>
+                                </tbody>
+                            </table>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Matrix View -->
+                <div id="view-matrix" class="hidden">
+                    <div class="card">
+                        <div class="card-header">
+                            <h3>Matrice di Rischio 5x5</h3>
+                            <span class="text-muted" style="font-size:0.8rem;">Rischi inerenti (esclusi chiusi)</span>
+                        </div>
+                        <div class="card-body">
+                            <div class="risk-matrix-container">
+                                <div class="risk-matrix-wrapper">
+                                    <div class="risk-matrix-y-label">Probabilita'</div>
+                                    <div class="risk-matrix-grid-wrapper">
+                                        <div class="risk-matrix" id="risk-matrix-grid">
+                                            <div class="spinner" style="margin:60px auto; grid-column: span 6;"></div>
+                                        </div>
+                                        <div class="risk-matrix-x-label">Impatto</div>
+                                    </div>
+                                </div>
+                                <div class="matrix-legend">
+                                    <div class="matrix-legend-item">
+                                        <div class="matrix-legend-color" style="background:#bbf7d0;"></div>
+                                        Basso (1-4)
+                                    </div>
+                                    <div class="matrix-legend-item">
+                                        <div class="matrix-legend-color" style="background:#fde68a;"></div>
+                                        Medio (5-9)
+                                    </div>
+                                    <div class="matrix-legend-item">
+                                        <div class="matrix-legend-color" style="background:#fdba74;"></div>
+                                        Alto (10-14)
+                                    </div>
+                                    <div class="matrix-legend-item">
+                                        <div class="matrix-legend-color" style="background:#fb923c;"></div>
+                                        Elevato (15-19)
+                                    </div>
+                                    <div class="matrix-legend-item">
+                                        <div class="matrix-legend-color" style="background:#ef4444;"></div>
+                                        Critico (20-25)
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Detail View -->
+                <div id="view-detail" class="hidden"></div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ──────────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ───────────────────────────────────────────────────
+        const CATEGORY_LABELS = {
+            cyber: 'Cyber', operational: 'Operativo', compliance: 'Compliance',
+            supply_chain: 'Supply Chain', physical: 'Fisico', human: 'Umano'
+        };
+        const STATUS_LABELS = {
+            identified: 'Identificato', analyzing: 'In Analisi', treating: 'In Trattamento',
+            monitored: 'Monitorato', closed: 'Chiuso'
+        };
+        const TREATMENT_LABELS = {
+            mitigate: 'Mitigare', accept: 'Accettare', transfer: 'Trasferire', avoid: 'Evitare'
+        };
+        const TREATMENT_STATUS_LABELS = {
+            planned: 'Pianificato', in_progress: 'In Corso', completed: 'Completato', cancelled: 'Annullato'
+        };
+        const LIKELIHOOD_LABELS = ['', 'Molto Basso', 'Basso', 'Medio', 'Alto', 'Molto Alto'];
+
+        // ── State ────────────────────────────────────────────────────
+        let currentView = 'table';
+        let risksData = [];
+
+        // ── Load ─────────────────────────────────────────────────────
+        loadRisks();
+
+        async function loadRisks() {
+            const params = {};
+            const cat = document.getElementById('filter-category').value;
+            const status = document.getElementById('filter-status').value;
+            if (cat) params.category = cat;
+            if (status) params.status = status;
+
+            try {
+                const result = await api.listRisks(params);
+                if (result.success) {
+                    risksData = result.data || [];
+                    renderRisksTable(risksData);
+                } else {
+                    showNotification(result.message || 'Errore nel caricamento rischi', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Table Render ─────────────────────────────────────────────
+        function renderRisksTable(risks) {
+            const tbody = document.getElementById('risks-table-body');
+
+            if (!risks || risks.length === 0) {
+                tbody.innerHTML = `
+                    <tr><td colspan="8">
+                        <div class="empty-state">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 1.944A11.954 11.954 0 012.166 5C2.056 5.649 2 6.319 2 7c0 5.225 3.34 9.67 8 11.317C14.66 16.67 18 12.225 18 7c0-.682-.057-1.35-.166-2.001A11.954 11.954 0 0110 1.944zM11 14a1 1 0 11-2 0 1 1 0 012 0zm0-7a1 1 0 10-2 0v3a1 1 0 102 0V7z" clip-rule="evenodd"/></svg>
+                            <h4>Nessun rischio registrato</h4>
+                            <p>Clicca "Nuovo Rischio" per aggiungere il primo rischio, oppure usa "AI Suggerisci".</p>
+                        </div>
+                    </td></tr>`;
+                return;
+            }
+
+            let html = '';
+            risks.forEach(r => {
+                const score = r.inherent_risk_score || 0;
+                const scoreClass = getScoreClassForRisk(score);
+                const statusBadge = getStatusBadge(r.status);
+                const categoryLabel = CATEGORY_LABELS[r.category] || r.category;
+
+                html += `
+                    <tr onclick="viewRiskDetail(${r.id})">
+                        <td><code style="font-size:0.8rem; color:var(--primary);">${escapeHtml(r.risk_code || '-')}</code></td>
+                        <td><strong>${escapeHtml(r.title)}</strong></td>
+                        <td><span class="tag">${escapeHtml(categoryLabel)}</span></td>
+                        <td>${r.likelihood || '-'}/5</td>
+                        <td>${r.impact || '-'}/5</td>
+                        <td><span class="risk-score ${scoreClass}">${score}</span></td>
+                        <td>${statusBadge}</td>
+                        <td>
+                            <div class="btn-group" onclick="event.stopPropagation()">
+                                <button class="btn btn-ghost btn-sm btn-icon" onclick="showRiskModal(${r.id})" title="Modifica">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                                </button>
+                                <button class="btn btn-ghost btn-sm btn-icon" onclick="confirmDeleteRisk(${r.id}, '${escapeHtml(r.title)}')" title="Elimina">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M9 2a1 1 0 00-.894.553L7.382 4H4a1 1 0 000 2v10a2 2 0 002 2h8a2 2 0 002-2V6a1 1 0 100-2h-3.382l-.724-1.447A1 1 0 0011 2H9zM7 8a1 1 0 012 0v6a1 1 0 11-2 0V8zm5-1a1 1 0 00-1 1v6a1 1 0 102 0V8a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                                </button>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            tbody.innerHTML = html;
+        }
+
+        function getScoreClassForRisk(score) {
+            if (score >= 20) return 'score-critical';
+            if (score >= 15) return 'score-high';
+            if (score >= 10) return 'score-medium';
+            return 'score-low';
+        }
+
+        function getScoreColorForRisk(score) {
+            if (score >= 20) return 'var(--danger)';
+            if (score >= 15) return '#f97316';
+            if (score >= 10) return 'var(--warning)';
+            return 'var(--secondary)';
+        }
+
+        function getStatusBadge(status) {
+            const map = {
+                identified: 'badge-info', analyzing: 'badge-warning',
+                treating: 'badge-primary', monitored: 'badge-success', closed: 'badge-neutral'
+            };
+            const cls = map[status] || 'badge-neutral';
+            const label = STATUS_LABELS[status] || status;
+            return `<span class="badge ${cls}">${escapeHtml(label)}</span>`;
+        }
+
+        // ── View Switching ───────────────────────────────────────────
+        function switchView(view) {
+            currentView = view;
+            document.getElementById('view-table').classList.toggle('hidden', view !== 'table');
+            document.getElementById('view-matrix').classList.toggle('hidden', view !== 'matrix');
+            document.getElementById('view-detail').classList.toggle('hidden', true);
+
+            const btns = document.querySelectorAll('#view-toggle button');
+            btns.forEach(b => b.classList.remove('active'));
+            if (view === 'table') btns[0].classList.add('active');
+            else btns[1].classList.add('active');
+
+            if (view === 'matrix') loadMatrix();
+        }
+
+        // ── Matrix ───────────────────────────────────────────────────
+        async function loadMatrix() {
+            try {
+                const result = await api.getRiskMatrix();
+                if (result.success) {
+                    renderMatrix(result.data.risks || []);
+                } else {
+                    showNotification(result.message || 'Errore caricamento matrice', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        function renderMatrix(risks) {
+            const grid = document.getElementById('risk-matrix-grid');
+
+            // Build a map: `${likelihood}-${impact}` -> count
+            const cellMap = {};
+            risks.forEach(r => {
+                const key = `${r.likelihood || 0}-${r.impact || 0}`;
+                if (!cellMap[key]) cellMap[key] = [];
+                cellMap[key].push(r);
+            });
+
+            // Color level mapping for cell score (likelihood * impact)
+            function getCellLevel(score) {
+                if (score <= 1) return 'level-1';
+                if (score <= 2) return 'level-2';
+                if (score <= 4) return 'level-3';
+                if (score <= 6) return 'level-4';
+                if (score <= 8) return 'level-5';
+                if (score <= 10) return 'level-6';
+                if (score <= 14) return 'level-7';
+                if (score <= 16) return 'level-8';
+                if (score <= 19) return 'level-9';
+                return 'level-10';
+            }
+
+            let html = '';
+            // Rows from top (likelihood=5) to bottom (likelihood=1)
+            for (let li = 5; li >= 1; li--) {
+                // Y-axis header
+                html += `<div class="matrix-y-header">${li}</div>`;
+                // 5 cells per row (impact 1-5)
+                for (let imp = 1; imp <= 5; imp++) {
+                    const score = li * imp;
+                    const level = getCellLevel(score);
+                    const key = `${li}-${imp}`;
+                    const risksInCell = cellMap[key] || [];
+                    const dot = risksInCell.length > 0
+                        ? `<div class="matrix-dot" title="${risksInCell.map(r => escapeHtml(r.title)).join(', ')}">${risksInCell.length}</div>`
+                        : '';
+                    html += `<div class="matrix-cell ${level}" title="P:${li} x I:${imp} = ${score}">${dot}</div>`;
+                }
+            }
+            // Bottom row: corner + x-axis headers
+            html += `<div class="matrix-corner"></div>`;
+            for (let imp = 1; imp <= 5; imp++) {
+                html += `<div class="matrix-x-header">${imp}</div>`;
+            }
+
+            grid.innerHTML = html;
+        }
+
+        // ── Detail View ──────────────────────────────────────────────
+        async function viewRiskDetail(id) {
+            try {
+                const result = await api.getRisk(id);
+                if (!result.success) {
+                    showNotification(result.message || 'Errore nel caricamento', 'error');
+                    return;
+                }
+                renderDetail(result.data);
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        function renderDetail(risk) {
+            document.getElementById('view-table').classList.add('hidden');
+            document.getElementById('view-matrix').classList.add('hidden');
+            const container = document.getElementById('view-detail');
+            container.classList.remove('hidden');
+
+            const score = risk.inherent_risk_score || 0;
+            const residualScore = risk.residual_risk_score || 0;
+            const categoryLabel = CATEGORY_LABELS[risk.category] || risk.category;
+            const treatmentLabel = TREATMENT_LABELS[risk.treatment] || risk.treatment;
+
+            let treatmentsHtml = '';
+            if (risk.treatments && risk.treatments.length > 0) {
+                risk.treatments.forEach(t => {
+                    const tStatusBadge = getTreatmentStatusBadge(t.status);
+                    treatmentsHtml += `
+                        <div class="treatment-item">
+                            <div class="treatment-item-header">
+                                <strong>${escapeHtml(t.action_description)}</strong>
+                                ${tStatusBadge}
+                            </div>
+                            <div style="font-size:0.8rem; color:var(--gray-500);">
+                                ${t.responsible_name ? 'Responsabile: ' + escapeHtml(t.responsible_name) : ''}
+                                ${t.due_date ? ' | Scadenza: ' + formatDate(t.due_date) : ''}
+                            </div>
+                            ${t.notes ? '<p style="font-size:0.85rem; margin-top:8px;">' + escapeHtml(t.notes) + '</p>' : ''}
+                        </div>`;
+                });
+            } else {
+                treatmentsHtml = '<p class="text-muted" style="font-size:0.85rem;">Nessun trattamento registrato.</p>';
+            }
+
+            container.innerHTML = `
+                <button class="detail-back" onclick="backToList()">
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M9.707 16.707a1 1 0 01-1.414 0l-6-6a1 1 0 010-1.414l6-6a1 1 0 011.414 1.414L5.414 9H17a1 1 0 110 2H5.414l4.293 4.293a1 1 0 010 1.414z" clip-rule="evenodd"/></svg>
+                    Torna alla lista
+                </button>
+
+                <div class="detail-grid">
+                    <div>
+                        <div class="card mb-24">
+                            <div class="card-header">
+                                <h3>
+                                    <code style="color:var(--primary); margin-right:8px;">${escapeHtml(risk.risk_code || '')}</code>
+                                    ${escapeHtml(risk.title)}
+                                </h3>
+                                <div class="btn-group">
+                                    <button class="btn btn-secondary btn-sm" onclick="showRiskModal(${risk.id})">Modifica</button>
+                                    <button class="btn btn-danger btn-sm" onclick="confirmDeleteRisk(${risk.id}, '${escapeHtml(risk.title)}')">Elimina</button>
+                                </div>
+                            </div>
+                            <div class="card-body">
+                                <div class="score-display">
+                                    <div class="score-item">
+                                        <div class="score-item-value">${risk.likelihood || '-'}</div>
+                                        <div class="score-item-label">Probabilita'</div>
+                                    </div>
+                                    <div class="score-item" style="font-size:1.5rem; color:var(--gray-400); padding-top:4px;">x</div>
+                                    <div class="score-item">
+                                        <div class="score-item-value">${risk.impact || '-'}</div>
+                                        <div class="score-item-label">Impatto</div>
+                                    </div>
+                                    <div class="score-item" style="font-size:1.5rem; color:var(--gray-400); padding-top:4px;">=</div>
+                                    <div class="score-item">
+                                        <div class="score-item-value" style="color:${getScoreColorForRisk(score)}">${score}</div>
+                                        <div class="score-item-label">Rischio Inerente</div>
+                                    </div>
+                                    ${residualScore > 0 ? `
+                                    <div class="score-item" style="border-left:2px solid var(--gray-200); padding-left:24px;">
+                                        <div class="score-item-value" style="color:${getScoreColorForRisk(residualScore)}">${residualScore}</div>
+                                        <div class="score-item-label">Rischio Residuo</div>
+                                    </div>` : ''}
+                                </div>
+
+                                ${risk.description ? `
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Descrizione</div>
+                                    <div class="detail-field-value">${escapeHtml(risk.description)}</div>
+                                </div>` : ''}
+
+                                <div class="form-row">
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Categoria</div>
+                                        <div class="detail-field-value"><span class="tag">${escapeHtml(categoryLabel)}</span></div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Stato</div>
+                                        <div class="detail-field-value">${getStatusBadge(risk.status)}</div>
+                                    </div>
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Trattamento</div>
+                                        <div class="detail-field-value"><span class="badge badge-primary">${escapeHtml(treatmentLabel)}</span></div>
+                                    </div>
+                                </div>
+
+                                <div class="form-row">
+                                    ${risk.threat_source ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Sorgente Minaccia</div>
+                                        <div class="detail-field-value">${escapeHtml(risk.threat_source)}</div>
+                                    </div>` : ''}
+                                    ${risk.vulnerability ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Vulnerabilita'</div>
+                                        <div class="detail-field-value">${escapeHtml(risk.vulnerability)}</div>
+                                    </div>` : ''}
+                                </div>
+
+                                <div class="form-row">
+                                    ${risk.owner_name ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Responsabile</div>
+                                        <div class="detail-field-value">${escapeHtml(risk.owner_name)}</div>
+                                    </div>` : ''}
+                                    ${risk.review_date ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Data Revisione</div>
+                                        <div class="detail-field-value">${formatDate(risk.review_date)}</div>
+                                    </div>` : ''}
+                                    ${risk.nis2_article ? `
+                                    <div class="detail-field">
+                                        <div class="detail-field-label">Articolo NIS2</div>
+                                        <div class="detail-field-value">${escapeHtml(risk.nis2_article)}</div>
+                                    </div>` : ''}
+                                </div>
+                            </div>
+                        </div>
+
+                        <!-- Treatments -->
+                        <div class="card">
+                            <div class="card-header">
+                                <h3>Trattamenti</h3>
+                                <button class="btn btn-sm btn-primary" onclick="showAddTreatmentModal(${risk.id})">+ Aggiungi</button>
+                            </div>
+                            <div class="card-body">
+                                ${treatmentsHtml}
+                            </div>
+                        </div>
+                    </div>
+
+                    <div>
+                        <div class="card mb-24">
+                            <div class="card-header"><h3>Riepilogo</h3></div>
+                            <div class="card-body">
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Codice</div>
+                                    <div class="detail-field-value"><code>${escapeHtml(risk.risk_code || '-')}</code></div>
+                                </div>
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Creato il</div>
+                                    <div class="detail-field-value">${formatDateTime(risk.created_at)}</div>
+                                </div>
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Aggiornato il</div>
+                                    <div class="detail-field-value">${formatDateTime(risk.updated_at)}</div>
+                                </div>
+                                <div class="detail-field">
+                                    <div class="detail-field-label">Trattamenti</div>
+                                    <div class="detail-field-value">${risk.treatments ? risk.treatments.length : 0}</div>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            `;
+        }
+
+        function getTreatmentStatusBadge(status) {
+            const map = { planned: 'badge-info', in_progress: 'badge-warning', completed: 'badge-success', cancelled: 'badge-neutral' };
+            return `<span class="badge ${map[status] || 'badge-neutral'}">${escapeHtml(TREATMENT_STATUS_LABELS[status] || status)}</span>`;
+        }
+
+        function backToList() {
+            document.getElementById('view-detail').classList.add('hidden');
+            if (currentView === 'table') {
+                document.getElementById('view-table').classList.remove('hidden');
+            } else {
+                document.getElementById('view-matrix').classList.remove('hidden');
+            }
+        }
+
+        // ── Create/Edit Risk Modal ───────────────────────────────────
+        async function showRiskModal(riskId = null) {
+            let risk = {};
+            if (riskId) {
+                try {
+                    const result = await api.getRisk(riskId);
+                    if (result.success) risk = result.data;
+                } catch (e) { /* use defaults */ }
+            }
+
+            const isEdit = !!riskId;
+            const title = isEdit ? 'Modifica Rischio' : 'Nuovo Rischio';
+            const likelihood = risk.likelihood || 3;
+            const impact = risk.impact || 3;
+            const initialScore = likelihood * impact;
+
+            const content = `
+                <div class="form-group">
+                    <label class="form-label">Titolo <span class="required">*</span></label>
+                    <input type="text" class="form-input" id="risk-title" value="${escapeHtml(risk.title || '')}" placeholder="Titolo del rischio">
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Descrizione</label>
+                    <textarea class="form-textarea" id="risk-description" rows="3" placeholder="Descrizione dettagliata">${escapeHtml(risk.description || '')}</textarea>
+                </div>
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Categoria</label>
+                        <select class="form-select" id="risk-category">
+                            <option value="cyber" ${risk.category==='cyber'?'selected':''}>Cyber</option>
+                            <option value="operational" ${risk.category==='operational'?'selected':''}>Operativo</option>
+                            <option value="compliance" ${risk.category==='compliance'?'selected':''}>Compliance</option>
+                            <option value="supply_chain" ${risk.category==='supply_chain'?'selected':''}>Supply Chain</option>
+                            <option value="physical" ${risk.category==='physical'?'selected':''}>Fisico</option>
+                            <option value="human" ${risk.category==='human'?'selected':''}>Umano</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Trattamento</label>
+                        <select class="form-select" id="risk-treatment">
+                            <option value="mitigate" ${risk.treatment==='mitigate'?'selected':''}>Mitigare</option>
+                            <option value="accept" ${risk.treatment==='accept'?'selected':''}>Accettare</option>
+                            <option value="transfer" ${risk.treatment==='transfer'?'selected':''}>Trasferire</option>
+                            <option value="avoid" ${risk.treatment==='avoid'?'selected':''}>Evitare</option>
+                        </select>
+                    </div>
+                </div>
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Sorgente Minaccia</label>
+                        <input type="text" class="form-input" id="risk-threat-source" value="${escapeHtml(risk.threat_source || '')}" placeholder="Es. attaccante esterno">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Vulnerabilita'</label>
+                        <input type="text" class="form-input" id="risk-vulnerability" value="${escapeHtml(risk.vulnerability || '')}" placeholder="Es. software non aggiornato">
+                    </div>
+                </div>
+
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Probabilita': <span id="likelihood-label">${LIKELIHOOD_LABELS[likelihood]}</span></label>
+                        <div class="range-value-display" id="likelihood-value">${likelihood}</div>
+                        <input type="range" class="form-range" id="risk-likelihood" min="1" max="5" value="${likelihood}" oninput="updateRiskScore()">
+                        <div class="form-range-labels">
+                            <span>1 - Molto Basso</span>
+                            <span>5 - Molto Alto</span>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Impatto: <span id="impact-label">${LIKELIHOOD_LABELS[impact]}</span></label>
+                        <div class="range-value-display" id="impact-value">${impact}</div>
+                        <input type="range" class="form-range" id="risk-impact" min="1" max="5" value="${impact}" oninput="updateRiskScore()">
+                        <div class="form-range-labels">
+                            <span>1 - Molto Basso</span>
+                            <span>5 - Molto Alto</span>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="score-preview" id="score-preview">
+                    <div class="score-preview-label">Rischio Inerente</div>
+                    <div class="score-preview-value" id="score-preview-value" style="color:${getScoreColorForRisk(initialScore)}">${initialScore}</div>
+                </div>
+
+                <div class="form-row" style="margin-top:16px;">
+                    <div class="form-group">
+                        <label class="form-label">Responsabile (ID utente)</label>
+                        <input type="text" class="form-input" id="risk-owner" value="${escapeHtml(risk.owner_user_id || '')}" placeholder="ID utente responsabile">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Data Revisione</label>
+                        <input type="date" class="form-input" id="risk-review-date" value="${risk.review_date ? risk.review_date.split(' ')[0] : ''}">
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Articolo NIS2 di riferimento</label>
+                    <input type="text" class="form-input" id="risk-nis2-article" value="${escapeHtml(risk.nis2_article || '')}" placeholder="Es. Art. 21, par. 2">
+                </div>
+            `;
+
+            showModal(title, content, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="saveRisk(${riskId || 'null'})">${isEdit ? 'Salva Modifiche' : 'Crea Rischio'}</button>
+                `
+            });
+        }
+
+        function updateRiskScore() {
+            const l = parseInt(document.getElementById('risk-likelihood').value);
+            const i = parseInt(document.getElementById('risk-impact').value);
+            const score = l * i;
+
+            document.getElementById('likelihood-value').textContent = l;
+            document.getElementById('impact-value').textContent = i;
+            document.getElementById('likelihood-label').textContent = LIKELIHOOD_LABELS[l];
+            document.getElementById('impact-label').textContent = LIKELIHOOD_LABELS[i];
+            document.getElementById('score-preview-value').textContent = score;
+            document.getElementById('score-preview-value').style.color = getScoreColorForRisk(score);
+        }
+
+        async function saveRisk(riskId) {
+            const data = {
+                title: document.getElementById('risk-title').value.trim(),
+                description: document.getElementById('risk-description').value.trim(),
+                category: document.getElementById('risk-category').value,
+                treatment: document.getElementById('risk-treatment').value,
+                threat_source: document.getElementById('risk-threat-source').value.trim(),
+                vulnerability: document.getElementById('risk-vulnerability').value.trim(),
+                likelihood: parseInt(document.getElementById('risk-likelihood').value),
+                impact: parseInt(document.getElementById('risk-impact').value),
+                owner_user_id: document.getElementById('risk-owner').value.trim() || null,
+                review_date: document.getElementById('risk-review-date').value || null,
+                nis2_article: document.getElementById('risk-nis2-article').value.trim(),
+            };
+
+            if (!data.title) {
+                showNotification('Il titolo e\' obbligatorio', 'warning');
+                return;
+            }
+
+            try {
+                let result;
+                if (riskId) {
+                    result = await api.updateRisk(riskId, data);
+                } else {
+                    result = await api.createRisk(data);
+                }
+
+                if (result.success) {
+                    closeModal();
+                    showNotification(riskId ? 'Rischio aggiornato' : 'Rischio creato con successo', 'success');
+                    loadRisks();
+                    // If detail view is visible, reload detail
+                    if (!document.getElementById('view-detail').classList.contains('hidden')) {
+                        viewRiskDetail(riskId || result.data.id);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Delete Risk ──────────────────────────────────────────────
+        function confirmDeleteRisk(id, title) {
+            showModal('Conferma Eliminazione', `
+                <p>Sei sicuro di voler eliminare il rischio <strong>${escapeHtml(title)}</strong>?</p>
+                <p class="text-muted" style="margin-top:8px; font-size:0.85rem;">Questa azione non puo' essere annullata.</p>
+            `, {
+                size: 'sm',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-danger" onclick="deleteRisk(${id})">Elimina</button>
+                `
+            });
+        }
+
+        async function deleteRisk(id) {
+            try {
+                const result = await api.deleteRisk(id);
+                if (result.success) {
+                    closeModal();
+                    showNotification('Rischio eliminato', 'success');
+                    backToList();
+                    loadRisks();
+                } else {
+                    showNotification(result.message || 'Errore nella eliminazione', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── Add Treatment Modal ──────────────────────────────────────
+        function showAddTreatmentModal(riskId) {
+            const content = `
+                <div class="form-group">
+                    <label class="form-label">Descrizione Azione <span class="required">*</span></label>
+                    <textarea class="form-textarea" id="treatment-description" rows="3" placeholder="Descrizione dell'azione di trattamento"></textarea>
+                </div>
+                <div class="form-row">
+                    <div class="form-group">
+                        <label class="form-label">Responsabile (ID utente)</label>
+                        <input type="text" class="form-input" id="treatment-responsible" placeholder="ID utente">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Data Scadenza</label>
+                        <input type="date" class="form-input" id="treatment-due-date">
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Stato</label>
+                    <select class="form-select" id="treatment-status">
+                        <option value="planned">Pianificato</option>
+                        <option value="in_progress">In Corso</option>
+                        <option value="completed">Completato</option>
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Note</label>
+                    <textarea class="form-textarea" id="treatment-notes" rows="2" placeholder="Note aggiuntive"></textarea>
+                </div>
+            `;
+
+            showModal('Aggiungi Trattamento', content, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="saveTreatment(${riskId})">Aggiungi</button>
+                `
+            });
+        }
+
+        async function saveTreatment(riskId) {
+            const data = {
+                action_description: document.getElementById('treatment-description').value.trim(),
+                responsible_user_id: document.getElementById('treatment-responsible').value.trim() || null,
+                due_date: document.getElementById('treatment-due-date').value || null,
+                status: document.getElementById('treatment-status').value,
+                notes: document.getElementById('treatment-notes').value.trim(),
+            };
+
+            if (!data.action_description) {
+                showNotification('La descrizione dell\'azione e\' obbligatoria', 'warning');
+                return;
+            }
+
+            try {
+                const result = await api.post(`/risks/${riskId}/treatments`, data);
+                if (result.success) {
+                    closeModal();
+                    showNotification('Trattamento aggiunto', 'success');
+                    viewRiskDetail(riskId);
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione', 'error');
+            }
+        }
+
+        // ── AI Suggest ───────────────────────────────────────────────
+        async function aiSuggest() {
+            showNotification('Generazione suggerimenti AI in corso...', 'info');
+            try {
+                const result = await api.aiSuggestRisks();
+                if (result.success && result.data) {
+                    const suggestions = Array.isArray(result.data) ? result.data : (result.data.suggestions || []);
+                    if (suggestions.length === 0) {
+                        showNotification('Nessun suggerimento disponibile', 'info');
+                        return;
+                    }
+
+                    let listHtml = '<div style="max-height:400px; overflow-y:auto;">';
+                    suggestions.forEach((s, idx) => {
+                        listHtml += `
+                            <div style="padding:12px; border:1px solid var(--gray-200); border-radius:var(--border-radius); margin-bottom:8px;">
+                                <strong>${escapeHtml(s.title || 'Rischio ' + (idx + 1))}</strong>
+                                <p style="font-size:0.85rem; color:var(--gray-600); margin:4px 0;">${escapeHtml(s.description || '')}</p>
+                                <div style="display:flex; gap:8px; flex-wrap:wrap; margin-top:6px;">
+                                    ${s.category ? `<span class="tag">${escapeHtml(CATEGORY_LABELS[s.category] || s.category)}</span>` : ''}
+                                    ${s.likelihood ? `<span class="badge badge-info">P:${s.likelihood}</span>` : ''}
+                                    ${s.impact ? `<span class="badge badge-warning">I:${s.impact}</span>` : ''}
+                                </div>
+                            </div>`;
+                    });
+                    listHtml += '</div>';
+
+                    showModal('Rischi Suggeriti dall\'AI', listHtml, {
+                        size: 'lg',
+                        footer: `<button class="btn btn-secondary" onclick="closeModal()">Chiudi</button>`
+                    });
+                } else {
+                    showNotification(result.message || 'Errore AI', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione al servizio AI', 'error');
+            }
+        }
+    </script>
+</body>
+</html>
diff --git a/public/settings.html b/public/settings.html
new file mode 100644
index 0000000..a78c2fd
--- /dev/null
+++ b/public/settings.html
@@ -0,0 +1,1006 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Impostazioni - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        .settings-tabs {
+            display: flex;
+            border-bottom: 2px solid var(--gray-200);
+            margin-bottom: 24px;
+            gap: 0;
+            overflow-x: auto;
+        }
+        .settings-tab {
+            padding: 12px 24px;
+            font-size: 0.875rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            cursor: pointer;
+            border: none;
+            background: none;
+            border-bottom: 2px solid transparent;
+            margin-bottom: -2px;
+            transition: all var(--transition-fast);
+            white-space: nowrap;
+            font-family: inherit;
+        }
+        .settings-tab:hover {
+            color: var(--gray-700);
+        }
+        .settings-tab.active {
+            color: var(--primary);
+            border-bottom-color: var(--primary);
+        }
+        .tab-panel {
+            display: none;
+        }
+        .tab-panel.active {
+            display: block;
+        }
+        .settings-section {
+            margin-bottom: 32px;
+        }
+        .settings-section-title {
+            font-size: 1rem;
+            font-weight: 700;
+            color: var(--gray-900);
+            margin-bottom: 4px;
+        }
+        .settings-section-desc {
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+            margin-bottom: 20px;
+        }
+        .entity-badge {
+            display: inline-flex;
+            align-items: center;
+            gap: 8px;
+            padding: 12px 20px;
+            border-radius: var(--border-radius-lg);
+            font-weight: 700;
+            font-size: 0.9rem;
+            margin-bottom: 8px;
+        }
+        .entity-badge.essential {
+            background: var(--danger-bg);
+            color: var(--danger);
+            border: 1px solid var(--danger);
+        }
+        .entity-badge.important {
+            background: var(--warning-bg);
+            color: #a16207;
+            border: 1px solid var(--warning);
+        }
+        .entity-badge.not_applicable {
+            background: var(--gray-100);
+            color: var(--gray-600);
+            border: 1px solid var(--gray-300);
+        }
+        .plan-badge {
+            display: inline-flex;
+            align-items: center;
+            padding: 6px 16px;
+            border-radius: 100px;
+            font-size: 0.8rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .plan-badge.free { background: var(--gray-100); color: var(--gray-600); }
+        .plan-badge.professional { background: var(--primary-bg); color: var(--primary); }
+        .plan-badge.enterprise { background: #f3e8ff; color: #7c3aed; }
+        .password-section {
+            border-top: 1px solid var(--gray-200);
+            padding-top: 24px;
+            margin-top: 24px;
+        }
+        .strength-bar {
+            display: flex;
+            gap: 4px;
+            margin-top: 8px;
+            margin-bottom: 4px;
+        }
+        .strength-segment {
+            flex: 1;
+            height: 4px;
+            border-radius: 2px;
+            background: var(--gray-200);
+            transition: background var(--transition-fast);
+        }
+        .strength-segment.active.weak { background: var(--danger); }
+        .strength-segment.active.fair { background: #f97316; }
+        .strength-segment.active.good { background: var(--warning); }
+        .strength-segment.active.strong { background: var(--secondary); }
+        .strength-text {
+            font-size: 0.7rem;
+            color: var(--gray-500);
+        }
+        .member-role-badge {
+            display: inline-flex;
+            padding: 3px 10px;
+            border-radius: 100px;
+            font-size: 0.7rem;
+            font-weight: 600;
+            text-transform: uppercase;
+            letter-spacing: 0.03em;
+        }
+        .member-role-badge.org_admin { background: var(--primary-bg); color: var(--primary); }
+        .member-role-badge.compliance_manager { background: var(--secondary-bg); color: #15803d; }
+        .member-role-badge.board_member { background: #f3e8ff; color: #7c3aed; }
+        .member-role-badge.auditor { background: var(--info-bg); color: var(--primary); }
+        .member-role-badge.employee { background: var(--gray-100); color: var(--gray-600); }
+        .security-item {
+            padding: 20px;
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            margin-bottom: 16px;
+        }
+        .security-item-header {
+            display: flex;
+            align-items: center;
+            justify-content: space-between;
+            margin-bottom: 8px;
+        }
+        .security-item-title {
+            font-size: 0.9rem;
+            font-weight: 600;
+            color: var(--gray-800);
+        }
+        .security-item-desc {
+            font-size: 0.8125rem;
+            color: var(--gray-500);
+            line-height: 1.5;
+        }
+        .coming-soon-badge {
+            display: inline-flex;
+            padding: 3px 10px;
+            border-radius: 100px;
+            font-size: 0.65rem;
+            font-weight: 700;
+            text-transform: uppercase;
+            letter-spacing: 0.05em;
+            background: var(--gray-100);
+            color: var(--gray-500);
+        }
+        .btn-icon-action {
+            background: none;
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius-sm);
+            color: var(--gray-500);
+            cursor: pointer;
+            padding: 6px;
+            transition: all var(--transition-fast);
+            display: inline-flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .btn-icon-action:hover {
+            border-color: var(--danger);
+            color: var(--danger);
+            background: var(--danger-bg);
+        }
+        .btn-icon-action svg {
+            width: 16px;
+            height: 16px;
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Impostazioni</h2>
+                <div class="content-header-actions">
+                    <span class="text-muted" id="header-org-name"></span>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Tab Navigation -->
+                <div class="settings-tabs">
+                    <button class="settings-tab active" onclick="switchTab('org')">Organizzazione</button>
+                    <button class="settings-tab" onclick="switchTab('profile')">Profilo</button>
+                    <button class="settings-tab" onclick="switchTab('members')">Membri</button>
+                    <button class="settings-tab" onclick="switchTab('security')">Sicurezza</button>
+                </div>
+
+                <!-- ══════════════ TAB: Organizzazione ══════════════ -->
+                <div class="tab-panel active" id="tab-org">
+                    <div class="card">
+                        <div class="card-body">
+                            <div class="settings-section">
+                                <h3 class="settings-section-title">Classificazione NIS2</h3>
+                                <p class="settings-section-desc">La classificazione viene calcolata automaticamente in base a settore, numero di dipendenti e fatturato.</p>
+                                <div id="entity-classification">
+                                    <div class="spinner" style="margin:20px auto;"></div>
+                                </div>
+                            </div>
+
+                            <div class="settings-section">
+                                <h3 class="settings-section-title">Piano di Abbonamento</h3>
+                                <p class="settings-section-desc">Il piano attivo per questa organizzazione.</p>
+                                <div id="subscription-plan">
+                                    <div class="spinner" style="margin:12px 0;"></div>
+                                </div>
+                            </div>
+
+                            <div class="settings-section">
+                                <h3 class="settings-section-title">Dati Organizzazione</h3>
+                                <p class="settings-section-desc">Informazioni generali dell'organizzazione soggetta a compliance NIS2.</p>
+
+                                <form id="org-form" onsubmit="saveOrganization(event)">
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Nome Organizzazione <span class="required">*</span></label>
+                                            <input type="text" class="form-input" id="org-name" required>
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Settore NIS2 <span class="required">*</span></label>
+                                            <select class="form-select" id="org-sector" required>
+                                                <option value="">Seleziona settore...</option>
+                                                <option value="energy">Energia</option>
+                                                <option value="transport">Trasporti</option>
+                                                <option value="banking">Banche</option>
+                                                <option value="health">Sanita'</option>
+                                                <option value="water">Acqua</option>
+                                                <option value="digital_infra">Infrastrutture Digitali</option>
+                                                <option value="public_admin">Pubblica Amministrazione</option>
+                                                <option value="manufacturing">Manifatturiero</option>
+                                                <option value="postal">Servizi Postali</option>
+                                                <option value="chemical">Chimico</option>
+                                                <option value="food">Alimentare</option>
+                                                <option value="waste">Rifiuti</option>
+                                                <option value="ict_services">Servizi ICT</option>
+                                                <option value="digital_providers">Provider Digitali</option>
+                                                <option value="space">Spazio</option>
+                                                <option value="research">Ricerca</option>
+                                                <option value="other">Altro</option>
+                                            </select>
+                                        </div>
+                                    </div>
+
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Partita IVA</label>
+                                            <input type="text" class="form-input" id="org-vat" placeholder="IT12345678901">
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Codice Fiscale</label>
+                                            <input type="text" class="form-input" id="org-fiscal">
+                                        </div>
+                                    </div>
+
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Numero Dipendenti</label>
+                                            <input type="number" class="form-input" id="org-employees" min="0" placeholder="0">
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Fatturato Annuo (EUR)</label>
+                                            <input type="number" class="form-input" id="org-turnover" min="0" step="1000" placeholder="0">
+                                        </div>
+                                    </div>
+
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Paese</label>
+                                            <input type="text" class="form-input" id="org-country" placeholder="IT">
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Citta'</label>
+                                            <input type="text" class="form-input" id="org-city">
+                                        </div>
+                                    </div>
+
+                                    <div class="form-group">
+                                        <label class="form-label">Indirizzo</label>
+                                        <input type="text" class="form-input" id="org-address">
+                                    </div>
+
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Sito Web</label>
+                                            <input type="url" class="form-input" id="org-website" placeholder="https://...">
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Email di Contatto</label>
+                                            <input type="email" class="form-input" id="org-email">
+                                        </div>
+                                    </div>
+
+                                    <div class="form-group">
+                                        <label class="form-label">Telefono di Contatto</label>
+                                        <input type="tel" class="form-input" id="org-phone" style="max-width:320px;">
+                                    </div>
+
+                                    <button type="submit" class="btn btn-primary" id="btn-save-org">
+                                        <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z"/></svg>
+                                        Salva Modifiche
+                                    </button>
+                                </form>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- ══════════════ TAB: Profilo ══════════════ -->
+                <div class="tab-panel" id="tab-profile">
+                    <div class="card mb-24">
+                        <div class="card-header">
+                            <h3>Informazioni Personali</h3>
+                        </div>
+                        <div class="card-body">
+                            <div class="settings-section">
+                                <p class="settings-section-desc">Aggiorna le tue informazioni personali e le preferenze dell'account.</p>
+
+                                <form id="profile-form" onsubmit="saveProfile(event)">
+                                    <div class="form-group">
+                                        <label class="form-label">Email</label>
+                                        <input type="email" class="form-input" id="profile-email" disabled style="background:var(--gray-50); max-width:400px;">
+                                        <span class="form-help">L'email non puo' essere modificata.</span>
+                                    </div>
+
+                                    <div class="form-row">
+                                        <div class="form-group">
+                                            <label class="form-label">Nome Completo <span class="required">*</span></label>
+                                            <input type="text" class="form-input" id="profile-name" required>
+                                        </div>
+                                        <div class="form-group">
+                                            <label class="form-label">Telefono</label>
+                                            <input type="tel" class="form-input" id="profile-phone">
+                                        </div>
+                                    </div>
+
+                                    <div class="form-group" style="max-width:320px;">
+                                        <label class="form-label">Lingua Preferita</label>
+                                        <select class="form-select" id="profile-language">
+                                            <option value="it">Italiano</option>
+                                            <option value="en">English</option>
+                                        </select>
+                                    </div>
+
+                                    <button type="submit" class="btn btn-primary" id="btn-save-profile">
+                                        <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z"/></svg>
+                                        Aggiorna Profilo
+                                    </button>
+                                </form>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="card">
+                        <div class="card-header">
+                            <h3>Cambia Password</h3>
+                        </div>
+                        <div class="card-body">
+                            <p class="settings-section-desc">Per motivi di sicurezza, dopo il cambio password verrai disconnesso da tutte le sessioni.</p>
+
+                            <form id="password-form" onsubmit="changePassword(event)">
+                                <div class="form-group" style="max-width:400px;">
+                                    <label class="form-label">Password Attuale <span class="required">*</span></label>
+                                    <input type="password" class="form-input" id="pw-current" required autocomplete="current-password">
+                                </div>
+
+                                <div class="form-group" style="max-width:400px;">
+                                    <label class="form-label">Nuova Password <span class="required">*</span></label>
+                                    <input type="password" class="form-input" id="pw-new" required autocomplete="new-password" oninput="checkPasswordStrength(this.value)">
+                                    <div class="strength-bar" id="pw-strength-bar">
+                                        <div class="strength-segment" id="pw-seg-1"></div>
+                                        <div class="strength-segment" id="pw-seg-2"></div>
+                                        <div class="strength-segment" id="pw-seg-3"></div>
+                                        <div class="strength-segment" id="pw-seg-4"></div>
+                                    </div>
+                                    <div class="strength-text" id="pw-strength-text"></div>
+                                </div>
+
+                                <div class="form-group" style="max-width:400px;">
+                                    <label class="form-label">Conferma Nuova Password <span class="required">*</span></label>
+                                    <input type="password" class="form-input" id="pw-confirm" required autocomplete="new-password">
+                                </div>
+
+                                <button type="submit" class="btn btn-warning" id="btn-change-pw">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd"/></svg>
+                                    Cambia Password
+                                </button>
+                            </form>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- ══════════════ TAB: Membri ══════════════ -->
+                <div class="tab-panel" id="tab-members">
+                    <div class="card">
+                        <div class="card-header">
+                            <h3>Membri dell'Organizzazione</h3>
+                            <button class="btn btn-primary btn-sm" onclick="showInviteModal()">
+                                <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path fill-rule="evenodd" d="M10 5a1 1 0 011 1v3h3a1 1 0 110 2h-3v3a1 1 0 11-2 0v-3H6a1 1 0 110-2h3V6a1 1 0 011-1z" clip-rule="evenodd"/></svg>
+                                Invita Membro
+                            </button>
+                        </div>
+                        <div class="card-body" style="padding:0;">
+                            <div id="members-container">
+                                <div class="spinner" style="margin:40px auto;"></div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- ══════════════ TAB: Sicurezza ══════════════ -->
+                <div class="tab-panel" id="tab-security">
+                    <div class="card mb-24">
+                        <div class="card-header">
+                            <h3>Sicurezza Account</h3>
+                        </div>
+                        <div class="card-body">
+                            <div class="security-item">
+                                <div class="security-item-header">
+                                    <span class="security-item-title">Sessione Corrente</span>
+                                    <span class="badge badge-success">Attiva</span>
+                                </div>
+                                <p class="security-item-desc" id="session-info">Sessione autenticata tramite token JWT. L'accesso e' protetto da crittografia.</p>
+                            </div>
+
+                            <div class="security-item">
+                                <div class="security-item-header">
+                                    <span class="security-item-title">Autenticazione a Due Fattori (2FA)</span>
+                                    <span class="coming-soon-badge">Prossimamente</span>
+                                </div>
+                                <p class="security-item-desc">L'autenticazione a due fattori aggiunge un ulteriore livello di sicurezza al tuo account. Questa funzionalita' sara' disponibile in un futuro aggiornamento.</p>
+                            </div>
+
+                            <div class="security-item">
+                                <div class="security-item-header">
+                                    <span class="security-item-title">Accesso API</span>
+                                    <span class="badge badge-info">JWT</span>
+                                </div>
+                                <p class="security-item-desc">L'accesso alle API avviene tramite token JWT (JSON Web Token) con scadenza automatica e meccanismo di refresh. Tutti i token vengono invalidati al cambio password.</p>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="card">
+                        <div class="card-header">
+                            <h3>Registro Attivita' Recenti</h3>
+                        </div>
+                        <div class="card-body" style="padding:0;">
+                            <div id="audit-log-container">
+                                <div class="spinner" style="margin:40px auto;"></div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth check ───────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+
+        // ── Init ─────────────────────────────────────────────────
+        loadSidebar();
+
+        let currentOrg = null;
+        let currentUser = null;
+        let currentOrgId = localStorage.getItem('nis2_org_id');
+
+        // Carica dati iniziali
+        loadOrgData();
+        loadProfileData();
+
+        // ── Tab Navigation ───────────────────────────────────────
+        function switchTab(tab) {
+            // Rimuovi active da tutti i tab e pannelli
+            document.querySelectorAll('.settings-tab').forEach(t => t.classList.remove('active'));
+            document.querySelectorAll('.tab-panel').forEach(p => p.classList.remove('active'));
+
+            // Attiva il tab selezionato
+            const tabMap = { org: 0, profile: 1, members: 2, security: 3 };
+            const panelMap = { org: 'tab-org', profile: 'tab-profile', members: 'tab-members', security: 'tab-security' };
+
+            document.querySelectorAll('.settings-tab')[tabMap[tab]].classList.add('active');
+            document.getElementById(panelMap[tab]).classList.add('active');
+
+            // Carica dati del tab se necessario
+            if (tab === 'members') loadMembers();
+            if (tab === 'security') loadAuditLog();
+        }
+
+        // ── Settori NIS2 ─────────────────────────────────────────
+        const sectorLabels = {
+            energy: 'Energia', transport: 'Trasporti', banking: 'Banche',
+            health: 'Sanita\'', water: 'Acqua', digital_infra: 'Infrastrutture Digitali',
+            public_admin: 'Pubblica Amministrazione', manufacturing: 'Manifatturiero',
+            postal: 'Servizi Postali', chemical: 'Chimico', food: 'Alimentare',
+            waste: 'Rifiuti', ict_services: 'Servizi ICT',
+            digital_providers: 'Provider Digitali', space: 'Spazio',
+            research: 'Ricerca', other: 'Altro'
+        };
+
+        const entityTypeLabels = {
+            essential: 'Essenziale',
+            important: 'Importante',
+            not_applicable: 'Non Applicabile'
+        };
+
+        const roleLabels = {
+            org_admin: 'Amministratore',
+            compliance_manager: 'Compliance Manager',
+            board_member: 'Membro CDA',
+            auditor: 'Auditor',
+            employee: 'Dipendente'
+        };
+
+        // ── Organizzazione ───────────────────────────────────────
+        async function loadOrgData() {
+            try {
+                const result = await api.getCurrentOrg();
+                if (result.success && result.data) {
+                    currentOrg = result.data;
+                    fillOrgForm(currentOrg);
+                    renderEntityClassification(currentOrg);
+                    renderSubscriptionPlan(currentOrg);
+                    document.getElementById('header-org-name').textContent = currentOrg.name || '';
+                } else {
+                    showNotification('Impossibile caricare i dati dell\'organizzazione.', 'error');
+                }
+            } catch (e) {
+                console.error('Errore caricamento org:', e);
+            }
+        }
+
+        function fillOrgForm(org) {
+            document.getElementById('org-name').value = org.name || '';
+            document.getElementById('org-sector').value = org.sector || '';
+            document.getElementById('org-vat').value = org.vat_number || '';
+            document.getElementById('org-fiscal').value = org.fiscal_code || '';
+            document.getElementById('org-employees').value = org.employee_count || '';
+            document.getElementById('org-turnover').value = org.annual_turnover_eur || '';
+            document.getElementById('org-country').value = org.country || '';
+            document.getElementById('org-city').value = org.city || '';
+            document.getElementById('org-address').value = org.address || '';
+            document.getElementById('org-website').value = org.website || '';
+            document.getElementById('org-email').value = org.contact_email || '';
+            document.getElementById('org-phone').value = org.contact_phone || '';
+        }
+
+        function renderEntityClassification(org) {
+            const type = org.entity_type || 'not_applicable';
+            const label = entityTypeLabels[type] || 'Non Applicabile';
+
+            let description = '';
+            if (type === 'essential') {
+                description = 'L\'organizzazione rientra tra le entita\' <strong>Essenziali</strong> ai sensi della Direttiva NIS2. Soggetta a supervisione proattiva con sanzioni fino a EUR 10M o 2% del fatturato globale.';
+            } else if (type === 'important') {
+                description = 'L\'organizzazione rientra tra le entita\' <strong>Importanti</strong> ai sensi della Direttiva NIS2. Soggetta a supervisione reattiva con sanzioni fino a EUR 7M o 1,4% del fatturato globale.';
+            } else {
+                description = 'In base ai parametri attuali, l\'organizzazione <strong>non rientra</strong> nell\'ambito di applicazione della Direttiva NIS2. Si consiglia comunque di adottare le best practice di cybersecurity.';
+            }
+
+            document.getElementById('entity-classification').innerHTML = `
+                <div class="entity-badge ${type}">
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="20" height="20"><path fill-rule="evenodd" d="M10 1.944A11.954 11.954 0 012.166 5C2.056 5.649 2 6.319 2 7c0 5.225 3.34 9.67 8 11.317C14.66 16.67 18 12.225 18 7c0-.682-.057-1.35-.166-2.001A11.954 11.954 0 0110 1.944zM11 14a1 1 0 11-2 0 1 1 0 012 0zm0-7a1 1 0 10-2 0v3a1 1 0 102 0V7z" clip-rule="evenodd"/></svg>
+                    Entita' ${label}
+                </div>
+                <p style="font-size:0.8125rem; color:var(--gray-600); line-height:1.6; max-width:640px;">${description}</p>
+            `;
+        }
+
+        function renderSubscriptionPlan(org) {
+            const plan = org.subscription_plan || 'free';
+            const planLabels = { free: 'Free', professional: 'Professional', enterprise: 'Enterprise' };
+            document.getElementById('subscription-plan').innerHTML = `
+                <span class="plan-badge ${plan}">${planLabels[plan] || plan}</span>
+            `;
+        }
+
+        async function saveOrganization(e) {
+            e.preventDefault();
+            if (!currentOrg) return;
+
+            const btn = document.getElementById('btn-save-org');
+            btn.disabled = true;
+            btn.textContent = 'Salvataggio...';
+
+            const data = {
+                name: document.getElementById('org-name').value.trim(),
+                sector: document.getElementById('org-sector').value,
+                vat_number: document.getElementById('org-vat').value.trim(),
+                fiscal_code: document.getElementById('org-fiscal').value.trim(),
+                employee_count: parseInt(document.getElementById('org-employees').value) || 0,
+                annual_turnover_eur: parseFloat(document.getElementById('org-turnover').value) || 0,
+                country: document.getElementById('org-country').value.trim(),
+                city: document.getElementById('org-city').value.trim(),
+                address: document.getElementById('org-address').value.trim(),
+                website: document.getElementById('org-website').value.trim(),
+                contact_email: document.getElementById('org-email').value.trim(),
+                contact_phone: document.getElementById('org-phone').value.trim()
+            };
+
+            try {
+                const result = await api.updateOrganization(currentOrg.id, data);
+                if (result.success) {
+                    showNotification('Organizzazione aggiornata con successo!', 'success');
+                    // Ricarica dati per aggiornare classificazione
+                    loadOrgData();
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            } finally {
+                btn.disabled = false;
+                btn.innerHTML = `
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z"/></svg>
+                    Salva Modifiche`;
+            }
+        }
+
+        // ── Profilo ──────────────────────────────────────────────
+        async function loadProfileData() {
+            try {
+                const result = await api.getMe();
+                if (result.success && result.data) {
+                    currentUser = result.data;
+                    document.getElementById('profile-email').value = currentUser.email || '';
+                    document.getElementById('profile-name').value = currentUser.full_name || '';
+                    document.getElementById('profile-phone').value = currentUser.phone || '';
+                    document.getElementById('profile-language').value = currentUser.preferred_language || 'it';
+                }
+            } catch (e) {
+                console.error('Errore caricamento profilo:', e);
+            }
+        }
+
+        async function saveProfile(e) {
+            e.preventDefault();
+            const btn = document.getElementById('btn-save-profile');
+            btn.disabled = true;
+            btn.textContent = 'Salvataggio...';
+
+            const data = {
+                full_name: document.getElementById('profile-name').value.trim(),
+                phone: document.getElementById('profile-phone').value.trim(),
+                preferred_language: document.getElementById('profile-language').value
+            };
+
+            try {
+                const response = await fetch('/nis2/api/auth/profile', {
+                    method: 'PUT',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Authorization': 'Bearer ' + localStorage.getItem('nis2_access_token')
+                    },
+                    body: JSON.stringify(data)
+                });
+                const result = await response.json();
+
+                if (result.success) {
+                    showNotification('Profilo aggiornato con successo!', 'success');
+                } else {
+                    showNotification(result.message || 'Errore nell\'aggiornamento.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            } finally {
+                btn.disabled = false;
+                btn.innerHTML = `
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z"/></svg>
+                    Aggiorna Profilo`;
+            }
+        }
+
+        // ── Password ─────────────────────────────────────────────
+        function checkPasswordStrength(password) {
+            let score = 0;
+            let label = '';
+            let cls = '';
+
+            if (password.length >= 8) score++;
+            if (password.length >= 12) score++;
+            if (/[A-Z]/.test(password) && /[a-z]/.test(password)) score++;
+            if (/[0-9]/.test(password)) score++;
+            if (/[^A-Za-z0-9]/.test(password)) score++;
+
+            if (score <= 1) { label = 'Debole'; cls = 'weak'; }
+            else if (score <= 2) { label = 'Sufficiente'; cls = 'fair'; }
+            else if (score <= 3) { label = 'Buona'; cls = 'good'; }
+            else { label = 'Forte'; cls = 'strong'; }
+
+            const segments = Math.min(score, 4);
+            for (let i = 1; i <= 4; i++) {
+                const seg = document.getElementById('pw-seg-' + i);
+                seg.className = 'strength-segment';
+                if (i <= segments) {
+                    seg.classList.add('active', cls);
+                }
+            }
+
+            document.getElementById('pw-strength-text').textContent = password.length > 0 ? 'Sicurezza: ' + label : '';
+        }
+
+        async function changePassword(e) {
+            e.preventDefault();
+
+            const currentPw = document.getElementById('pw-current').value;
+            const newPw = document.getElementById('pw-new').value;
+            const confirmPw = document.getElementById('pw-confirm').value;
+
+            if (newPw !== confirmPw) {
+                showNotification('Le password non coincidono.', 'error');
+                return;
+            }
+
+            if (newPw.length < 8) {
+                showNotification('La password deve essere di almeno 8 caratteri.', 'error');
+                return;
+            }
+
+            const btn = document.getElementById('btn-change-pw');
+            btn.disabled = true;
+            btn.textContent = 'Aggiornamento...';
+
+            try {
+                const response = await fetch('/nis2/api/auth/change-password', {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Authorization': 'Bearer ' + localStorage.getItem('nis2_access_token')
+                    },
+                    body: JSON.stringify({
+                        current_password: currentPw,
+                        new_password: newPw
+                    })
+                });
+                const result = await response.json();
+
+                if (result.success) {
+                    showNotification('Password modificata. Verrai disconnesso...', 'success');
+                    setTimeout(() => {
+                        api.clearTokens();
+                        window.location.href = '/nis2/login.html';
+                    }, 2000);
+                } else {
+                    showNotification(result.message || 'Errore nel cambio password.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            } finally {
+                btn.disabled = false;
+                btn.innerHTML = `
+                    <svg viewBox="0 0 20 20" fill="currentColor" width="18" height="18"><path fill-rule="evenodd" d="M5 9V7a5 5 0 0110 0v2a2 2 0 012 2v5a2 2 0 01-2 2H5a2 2 0 01-2-2v-5a2 2 0 012-2zm8-2v2H7V7a3 3 0 016 0z" clip-rule="evenodd"/></svg>
+                    Cambia Password`;
+            }
+        }
+
+        // ── Membri ───────────────────────────────────────────────
+        async function loadMembers() {
+            const container = document.getElementById('members-container');
+            container.innerHTML = '<div class="spinner" style="margin:40px auto;"></div>';
+
+            try {
+                const result = await api.request('GET', '/organizations/' + currentOrgId + '/members');
+                if (result.success && result.data) {
+                    renderMembersTable(result.data);
+                } else {
+                    container.innerHTML = `
+                        <div class="empty-state">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                            <h4>Nessun membro trovato</h4>
+                            <p>Invita i membri del team per collaborare alla compliance NIS2.</p>
+                        </div>`;
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore nel caricamento dei membri</h4></div>';
+            }
+        }
+
+        function renderMembersTable(members) {
+            const container = document.getElementById('members-container');
+
+            if (!members || members.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                        <h4>Nessun membro trovato</h4>
+                        <p>Invita i membri del team per collaborare alla compliance NIS2.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <div class="table-container">
+                    <table>
+                        <thead>
+                            <tr>
+                                <th>Nome</th>
+                                <th>Email</th>
+                                <th>Ruolo</th>
+                                <th>Data Ingresso</th>
+                                <th>Azioni</th>
+                            </tr>
+                        </thead>
+                        <tbody>`;
+
+            members.forEach(m => {
+                const role = m.org_role || 'employee';
+                const roleLabel = roleLabels[role] || role;
+                html += `
+                    <tr>
+                        <td><strong>${escapeHtml(m.full_name || '-')}</strong></td>
+                        <td>${escapeHtml(m.email || '-')}</td>
+                        <td><span class="member-role-badge ${role}">${escapeHtml(roleLabel)}</span></td>
+                        <td>${formatDate(m.joined_at)}</td>
+                        <td>
+                            <button class="btn-icon-action" onclick="removeMember(${m.id}, '${escapeHtml(m.full_name || m.email)}')" title="Rimuovi membro">
+                                <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M9 2a1 1 0 00-.894.553L7.382 4H4a1 1 0 000 2v10a2 2 0 002 2h8a2 2 0 002-2V6a1 1 0 100-2h-3.382l-.724-1.447A1 1 0 0011 2H9zM7 8a1 1 0 012 0v6a1 1 0 11-2 0V8zm5-1a1 1 0 00-1 1v6a1 1 0 102 0V8a1 1 0 00-1-1z" clip-rule="evenodd"/></svg>
+                            </button>
+                        </td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table></div>';
+            container.innerHTML = html;
+        }
+
+        function showInviteModal() {
+            showModal('Invita Membro', `
+                <p style="margin-bottom:16px; font-size:0.875rem; color:var(--gray-600);">Aggiungi un membro esistente alla tua organizzazione. L'utente deve gia' essere registrato sulla piattaforma.</p>
+                <div class="form-group">
+                    <label class="form-label">Email del Membro <span class="required">*</span></label>
+                    <input type="email" class="form-input" id="invite-email" placeholder="utente@esempio.it" required>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Ruolo <span class="required">*</span></label>
+                    <select class="form-select" id="invite-role">
+                        <option value="employee">Dipendente</option>
+                        <option value="compliance_manager">Compliance Manager</option>
+                        <option value="board_member">Membro CDA</option>
+                        <option value="auditor">Auditor</option>
+                        <option value="org_admin">Amministratore</option>
+                    </select>
+                </div>
+            `, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="doInviteMember()">Invita</button>
+                `
+            });
+        }
+
+        async function doInviteMember() {
+            const email = document.getElementById('invite-email').value.trim();
+            const role = document.getElementById('invite-role').value;
+
+            if (!email) {
+                showNotification('Inserisci l\'email del membro.', 'warning');
+                return;
+            }
+
+            closeModal();
+
+            try {
+                const result = await api.request('POST', '/organizations/' + currentOrgId + '/invite', {
+                    email: email,
+                    role: role
+                });
+
+                if (result.success) {
+                    showNotification('Membro aggiunto con successo!', 'success');
+                    loadMembers();
+                } else {
+                    showNotification(result.message || 'Errore nell\'invito.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        async function removeMember(userId, name) {
+            showModal('Conferma Rimozione', `
+                <p style="font-size:0.875rem; color:var(--gray-700);">
+                    Sei sicuro di voler rimuovere <strong>${escapeHtml(name)}</strong> dall'organizzazione?
+                </p>
+                <p style="font-size:0.8125rem; color:var(--gray-500); margin-top:8px;">
+                    L'utente perdera' l'accesso a tutti i dati dell'organizzazione. Questa azione non puo' essere annullata.
+                </p>
+            `, {
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-danger" onclick="doRemoveMember(${userId})">Rimuovi</button>
+                `
+            });
+        }
+
+        async function doRemoveMember(userId) {
+            closeModal();
+
+            try {
+                const result = await api.request('DELETE', '/organizations/' + currentOrgId + '/members/' + userId);
+                if (result.success) {
+                    showNotification('Membro rimosso con successo.', 'success');
+                    loadMembers();
+                } else {
+                    showNotification(result.message || 'Errore nella rimozione.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Audit Log ────────────────────────────────────────────
+        async function loadAuditLog() {
+            const container = document.getElementById('audit-log-container');
+            container.innerHTML = '<div class="spinner" style="margin:40px auto;"></div>';
+
+            try {
+                const result = await api.getAuditLogs({ limit: 20 });
+                if (result.success && result.data && result.data.length > 0) {
+                    let html = `
+                        <div class="table-container">
+                            <table>
+                                <thead>
+                                    <tr>
+                                        <th>Azione</th>
+                                        <th>Tipo</th>
+                                        <th>Data</th>
+                                    </tr>
+                                </thead>
+                                <tbody>`;
+
+                    const actionLabels = {
+                        user_login: 'Accesso effettuato',
+                        user_logout: 'Disconnessione',
+                        user_registered: 'Registrazione utente',
+                        profile_updated: 'Profilo aggiornato',
+                        password_changed: 'Password modificata',
+                        organization_created: 'Organizzazione creata',
+                        organization_updated: 'Organizzazione aggiornata',
+                        member_invited: 'Membro invitato',
+                        member_removed: 'Membro rimosso',
+                        assessment_created: 'Assessment creato',
+                        assessment_completed: 'Assessment completato',
+                        risk_created: 'Rischio creato',
+                        risk_updated: 'Rischio aggiornato',
+                        incident_created: 'Incidente creato',
+                        policy_created: 'Policy creata',
+                        policy_approved: 'Policy approvata'
+                    };
+
+                    result.data.forEach(log => {
+                        html += `
+                            <tr>
+                                <td>${escapeHtml(actionLabels[log.action] || log.action || '-')}</td>
+                                <td><span class="badge badge-neutral">${escapeHtml(log.entity_type || '-')}</span></td>
+                                <td>${formatDateTime(log.created_at)}</td>
+                            </tr>`;
+                    });
+
+                    html += '</tbody></table></div>';
+                    container.innerHTML = html;
+                } else {
+                    container.innerHTML = `
+                        <div class="empty-state">
+                            <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm1-12a1 1 0 10-2 0v4a1 1 0 00.293.707l2.828 2.829a1 1 0 101.415-1.415L11 9.586V6z" clip-rule="evenodd"/></svg>
+                            <h4>Nessuna attivita' registrata</h4>
+                            <p>Le attivita' del tuo account appariranno qui.</p>
+                        </div>`;
+                }
+            } catch (e) {
+                container.innerHTML = `
+                    <div class="empty-state">
+                        <h4>Impossibile caricare il registro</h4>
+                        <p>Riprova piu' tardi.</p>
+                    </div>`;
+            }
+        }
+    </script>
+</body>
+</html>
diff --git a/public/supply-chain.html b/public/supply-chain.html
new file mode 100644
index 0000000..57db032
--- /dev/null
+++ b/public/supply-chain.html
@@ -0,0 +1,1133 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Supply Chain - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Supply Chain Page Styles ─────────────────────────── */
+        .filters-bar {
+            display: flex;
+            gap: 12px;
+            align-items: center;
+            flex-wrap: wrap;
+            margin-bottom: 20px;
+        }
+        .filters-bar .form-select {
+            min-width: 180px;
+            padding: 8px 12px;
+            font-size: 0.85rem;
+        }
+
+        .supplier-actions {
+            display: flex;
+            gap: 6px;
+        }
+        .supplier-actions .btn {
+            padding: 5px 10px;
+            font-size: 0.75rem;
+        }
+
+        /* Risk overview cards */
+        .risk-overview {
+            display: grid;
+            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+            gap: 16px;
+            margin-bottom: 24px;
+        }
+        .risk-card {
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 20px;
+            text-align: center;
+        }
+        .risk-card-value {
+            font-size: 2rem;
+            font-weight: 700;
+            color: var(--gray-900);
+            line-height: 1;
+        }
+        .risk-card-label {
+            font-size: 0.78rem;
+            color: var(--gray-500);
+            margin-top: 6px;
+            font-weight: 500;
+        }
+        .risk-card-value.danger { color: var(--danger); }
+        .risk-card-value.warning { color: var(--warning); }
+        .risk-card-value.success { color: var(--secondary); }
+
+        /* Criticality bar chart */
+        .criticality-chart {
+            display: flex;
+            gap: 16px;
+            align-items: flex-end;
+            height: 140px;
+            padding: 16px 0;
+        }
+        .chart-bar-group {
+            flex: 1;
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            gap: 8px;
+        }
+        .chart-bar {
+            width: 48px;
+            border-radius: 4px 4px 0 0;
+            transition: height 0.5s ease;
+            min-height: 4px;
+            position: relative;
+        }
+        .chart-bar-value {
+            position: absolute;
+            top: -20px;
+            left: 50%;
+            transform: translateX(-50%);
+            font-size: 0.75rem;
+            font-weight: 700;
+            color: var(--gray-700);
+        }
+        .chart-bar-label {
+            font-size: 0.72rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            text-transform: uppercase;
+        }
+
+        /* Risk score progress */
+        .risk-score-bar {
+            width: 100%;
+            height: 8px;
+            background: var(--gray-200);
+            border-radius: 4px;
+            overflow: hidden;
+            display: inline-flex;
+            min-width: 80px;
+        }
+        .risk-score-fill {
+            height: 100%;
+            border-radius: 4px;
+            transition: width 0.4s ease;
+        }
+        .risk-score-cell {
+            display: flex;
+            align-items: center;
+            gap: 8px;
+        }
+        .risk-score-value {
+            font-weight: 600;
+            font-size: 0.82rem;
+            min-width: 32px;
+            text-align: right;
+        }
+
+        /* Detail view */
+        .detail-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: flex-start;
+            margin-bottom: 24px;
+            gap: 16px;
+        }
+        .detail-header h3 {
+            font-size: 1.25rem;
+            color: var(--gray-900);
+        }
+        .detail-header-actions {
+            display: flex;
+            gap: 8px;
+            flex-shrink: 0;
+        }
+
+        .detail-grid {
+            display: grid;
+            grid-template-columns: 1fr 320px;
+            gap: 24px;
+        }
+        @media (max-width: 900px) {
+            .detail-grid {
+                grid-template-columns: 1fr;
+            }
+        }
+
+        .info-grid {
+            display: grid;
+            grid-template-columns: 1fr 1fr;
+            gap: 0;
+        }
+        .info-item {
+            padding: 12px 16px;
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .info-item:nth-child(odd) {
+            border-right: 1px solid var(--gray-100);
+        }
+        .info-item-label {
+            font-size: 0.72rem;
+            font-weight: 600;
+            color: var(--gray-400);
+            text-transform: uppercase;
+            letter-spacing: 0.04em;
+            margin-bottom: 4px;
+        }
+        .info-item-value {
+            font-size: 0.875rem;
+            color: var(--gray-800);
+            font-weight: 500;
+        }
+
+        .meta-card {
+            background: var(--card-bg);
+            border: 1px solid var(--gray-200);
+            border-radius: var(--border-radius);
+            padding: 20px;
+            margin-bottom: 16px;
+        }
+        .meta-card h4 {
+            font-size: 0.85rem;
+            font-weight: 600;
+            color: var(--gray-800);
+            margin-bottom: 16px;
+            padding-bottom: 12px;
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .meta-row {
+            display: flex;
+            justify-content: space-between;
+            padding: 8px 0;
+            font-size: 0.82rem;
+            border-bottom: 1px solid var(--gray-50);
+        }
+        .meta-row:last-child { border-bottom: none; }
+        .meta-label { color: var(--gray-500); font-weight: 500; }
+        .meta-value { color: var(--gray-800); font-weight: 600; text-align: right; }
+
+        /* Score gauge (ring) */
+        .score-ring {
+            width: 120px;
+            height: 120px;
+            margin: 0 auto 12px;
+            position: relative;
+        }
+        .score-ring svg {
+            transform: rotate(-90deg);
+        }
+        .score-ring-bg {
+            fill: none;
+            stroke: var(--gray-200);
+            stroke-width: 8;
+        }
+        .score-ring-fill {
+            fill: none;
+            stroke-width: 8;
+            stroke-linecap: round;
+            transition: stroke-dashoffset 0.6s ease;
+        }
+        .score-ring-value {
+            position: absolute;
+            top: 50%;
+            left: 50%;
+            transform: translate(-50%, -50%);
+            text-align: center;
+        }
+        .score-ring-number {
+            font-size: 1.75rem;
+            font-weight: 700;
+            line-height: 1;
+        }
+        .score-ring-label {
+            font-size: 0.65rem;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            font-weight: 600;
+        }
+
+        /* Assessment questions */
+        .assessment-question {
+            padding: 14px 0;
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .assessment-question:last-child { border-bottom: none; }
+        .assessment-question-text {
+            font-size: 0.875rem;
+            color: var(--gray-800);
+            margin-bottom: 10px;
+            font-weight: 500;
+        }
+        .assessment-options {
+            display: flex;
+            gap: 8px;
+        }
+        .assessment-option {
+            padding: 6px 16px;
+            border: 1px solid var(--gray-200);
+            border-radius: 100px;
+            font-size: 0.78rem;
+            font-weight: 600;
+            cursor: pointer;
+            transition: all var(--transition-fast);
+            background: var(--card-bg);
+            color: var(--gray-600);
+        }
+        .assessment-option:hover {
+            border-color: var(--primary);
+            color: var(--primary);
+        }
+        .assessment-option.selected {
+            background: var(--primary);
+            border-color: var(--primary);
+            color: #fff;
+        }
+        .assessment-option.selected-partial {
+            background: var(--warning-bg);
+            border-color: var(--warning);
+            color: #a16207;
+        }
+        .assessment-option.selected-no {
+            background: var(--danger-bg);
+            border-color: var(--danger);
+            color: var(--danger);
+        }
+
+        .assessment-score-preview {
+            margin-top: 16px;
+            padding: 16px;
+            background: var(--gray-50);
+            border-radius: var(--border-radius);
+            text-align: center;
+        }
+        .assessment-score-preview .score-val {
+            font-size: 2rem;
+            font-weight: 700;
+        }
+        .assessment-score-preview .score-label {
+            font-size: 0.78rem;
+            color: var(--gray-500);
+        }
+
+        /* Assessment history */
+        .assessment-history-item {
+            display: flex;
+            align-items: center;
+            gap: 12px;
+            padding: 10px 0;
+            border-bottom: 1px solid var(--gray-100);
+            font-size: 0.82rem;
+        }
+        .assessment-history-item:last-child { border-bottom: none; }
+        .assessment-history-date {
+            color: var(--gray-500);
+            min-width: 80px;
+        }
+        .assessment-history-score {
+            font-weight: 700;
+        }
+
+        .loading-overlay {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 60px 20px;
+            flex-direction: column;
+            gap: 12px;
+            color: var(--gray-500);
+        }
+        .loading-overlay .spinner {
+            width: 32px;
+            height: 32px;
+            border: 3px solid var(--gray-200);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+        }
+        @keyframes spin {
+            to { transform: rotate(360deg); }
+        }
+
+        .text-link {
+            color: var(--primary);
+            cursor: pointer;
+            font-weight: 500;
+        }
+        .text-link:hover {
+            text-decoration: underline;
+        }
+
+        .content-header-actions {
+            display: flex;
+            gap: 8px;
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Supply Chain</h2>
+                <div class="content-header-actions">
+                    <button class="btn btn-primary" onclick="openCreateModal()">+ Nuovo Fornitore</button>
+                </div>
+            </header>
+
+            <div class="content-body" id="page-content">
+                <!-- Risk Overview -->
+                <div class="risk-overview" id="risk-overview">
+                    <div class="risk-card">
+                        <div class="risk-card-value" id="stat-total">--</div>
+                        <div class="risk-card-label">Totale Fornitori</div>
+                    </div>
+                    <div class="risk-card">
+                        <div class="risk-card-value danger" id="stat-critical">--</div>
+                        <div class="risk-card-label">Critici Non Conformi</div>
+                    </div>
+                    <div class="risk-card">
+                        <div class="risk-card-value warning" id="stat-expiring">--</div>
+                        <div class="risk-card-label">Contratti in Scadenza</div>
+                    </div>
+                    <div class="risk-card">
+                        <div class="risk-card-value success" id="stat-avg-score">--</div>
+                        <div class="risk-card-label">Score Rischio Medio</div>
+                    </div>
+                </div>
+
+                <!-- Criticality Chart -->
+                <div class="card mb-24">
+                    <div class="card-header">
+                        <h3>Distribuzione Criticita'</h3>
+                    </div>
+                    <div class="card-body">
+                        <div class="criticality-chart" id="criticality-chart">
+                            <div class="chart-bar-group">
+                                <div class="chart-bar" id="chart-bar-critical" style="height:0;background:var(--danger);"><span class="chart-bar-value" id="chart-val-critical">0</span></div>
+                                <span class="chart-bar-label">Critico</span>
+                            </div>
+                            <div class="chart-bar-group">
+                                <div class="chart-bar" id="chart-bar-high" style="height:0;background:#f97316;"><span class="chart-bar-value" id="chart-val-high">0</span></div>
+                                <span class="chart-bar-label">Alto</span>
+                            </div>
+                            <div class="chart-bar-group">
+                                <div class="chart-bar" id="chart-bar-medium" style="height:0;background:var(--warning);"><span class="chart-bar-value" id="chart-val-medium">0</span></div>
+                                <span class="chart-bar-label">Medio</span>
+                            </div>
+                            <div class="chart-bar-group">
+                                <div class="chart-bar" id="chart-bar-low" style="height:0;background:var(--secondary);"><span class="chart-bar-value" id="chart-val-low">0</span></div>
+                                <span class="chart-bar-label">Basso</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Filters + Table -->
+                <div id="suppliers-list-section">
+                    <div class="filters-bar">
+                        <select class="form-select" id="filter-criticality" onchange="applyFilters()">
+                            <option value="">Tutte le Criticita'</option>
+                            <option value="critical">Critico</option>
+                            <option value="high">Alto</option>
+                            <option value="medium">Medio</option>
+                            <option value="low">Basso</option>
+                        </select>
+                        <select class="form-select" id="filter-status" onchange="applyFilters()">
+                            <option value="">Tutti gli Stati</option>
+                            <option value="active">Attivo</option>
+                            <option value="under_review">In Revisione</option>
+                            <option value="suspended">Sospeso</option>
+                            <option value="terminated">Terminato</option>
+                        </select>
+                    </div>
+
+                    <div class="card">
+                        <div class="table-container" id="suppliers-table">
+                            <div class="loading-overlay">
+                                <div class="spinner"></div>
+                                <span>Caricamento fornitori...</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Detail View (hidden by default) -->
+                <div id="supplier-detail-view" style="display:none;"></div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ─────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ──────────────────────────────────────────────
+        const CRITICALITY_LABELS = {
+            low: 'Basso',
+            medium: 'Medio',
+            high: 'Alto',
+            critical: 'Critico'
+        };
+
+        const CRITICALITY_BADGE_CLASS = {
+            low: 'badge-success',
+            medium: 'badge-warning',
+            high: 'badge-danger',
+            critical: 'badge-danger'
+        };
+
+        const STATUS_LABELS = {
+            active: 'Attivo',
+            under_review: 'In Revisione',
+            suspended: 'Sospeso',
+            terminated: 'Terminato'
+        };
+
+        const STATUS_BADGE_CLASS = {
+            active: 'badge-success',
+            under_review: 'badge-info',
+            suspended: 'badge-warning',
+            terminated: 'badge-neutral'
+        };
+
+        // ── Assessment Questions ────────────────────────────────
+        const ASSESSMENT_QUESTIONS = [
+            { id: 'security_certs', text: 'Il fornitore ha certificazioni di sicurezza (ISO 27001, SOC2)?', weight: 2 },
+            { id: 'security_sla', text: 'Esistono SLA definiti per la sicurezza?', weight: 1.5 },
+            { id: 'incident_plan', text: 'Il fornitore ha un piano di incident response?', weight: 2 },
+            { id: 'data_encryption', text: 'I dati sono crittografati in transito e a riposo?', weight: 2 },
+            { id: 'periodic_audits', text: 'Il fornitore effettua audit periodici?', weight: 1.5 },
+            { id: 'access_control', text: 'Il fornitore implementa controlli di accesso robusti?', weight: 1 },
+            { id: 'data_backup', text: 'Il fornitore dispone di procedure di backup e disaster recovery?', weight: 1.5 },
+            { id: 'compliance_gdpr', text: 'Il fornitore e\' conforme al GDPR?', weight: 1 },
+            { id: 'security_training', text: 'Il personale del fornitore riceve formazione sulla sicurezza?', weight: 1 },
+            { id: 'vulnerability_mgmt', text: 'Il fornitore gestisce attivamente le vulnerabilita\'?', weight: 1.5 }
+        ];
+
+        // ── State ───────────────────────────────────────────────
+        let allSuppliers = [];
+        let currentView = 'list';
+
+        // ── Load Suppliers ──────────────────────────────────────
+        async function loadSuppliers() {
+            const container = document.getElementById('suppliers-table');
+            container.innerHTML = '<div class="loading-overlay"><div class="spinner"></div><span>Caricamento fornitori...</span></div>';
+
+            try {
+                const result = await api.listSuppliers();
+                if (result.success) {
+                    allSuppliers = result.data || [];
+                    updateRiskOverview(allSuppliers);
+                    updateCriticalityChart(allSuppliers);
+                    applyFilters();
+                } else {
+                    container.innerHTML = '<div class="empty-state"><h4>Errore nel caricamento</h4><p>' + escapeHtml(result.message || '') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4><p>Impossibile caricare i fornitori.</p></div>';
+            }
+        }
+
+        function applyFilters() {
+            const criticality = document.getElementById('filter-criticality').value;
+            const status = document.getElementById('filter-status').value;
+
+            let filtered = allSuppliers;
+            if (criticality) {
+                filtered = filtered.filter(s => s.criticality === criticality);
+            }
+            if (status) {
+                filtered = filtered.filter(s => s.status === status);
+            }
+
+            renderSuppliersTable(filtered);
+        }
+
+        function updateRiskOverview(suppliers) {
+            const total = suppliers.length;
+            const criticalNonCompliant = suppliers.filter(s =>
+                (s.criticality === 'critical' || s.criticality === 'high') && !s.security_requirements_met
+            ).length;
+
+            const today = new Date();
+            const in90Days = new Date(today.getTime() + 90 * 86400000);
+            const expiring = suppliers.filter(s => {
+                if (!s.contract_expiry_date || s.status !== 'active') return false;
+                const exp = new Date(s.contract_expiry_date);
+                return exp <= in90Days && exp >= today;
+            }).length;
+
+            const scored = suppliers.filter(s => s.risk_score != null && s.risk_score !== '');
+            const avgScore = scored.length > 0
+                ? Math.round(scored.reduce((sum, s) => sum + Number(s.risk_score), 0) / scored.length)
+                : 0;
+
+            document.getElementById('stat-total').textContent = total;
+            document.getElementById('stat-critical').textContent = criticalNonCompliant;
+            document.getElementById('stat-expiring').textContent = expiring;
+            document.getElementById('stat-avg-score').textContent = avgScore > 0 ? avgScore + '/100' : '-';
+        }
+
+        function updateCriticalityChart(suppliers) {
+            const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+            suppliers.forEach(s => {
+                if (counts.hasOwnProperty(s.criticality)) {
+                    counts[s.criticality]++;
+                }
+            });
+
+            const maxCount = Math.max(...Object.values(counts), 1);
+
+            Object.entries(counts).forEach(([level, count]) => {
+                const bar = document.getElementById('chart-bar-' + level);
+                const val = document.getElementById('chart-val-' + level);
+                if (bar) {
+                    const height = maxCount > 0 ? Math.max((count / maxCount) * 100, count > 0 ? 10 : 4) : 4;
+                    bar.style.height = height + 'px';
+                }
+                if (val) val.textContent = count;
+            });
+        }
+
+        function renderSuppliersTable(suppliers) {
+            const container = document.getElementById('suppliers-table');
+
+            if (!suppliers || suppliers.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state" style="padding:40px 20px;">
+                        <svg viewBox="0 0 20 20" fill="currentColor" style="width:48px;height:48px;color:var(--gray-300);">
+                            <path fill-rule="evenodd" d="M12.586 4.586a2 2 0 112.828 2.828l-3 3a2 2 0 01-2.828 0 1 1 0 00-1.414 1.414 4 4 0 005.656 0l3-3a4 4 0 00-5.656-5.656l-1.5 1.5a1 1 0 101.414 1.414l1.5-1.5zm-5 5a2 2 0 012.828 0 1 1 0 101.414-1.414 4 4 0 00-5.656 0l-3 3a4 4 0 105.656 5.656l1.5-1.5a1 1 0 10-1.414-1.414l-1.5 1.5a2 2 0 11-2.828-2.828l3-3z" clip-rule="evenodd"/>
+                        </svg>
+                        <h4>Nessun fornitore trovato</h4>
+                        <p>Aggiungi il tuo primo fornitore per iniziare il monitoraggio della supply chain.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table>
+                    <thead>
+                        <tr>
+                            <th>Nome</th>
+                            <th>Tipo Servizio</th>
+                            <th>Criticita'</th>
+                            <th>Score Rischio</th>
+                            <th>Stato</th>
+                            <th>Ultima Valutazione</th>
+                            <th>Azioni</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            suppliers.forEach(s => {
+                const critLabel = CRITICALITY_LABELS[s.criticality] || s.criticality || '-';
+                const critBadge = CRITICALITY_BADGE_CLASS[s.criticality] || 'badge-neutral';
+                const statusLabel = STATUS_LABELS[s.status] || s.status || 'Attivo';
+                const statusBadge = STATUS_BADGE_CLASS[s.status] || 'badge-neutral';
+                const riskScore = s.risk_score != null && s.risk_score !== '' ? Number(s.risk_score) : null;
+                const scoreColor = riskScore !== null ? getScoreColor(riskScore) : 'var(--gray-300)';
+
+                html += `
+                    <tr>
+                        <td>
+                            <span class="text-link" onclick="viewSupplier(${s.id})">${escapeHtml(s.name)}</span>
+                        </td>
+                        <td>${escapeHtml(s.service_type || '-')}</td>
+                        <td>
+                            <span class="badge ${critBadge}">${escapeHtml(critLabel)}</span>
+                        </td>
+                        <td>
+                            <div class="risk-score-cell">
+                                <div class="risk-score-bar">
+                                    <div class="risk-score-fill" style="width:${riskScore !== null ? riskScore : 0}%;background:${scoreColor};"></div>
+                                </div>
+                                <span class="risk-score-value" style="color:${scoreColor};">${riskScore !== null ? riskScore : '-'}</span>
+                            </div>
+                        </td>
+                        <td><span class="badge ${statusBadge}">${escapeHtml(statusLabel)}</span></td>
+                        <td>${formatDate(s.last_assessment_date)}</td>
+                        <td>
+                            <div class="supplier-actions">
+                                <button class="btn btn-sm btn-ghost" onclick="viewSupplier(${s.id})" title="Visualizza">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path d="M10 12a2 2 0 100-4 2 2 0 000 4z"/><path fill-rule="evenodd" d="M.458 10C1.732 5.943 5.522 3 10 3s8.268 2.943 9.542 7c-1.274 4.057-5.064 7-9.542 7S1.732 14.057.458 10zM14 10a4 4 0 11-8 0 4 4 0 018 0z" clip-rule="evenodd"/></svg>
+                                </button>
+                                <button class="btn btn-sm btn-ghost" onclick="openEditModal(${s.id})" title="Modifica">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                                </button>
+                                <button class="btn btn-sm btn-primary" onclick="openAssessmentModal(${s.id})" title="Valuta">
+                                    <svg viewBox="0 0 20 20" fill="currentColor" width="14" height="14"><path d="M9 2a1 1 0 000 2h2a1 1 0 100-2H9z"/><path fill-rule="evenodd" d="M4 5a2 2 0 012-2 3 3 0 003 3h2a3 3 0 003-3 2 2 0 012 2v11a2 2 0 01-2 2H6a2 2 0 01-2-2V5zm9.707 5.707a1 1 0 00-1.414-1.414L9 12.586l-1.293-1.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/></svg>
+                                </button>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        // ── View Supplier Detail ────────────────────────────────
+        async function viewSupplier(id) {
+            // Hide overview and list
+            document.getElementById('risk-overview').style.display = 'none';
+            document.querySelector('.card.mb-24').style.display = 'none';
+            document.getElementById('suppliers-list-section').style.display = 'none';
+
+            const detailView = document.getElementById('supplier-detail-view');
+            detailView.style.display = 'block';
+            detailView.innerHTML = '<div class="loading-overlay"><div class="spinner"></div><span>Caricamento dettagli...</span></div>';
+            currentView = 'detail';
+
+            try {
+                const result = await api.getSupplier(id);
+                if (result.success && result.data) {
+                    renderSupplierDetail(result.data);
+                } else {
+                    detailView.innerHTML = '<div class="empty-state"><h4>Fornitore non trovato</h4></div>';
+                }
+            } catch (e) {
+                detailView.innerHTML = '<div class="empty-state"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderSupplierDetail(supplier) {
+            const detailView = document.getElementById('supplier-detail-view');
+            const critLabel = CRITICALITY_LABELS[supplier.criticality] || supplier.criticality || '-';
+            const critBadge = CRITICALITY_BADGE_CLASS[supplier.criticality] || 'badge-neutral';
+            const statusLabel = STATUS_LABELS[supplier.status] || supplier.status || 'Attivo';
+            const statusBadge = STATUS_BADGE_CLASS[supplier.status] || 'badge-neutral';
+            const riskScore = supplier.risk_score != null && supplier.risk_score !== '' ? Number(supplier.risk_score) : null;
+            const scoreColor = riskScore !== null ? getScoreColor(riskScore) : 'var(--gray-300)';
+
+            // Score ring SVG
+            const ringSize = 120;
+            const ringRadius = (ringSize / 2) - 10;
+            const ringCircumference = 2 * Math.PI * ringRadius;
+            const ringOffset = riskScore !== null
+                ? ringCircumference - (riskScore / 100) * ringCircumference
+                : ringCircumference;
+
+            detailView.innerHTML = `
+                <div class="detail-header">
+                    <div>
+                        <div style="margin-bottom:8px;">
+                            <span class="text-link" onclick="backToList()" style="font-size:0.82rem;">
+                                &larr; Torna all'elenco
+                            </span>
+                        </div>
+                        <h3>${escapeHtml(supplier.name)}</h3>
+                        <div style="margin-top:8px;display:flex;gap:8px;">
+                            <span class="badge ${critBadge}">${escapeHtml(critLabel)}</span>
+                            <span class="badge ${statusBadge}">${escapeHtml(statusLabel)}</span>
+                            ${supplier.security_requirements_met ? '<span class="badge badge-success">Conforme</span>' : '<span class="badge badge-danger">Non Conforme</span>'}
+                        </div>
+                    </div>
+                    <div class="detail-header-actions">
+                        <button class="btn btn-primary" onclick="openAssessmentModal(${supplier.id})">
+                            <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path d="M9 2a1 1 0 000 2h2a1 1 0 100-2H9z"/><path fill-rule="evenodd" d="M4 5a2 2 0 012-2 3 3 0 003 3h2a3 3 0 003-3 2 2 0 012 2v11a2 2 0 01-2 2H6a2 2 0 01-2-2V5zm9.707 5.707a1 1 0 00-1.414-1.414L9 12.586l-1.293-1.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/></svg>
+                            Valuta Fornitore
+                        </button>
+                        <button class="btn btn-secondary" onclick="openEditModal(${supplier.id})">
+                            <svg viewBox="0 0 20 20" fill="currentColor" width="16" height="16"><path d="M13.586 3.586a2 2 0 112.828 2.828l-.793.793-2.828-2.828.793-.793zM11.379 5.793L3 14.172V17h2.828l8.38-8.379-2.83-2.828z"/></svg>
+                            Modifica
+                        </button>
+                    </div>
+                </div>
+
+                <div class="detail-grid">
+                    <div>
+                        <div class="card" style="margin-bottom:16px;">
+                            <div class="card-header">
+                                <h3>Informazioni Fornitore</h3>
+                            </div>
+                            <div class="card-body" style="padding:0;">
+                                <div class="info-grid">
+                                    <div class="info-item">
+                                        <div class="info-item-label">Nome</div>
+                                        <div class="info-item-value">${escapeHtml(supplier.name)}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Partita IVA</div>
+                                        <div class="info-item-value">${escapeHtml(supplier.vat_number || '-')}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Referente</div>
+                                        <div class="info-item-value">${escapeHtml(supplier.contact_name || '-')}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Email</div>
+                                        <div class="info-item-value">${supplier.contact_email ? '<a href="mailto:' + escapeHtml(supplier.contact_email) + '">' + escapeHtml(supplier.contact_email) + '</a>' : '-'}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Tipo Servizio</div>
+                                        <div class="info-item-value">${escapeHtml(supplier.service_type || '-')}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Criticita'</div>
+                                        <div class="info-item-value"><span class="badge ${critBadge}">${escapeHtml(critLabel)}</span></div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Inizio Contratto</div>
+                                        <div class="info-item-value">${formatDate(supplier.contract_start_date)}</div>
+                                    </div>
+                                    <div class="info-item">
+                                        <div class="info-item-label">Scadenza Contratto</div>
+                                        <div class="info-item-value">${formatDate(supplier.contract_expiry_date)}</div>
+                                    </div>
+                                </div>
+                            </div>
+                        </div>
+
+                        ${supplier.service_description ? `
+                        <div class="card" style="margin-bottom:16px;">
+                            <div class="card-header"><h3>Descrizione Servizio</h3></div>
+                            <div class="card-body">
+                                <p style="font-size:0.875rem;color:var(--gray-700);white-space:pre-wrap;">${escapeHtml(supplier.service_description)}</p>
+                            </div>
+                        </div>` : ''}
+
+                        ${supplier.notes ? `
+                        <div class="card">
+                            <div class="card-header"><h3>Note</h3></div>
+                            <div class="card-body">
+                                <p style="font-size:0.875rem;color:var(--gray-700);white-space:pre-wrap;">${escapeHtml(supplier.notes)}</p>
+                            </div>
+                        </div>` : ''}
+                    </div>
+
+                    <div>
+                        <!-- Risk Score Gauge -->
+                        <div class="meta-card" style="text-align:center;">
+                            <h4 style="text-align:left;">Score Rischio</h4>
+                            <div class="score-ring">
+                                <svg width="${ringSize}" height="${ringSize}" viewBox="0 0 ${ringSize} ${ringSize}">
+                                    <circle class="score-ring-bg" cx="${ringSize/2}" cy="${ringSize/2}" r="${ringRadius}"/>
+                                    <circle class="score-ring-fill" cx="${ringSize/2}" cy="${ringSize/2}" r="${ringRadius}"
+                                        stroke="${scoreColor}"
+                                        stroke-dasharray="${ringCircumference}"
+                                        stroke-dashoffset="${ringOffset}"/>
+                                </svg>
+                                <div class="score-ring-value">
+                                    <div class="score-ring-number" style="color:${scoreColor};">${riskScore !== null ? riskScore : '-'}</div>
+                                    <div class="score-ring-label">su 100</div>
+                                </div>
+                            </div>
+                            <p style="font-size:0.78rem;color:var(--gray-500);margin-top:8px;">
+                                ${riskScore !== null
+                                    ? (riskScore >= 70 ? 'Requisiti di sicurezza soddisfatti' : 'Requisiti di sicurezza non soddisfatti')
+                                    : 'Nessuna valutazione effettuata'}
+                            </p>
+                        </div>
+
+                        <!-- Assessment Info -->
+                        <div class="meta-card">
+                            <h4>Valutazione</h4>
+                            <div class="meta-row">
+                                <span class="meta-label">Ultima Valutazione</span>
+                                <span class="meta-value">${formatDate(supplier.last_assessment_date)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Prossima Valutazione</span>
+                                <span class="meta-value">${formatDate(supplier.next_assessment_date)}</span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Requisiti Sicurezza</span>
+                                <span class="meta-value">
+                                    ${supplier.security_requirements_met
+                                        ? '<span class="badge badge-success">Soddisfatti</span>'
+                                        : '<span class="badge badge-danger">Non Soddisfatti</span>'}
+                                </span>
+                            </div>
+                            <div class="meta-row">
+                                <span class="meta-label">Creato il</span>
+                                <span class="meta-value">${formatDate(supplier.created_at)}</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            `;
+        }
+
+        function backToList() {
+            document.getElementById('supplier-detail-view').style.display = 'none';
+            document.getElementById('risk-overview').style.display = '';
+            document.querySelector('.card.mb-24').style.display = '';
+            document.getElementById('suppliers-list-section').style.display = '';
+            currentView = 'list';
+        }
+
+        // ── Create / Edit Modal ─────────────────────────────────
+        function openCreateModal() {
+            showSupplierFormModal(null);
+        }
+
+        async function openEditModal(id) {
+            try {
+                const result = await api.getSupplier(id);
+                if (result.success && result.data) {
+                    showSupplierFormModal(result.data);
+                } else {
+                    showNotification('Impossibile caricare il fornitore.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        function showSupplierFormModal(supplier) {
+            const isEdit = !!supplier;
+            const title = isEdit ? 'Modifica Fornitore' : 'Nuovo Fornitore';
+
+            const criticalityOptions = Object.entries(CRITICALITY_LABELS).map(([val, label]) =>
+                `<option value="${val}" ${supplier && supplier.criticality === val ? 'selected' : ''}>${label}</option>`
+            ).join('');
+
+            const content = `
+                <form id="supplier-form" onsubmit="return false;">
+                    <div class="form-row" style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Nome Fornitore <span class="required">*</span></label>
+                            <input type="text" class="form-input" id="form-name" value="${isEdit ? escapeHtml(supplier.name) : ''}" required placeholder="Nome dell'azienda">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Partita IVA</label>
+                            <input type="text" class="form-input" id="form-vat" value="${isEdit && supplier.vat_number ? escapeHtml(supplier.vat_number) : ''}" placeholder="IT01234567890">
+                        </div>
+                    </div>
+                    <div class="form-row" style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Referente</label>
+                            <input type="text" class="form-input" id="form-contact-name" value="${isEdit && supplier.contact_name ? escapeHtml(supplier.contact_name) : ''}" placeholder="Nome e cognome">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Email Contatto</label>
+                            <input type="email" class="form-input" id="form-contact-email" value="${isEdit && supplier.contact_email ? escapeHtml(supplier.contact_email) : ''}" placeholder="email@azienda.it">
+                        </div>
+                    </div>
+                    <div class="form-row" style="display:grid;grid-template-columns:2fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Tipo Servizio <span class="required">*</span></label>
+                            <input type="text" class="form-input" id="form-service-type" value="${isEdit && supplier.service_type ? escapeHtml(supplier.service_type) : ''}" required placeholder="es. Cloud Hosting, Sviluppo SW, Consulenza">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Criticita'</label>
+                            <select class="form-select" id="form-criticality">
+                                ${criticalityOptions}
+                            </select>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Descrizione Servizio</label>
+                        <textarea class="form-textarea" id="form-service-desc" rows="3" placeholder="Descrivi il servizio fornito...">${isEdit && supplier.service_description ? escapeHtml(supplier.service_description) : ''}</textarea>
+                    </div>
+                    <div class="form-row" style="display:grid;grid-template-columns:1fr 1fr;gap:16px;">
+                        <div class="form-group">
+                            <label class="form-label">Inizio Contratto</label>
+                            <input type="date" class="form-input" id="form-contract-start" value="${isEdit && supplier.contract_start_date ? supplier.contract_start_date.substring(0, 10) : ''}">
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label">Scadenza Contratto</label>
+                            <input type="date" class="form-input" id="form-contract-expiry" value="${isEdit && supplier.contract_expiry_date ? supplier.contract_expiry_date.substring(0, 10) : ''}">
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Note</label>
+                        <textarea class="form-textarea" id="form-notes" rows="3" placeholder="Note aggiuntive...">${isEdit && supplier.notes ? escapeHtml(supplier.notes) : ''}</textarea>
+                    </div>
+                </form>
+            `;
+
+            showModal(title, content, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="saveSupplier(${isEdit ? supplier.id : 'null'})">${isEdit ? 'Salva Modifiche' : 'Aggiungi Fornitore'}</button>
+                `
+            });
+        }
+
+        async function saveSupplier(id) {
+            const name = document.getElementById('form-name').value.trim();
+            const serviceType = document.getElementById('form-service-type').value.trim();
+
+            if (!name) {
+                showNotification('Il nome del fornitore e\' obbligatorio.', 'warning');
+                return;
+            }
+            if (!serviceType) {
+                showNotification('Il tipo di servizio e\' obbligatorio.', 'warning');
+                return;
+            }
+
+            const data = {
+                name: name,
+                vat_number: document.getElementById('form-vat').value.trim() || null,
+                contact_email: document.getElementById('form-contact-email').value.trim() || null,
+                contact_name: document.getElementById('form-contact-name').value.trim() || null,
+                service_type: serviceType,
+                service_description: document.getElementById('form-service-desc').value.trim() || null,
+                criticality: document.getElementById('form-criticality').value,
+                contract_start_date: document.getElementById('form-contract-start').value || null,
+                contract_expiry_date: document.getElementById('form-contract-expiry').value || null,
+                notes: document.getElementById('form-notes').value.trim() || null,
+            };
+
+            try {
+                let result;
+                if (id) {
+                    result = await api.updateSupplier(id, data);
+                } else {
+                    result = await api.createSupplier(data);
+                }
+
+                if (result.success) {
+                    closeModal();
+                    showNotification(id ? 'Fornitore aggiornato con successo.' : 'Fornitore aggiunto con successo.', 'success');
+                    loadSuppliers();
+                    if (currentView === 'detail' && id) {
+                        viewSupplier(id);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Assessment Modal ────────────────────────────────────
+        let assessmentAnswers = {};
+
+        function openAssessmentModal(supplierId) {
+            assessmentAnswers = {};
+
+            let questionsHtml = '';
+            ASSESSMENT_QUESTIONS.forEach((q, idx) => {
+                questionsHtml += `
+                    <div class="assessment-question">
+                        <div class="assessment-question-text">${idx + 1}. ${escapeHtml(q.text)}</div>
+                        <div class="assessment-options">
+                            <span class="assessment-option" data-q="${q.id}" data-val="yes" onclick="selectAnswer('${q.id}', 'yes', this)">Si'</span>
+                            <span class="assessment-option" data-q="${q.id}" data-val="partial" onclick="selectAnswer('${q.id}', 'partial', this)">Parziale</span>
+                            <span class="assessment-option" data-q="${q.id}" data-val="no" onclick="selectAnswer('${q.id}', 'no', this)">No</span>
+                        </div>
+                    </div>
+                `;
+            });
+
+            const content = `
+                <p style="margin-bottom:16px;font-size:0.9rem;color:var(--gray-600);">
+                    Rispondi alle domande per valutare il livello di sicurezza del fornitore.
+                    Il punteggio di rischio verra' calcolato automaticamente.
+                </p>
+                <div id="assessment-questions">
+                    ${questionsHtml}
+                </div>
+                <div class="assessment-score-preview" id="assessment-score-preview">
+                    <div class="score-label">Score Rischio Calcolato</div>
+                    <div class="score-val" id="assessment-live-score" style="color:var(--gray-300);">--</div>
+                </div>
+            `;
+
+            showModal('Valutazione Fornitore', content, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="submitAssessment(${supplierId})">Salva Valutazione</button>
+                `
+            });
+        }
+
+        function selectAnswer(questionId, value, el) {
+            // Remove selected from siblings
+            const parent = el.parentElement;
+            parent.querySelectorAll('.assessment-option').forEach(opt => {
+                opt.classList.remove('selected', 'selected-partial', 'selected-no');
+            });
+
+            // Add selected class
+            if (value === 'yes') {
+                el.classList.add('selected');
+            } else if (value === 'partial') {
+                el.classList.add('selected-partial');
+            } else {
+                el.classList.add('selected-no');
+            }
+
+            // Store answer
+            const question = ASSESSMENT_QUESTIONS.find(q => q.id === questionId);
+            assessmentAnswers[questionId] = {
+                id: questionId,
+                value: value,
+                weight: question ? question.weight : 1
+            };
+
+            // Update live score
+            updateLiveScore();
+        }
+
+        function updateLiveScore() {
+            const answers = Object.values(assessmentAnswers);
+            if (answers.length === 0) {
+                document.getElementById('assessment-live-score').textContent = '--';
+                document.getElementById('assessment-live-score').style.color = 'var(--gray-300)';
+                return;
+            }
+
+            let totalScore = 0;
+            let totalWeight = 0;
+
+            answers.forEach(a => {
+                const weight = a.weight || 1;
+                let val = 0;
+                if (a.value === 'yes') val = 100;
+                else if (a.value === 'partial') val = 50;
+                totalScore += val * weight;
+                totalWeight += 100 * weight;
+            });
+
+            const score = totalWeight > 0 ? Math.round(totalScore / totalWeight * 100) : 0;
+            const scoreEl = document.getElementById('assessment-live-score');
+            scoreEl.textContent = score + '/100';
+            scoreEl.style.color = getScoreColor(score);
+        }
+
+        async function submitAssessment(supplierId) {
+            const answers = Object.values(assessmentAnswers);
+            if (answers.length === 0) {
+                showNotification('Rispondi ad almeno una domanda prima di salvare.', 'warning');
+                return;
+            }
+
+            try {
+                const result = await api.assessSupplier(supplierId, {
+                    assessment_responses: answers
+                });
+
+                if (result.success) {
+                    closeModal();
+                    const score = result.data?.risk_score;
+                    showNotification(
+                        'Valutazione completata. Score: ' + (score != null ? score + '/100' : 'N/D'),
+                        'success'
+                    );
+                    loadSuppliers();
+                    if (currentView === 'detail') {
+                        viewSupplier(supplierId);
+                    }
+                } else {
+                    showNotification(result.message || 'Errore nel salvataggio della valutazione.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Init ────────────────────────────────────────────────
+        loadSuppliers();
+    </script>
+</body>
+</html>
diff --git a/public/training.html b/public/training.html
new file mode 100644
index 0000000..f4e4ec6
--- /dev/null
+++ b/public/training.html
@@ -0,0 +1,725 @@
+<!DOCTYPE html>
+<html lang="it">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Formazione - NIS2 Agile</title>
+    <link rel="stylesheet" href="/nis2/css/style.css">
+    <style>
+        /* ── Tab Navigation ─────────────────────────────────────── */
+        .tab-nav {
+            display: flex;
+            gap: 0;
+            border-bottom: 2px solid var(--gray-200);
+            margin-bottom: 24px;
+        }
+        .tab-nav button {
+            padding: 12px 24px;
+            background: none;
+            border: none;
+            border-bottom: 2px solid transparent;
+            margin-bottom: -2px;
+            color: var(--gray-500);
+            font-size: 0.9rem;
+            font-weight: 500;
+            cursor: pointer;
+            transition: all var(--transition-fast);
+        }
+        .tab-nav button:hover {
+            color: var(--gray-700);
+            background: var(--gray-50);
+        }
+        .tab-nav button.active {
+            color: var(--primary);
+            border-bottom-color: var(--primary);
+        }
+        .tab-panel { display: none; }
+        .tab-panel.active { display: block; }
+
+        /* ── Course Cards Grid ──────────────────────────────────── */
+        .courses-grid {
+            display: grid;
+            grid-template-columns: repeat(auto-fill, minmax(320px, 1fr));
+            gap: 20px;
+        }
+        .course-card {
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            box-shadow: var(--card-shadow);
+            padding: 20px;
+            transition: box-shadow var(--transition);
+            position: relative;
+            display: flex;
+            flex-direction: column;
+        }
+        .course-card:hover {
+            box-shadow: var(--card-shadow-hover);
+        }
+        .course-card-header {
+            display: flex;
+            justify-content: space-between;
+            align-items: flex-start;
+            margin-bottom: 12px;
+        }
+        .course-card-title {
+            font-size: 1rem;
+            font-weight: 600;
+            color: var(--gray-800);
+            margin: 0;
+        }
+        .course-card-desc {
+            font-size: 0.85rem;
+            color: var(--gray-500);
+            margin-bottom: 16px;
+            flex-grow: 1;
+            line-height: 1.5;
+        }
+        .course-card-meta {
+            display: flex;
+            flex-wrap: wrap;
+            gap: 8px;
+            align-items: center;
+            font-size: 0.8rem;
+        }
+        .course-meta-item {
+            display: inline-flex;
+            align-items: center;
+            gap: 4px;
+            color: var(--gray-500);
+            background: var(--gray-100);
+            padding: 4px 10px;
+            border-radius: 20px;
+        }
+        .course-meta-item svg { width: 14px; height: 14px; }
+        .badge-mandatory {
+            background: var(--danger-bg);
+            color: var(--danger);
+            font-weight: 600;
+            padding: 3px 10px;
+            border-radius: 20px;
+            font-size: 0.75rem;
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+        }
+
+        /* ── Assignments Table ──────────────────────────────────── */
+        .data-table {
+            width: 100%;
+            border-collapse: collapse;
+            background: var(--card-bg);
+            border-radius: var(--border-radius);
+            overflow: hidden;
+            box-shadow: var(--card-shadow);
+        }
+        .data-table thead {
+            background: var(--gray-50);
+        }
+        .data-table th {
+            text-align: left;
+            padding: 12px 16px;
+            font-size: 0.8rem;
+            font-weight: 600;
+            color: var(--gray-500);
+            text-transform: uppercase;
+            letter-spacing: 0.5px;
+            border-bottom: 1px solid var(--gray-200);
+        }
+        .data-table td {
+            padding: 12px 16px;
+            font-size: 0.875rem;
+            color: var(--gray-700);
+            border-bottom: 1px solid var(--gray-100);
+        }
+        .data-table tr:last-child td { border-bottom: none; }
+        .data-table tr:hover td { background: var(--gray-50); }
+
+        /* ── Status Badges ──────────────────────────────────────── */
+        .status-badge {
+            display: inline-flex;
+            align-items: center;
+            padding: 4px 12px;
+            border-radius: 20px;
+            font-size: 0.78rem;
+            font-weight: 500;
+            gap: 4px;
+        }
+        .status-badge.assigned { background: var(--gray-100); color: var(--gray-600); }
+        .status-badge.in_progress { background: var(--info-bg); color: var(--info); }
+        .status-badge.completed { background: var(--secondary-bg); color: var(--secondary); }
+        .status-badge.overdue { background: var(--danger-bg); color: var(--danger); }
+
+        /* ── Compliance Percentage Bar ──────────────────────────── */
+        .compliance-bar-container {
+            display: flex;
+            align-items: center;
+            gap: 10px;
+        }
+        .compliance-bar {
+            flex-grow: 1;
+            height: 8px;
+            background: var(--gray-200);
+            border-radius: 4px;
+            overflow: hidden;
+        }
+        .compliance-bar-fill {
+            height: 100%;
+            border-radius: 4px;
+            transition: width 0.3s ease;
+        }
+        .compliance-pct {
+            font-size: 0.85rem;
+            font-weight: 600;
+            min-width: 45px;
+            text-align: right;
+        }
+        .compliance-pct.high { color: var(--secondary); }
+        .compliance-pct.medium { color: var(--warning); }
+        .compliance-pct.low { color: var(--danger); }
+
+        /* ── Spinner/Loading ────────────────────────────────────── */
+        .loading-state {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .loading-state .spinner {
+            width: 32px;
+            height: 32px;
+            border: 3px solid var(--gray-200);
+            border-top-color: var(--primary);
+            border-radius: 50%;
+            animation: spin 0.8s linear infinite;
+            margin: 0 auto 12px;
+        }
+        @keyframes spin { to { transform: rotate(360deg); } }
+
+        /* ── Empty State ────────────────────────────────────────── */
+        .empty-state-box {
+            text-align: center;
+            padding: 48px 20px;
+            color: var(--gray-400);
+        }
+        .empty-state-box svg {
+            width: 48px;
+            height: 48px;
+            margin-bottom: 12px;
+            opacity: 0.5;
+        }
+        .empty-state-box h4 {
+            color: var(--gray-600);
+            margin-bottom: 4px;
+        }
+
+        /* ── Responsive ─────────────────────────────────────────── */
+        @media (max-width: 768px) {
+            .courses-grid { grid-template-columns: 1fr; }
+            .tab-nav button { padding: 10px 14px; font-size: 0.82rem; }
+            .data-table { font-size: 0.8rem; }
+        }
+    </style>
+</head>
+<body>
+    <div class="app-layout">
+        <aside class="sidebar" id="sidebar"></aside>
+
+        <main class="main-content">
+            <header class="content-header">
+                <h2>Formazione</h2>
+                <div class="content-header-actions">
+                    <span class="text-muted" style="font-size:0.8rem; margin-right:8px;">Art. 20 NIS2</span>
+                    <button class="btn btn-primary" onclick="showCreateCourseModal()">+ Nuovo Corso</button>
+                </div>
+            </header>
+
+            <div class="content-body">
+                <!-- Tab Navigation -->
+                <div class="tab-nav">
+                    <button class="active" onclick="switchTab('courses', this)">Corsi</button>
+                    <button onclick="switchTab('assignments', this)">Le Mie Assegnazioni</button>
+                    <button onclick="switchTab('compliance', this)">Compliance Formativa</button>
+                </div>
+
+                <!-- Tab: Corsi -->
+                <div class="tab-panel active" id="tab-courses">
+                    <div class="courses-grid" id="courses-grid">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento corsi...</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: Le Mie Assegnazioni -->
+                <div class="tab-panel" id="tab-assignments">
+                    <div id="assignments-container">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento assegnazioni...</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Tab: Compliance Formativa -->
+                <div class="tab-panel" id="tab-compliance">
+                    <div style="display:flex; justify-content:flex-end; margin-bottom:16px;">
+                        <button class="btn btn-primary" onclick="showAssignCourseModal()">Assegna Corso</button>
+                    </div>
+                    <div id="compliance-container">
+                        <div class="loading-state">
+                            <div class="spinner"></div>
+                            <p>Caricamento dati compliance...</p>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </main>
+    </div>
+
+    <script src="/nis2/js/api.js"></script>
+    <script src="/nis2/js/common.js"></script>
+    <script>
+        // ── Auth & Init ─────────────────────────────────────────
+        if (!checkAuth()) throw new Error('Not authenticated');
+        loadSidebar();
+
+        // ── Labels ──────────────────────────────────────────────
+        const roleLabels = {
+            all: 'Tutti',
+            board_member: 'Organi di Gestione',
+            compliance_manager: 'Compliance Manager',
+            employee: 'Dipendente',
+            technical: 'Tecnico'
+        };
+
+        const statusLabels = {
+            assigned: 'Assegnato',
+            in_progress: 'In Corso',
+            completed: 'Completato',
+            overdue: 'Scaduto'
+        };
+
+        // ── State ───────────────────────────────────────────────
+        let allCourses = [];
+        let allAssignments = [];
+        let allCompliance = [];
+
+        // ── Tab Switch ──────────────────────────────────────────
+        function switchTab(tabId, btn) {
+            document.querySelectorAll('.tab-nav button').forEach(b => b.classList.remove('active'));
+            document.querySelectorAll('.tab-panel').forEach(p => p.classList.remove('active'));
+            btn.classList.add('active');
+            document.getElementById('tab-' + tabId).classList.add('active');
+
+            if (tabId === 'courses' && allCourses.length === 0) loadCourses();
+            if (tabId === 'assignments') loadAssignments();
+            if (tabId === 'compliance') loadCompliance();
+        }
+
+        // ── Load Courses ────────────────────────────────────────
+        async function loadCourses() {
+            const container = document.getElementById('courses-grid');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento corsi...</p></div>';
+
+            try {
+                const result = await api.listCourses();
+                if (result.success && result.data) {
+                    allCourses = result.data;
+                    renderCourses(allCourses);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4><p>' + escapeHtml(result.message || '') + '</p></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4><p>Impossibile caricare i corsi.</p></div>';
+            }
+        }
+
+        function renderCourses(courses) {
+            const container = document.getElementById('courses-grid');
+
+            if (!courses || courses.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box" style="grid-column: 1/-1;">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M10.394 2.08a1 1 0 00-.788 0l-7 3a1 1 0 000 1.84L5.25 8.051a.999.999 0 01.356-.257l4-1.714a1 1 0 11.788 1.838L7.667 9.088l1.94.831a1 1 0 00.787 0l7-3a1 1 0 000-1.838l-7-3z"/></svg>
+                        <h4>Nessun corso disponibile</h4>
+                        <p>Crea il primo corso di formazione per iniziare.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = '';
+            courses.forEach(course => {
+                const mandatory = course.is_mandatory == 1;
+                html += `
+                    <div class="course-card">
+                        <div class="course-card-header">
+                            <h4 class="course-card-title">${escapeHtml(course.title)}</h4>
+                            ${mandatory ? '<span class="badge-mandatory">Obbligatorio</span>' : ''}
+                        </div>
+                        <p class="course-card-desc">${escapeHtml(course.description || 'Nessuna descrizione disponibile.')}</p>
+                        <div class="course-card-meta">
+                            ${course.duration_minutes ? `
+                                <span class="course-meta-item">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm1-12a1 1 0 10-2 0v4a1 1 0 00.293.707l2.828 2.829a1 1 0 101.415-1.415L11 9.586V6z" clip-rule="evenodd"/></svg>
+                                    ${course.duration_minutes} min
+                                </span>
+                            ` : ''}
+                            <span class="course-meta-item">
+                                <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                                ${roleLabels[course.target_role] || course.target_role || 'Tutti'}
+                            </span>
+                            ${course.nis2_article ? `
+                                <span class="course-meta-item">
+                                    <svg viewBox="0 0 20 20" fill="currentColor"><path fill-rule="evenodd" d="M4 4a2 2 0 012-2h4.586A2 2 0 0112 2.586L15.414 6A2 2 0 0116 7.414V16a2 2 0 01-2 2H6a2 2 0 01-2-2V4z" clip-rule="evenodd"/></svg>
+                                    Art. ${escapeHtml(course.nis2_article)}
+                                </span>
+                            ` : ''}
+                            ${course.passing_score ? `
+                                <span class="course-meta-item">
+                                    Soglia: ${course.passing_score}%
+                                </span>
+                            ` : ''}
+                        </div>
+                    </div>`;
+            });
+
+            container.innerHTML = html;
+        }
+
+        // ── Create Course Modal ─────────────────────────────────
+        function showCreateCourseModal() {
+            const roleOptions = Object.entries(roleLabels).map(([val, label]) =>
+                `<option value="${val}">${label}</option>`
+            ).join('');
+
+            showModal('Nuovo Corso di Formazione', `
+                <div class="form-group">
+                    <label class="form-label">Titolo *</label>
+                    <input type="text" class="form-input" id="course-title" placeholder="Es: Fondamenti Cybersecurity NIS2" required>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Descrizione</label>
+                    <textarea class="form-input" id="course-description" rows="3" placeholder="Descrizione del corso..."></textarea>
+                </div>
+                <div style="display:grid; grid-template-columns:1fr 1fr; gap:16px;">
+                    <div class="form-group">
+                        <label class="form-label">Ruolo Destinatario</label>
+                        <select class="form-select" id="course-target-role">${roleOptions}</select>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Durata (minuti)</label>
+                        <input type="number" class="form-input" id="course-duration" min="1" placeholder="60">
+                    </div>
+                </div>
+                <div style="display:grid; grid-template-columns:1fr 1fr; gap:16px;">
+                    <div class="form-group">
+                        <label class="form-label">Articolo NIS2</label>
+                        <input type="text" class="form-input" id="course-nis2-article" placeholder="Es: Art. 20">
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label">Punteggio Minimo (%)</label>
+                        <input type="number" class="form-input" id="course-passing-score" min="0" max="100" value="70">
+                    </div>
+                </div>
+                <div class="form-group" style="margin-top:8px;">
+                    <label style="display:flex; align-items:center; gap:8px; cursor:pointer;">
+                        <input type="checkbox" id="course-mandatory">
+                        <span class="form-label" style="margin:0;">Corso obbligatorio</span>
+                    </label>
+                </div>
+            `, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="createCourse()">Crea Corso</button>
+                `
+            });
+        }
+
+        async function createCourse() {
+            const title = document.getElementById('course-title').value.trim();
+            if (!title) {
+                showNotification('Il titolo e\' obbligatorio.', 'warning');
+                return;
+            }
+
+            const data = {
+                title: title,
+                description: document.getElementById('course-description').value.trim(),
+                target_role: document.getElementById('course-target-role').value,
+                is_mandatory: document.getElementById('course-mandatory').checked ? 1 : 0,
+                duration_minutes: parseInt(document.getElementById('course-duration').value) || null,
+                nis2_article: document.getElementById('course-nis2-article').value.trim() || null,
+                passing_score: parseInt(document.getElementById('course-passing-score').value) || 70,
+            };
+
+            closeModal();
+            showNotification('Creazione corso in corso...', 'info');
+
+            try {
+                const result = await api.post('/training/courses', data);
+                if (result.success) {
+                    showNotification('Corso creato con successo!', 'success');
+                    loadCourses();
+                } else {
+                    showNotification(result.message || 'Errore nella creazione del corso.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Load Assignments ────────────────────────────────────
+        async function loadAssignments() {
+            const container = document.getElementById('assignments-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento assegnazioni...</p></div>';
+
+            try {
+                const result = await api.getMyTraining();
+                if (result.success && result.data) {
+                    allAssignments = result.data;
+                    renderAssignments(allAssignments);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderAssignments(assignments) {
+            const container = document.getElementById('assignments-container');
+
+            if (!assignments || assignments.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 2a1 1 0 000 2h2a1 1 0 100-2H9z"/><path fill-rule="evenodd" d="M4 5a2 2 0 012-2 3 3 0 003 3h2a3 3 0 003-3 2 2 0 012 2v11a2 2 0 01-2 2H6a2 2 0 01-2-2V5z" clip-rule="evenodd"/></svg>
+                        <h4>Nessuna assegnazione</h4>
+                        <p>Non hai ancora corsi assegnati.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Corso</th>
+                            <th>Stato</th>
+                            <th>Scadenza</th>
+                            <th>Punteggio Quiz</th>
+                            <th>Azioni</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            assignments.forEach(a => {
+                const isOverdue = a.due_date && new Date(a.due_date) < new Date() && a.status !== 'completed';
+                const displayStatus = isOverdue ? 'overdue' : a.status;
+
+                let actionBtn = '';
+                if (displayStatus === 'assigned' || displayStatus === 'overdue') {
+                    actionBtn = `<button class="btn btn-primary btn-sm" onclick="updateAssignment(${a.id}, 'in_progress')">Inizia</button>`;
+                } else if (displayStatus === 'in_progress') {
+                    actionBtn = `<button class="btn btn-primary btn-sm" onclick="updateAssignment(${a.id}, 'completed')">Completa</button>`;
+                } else {
+                    actionBtn = `<span style="color:var(--secondary); font-weight:500; font-size:0.85rem;">Completato</span>`;
+                }
+
+                html += `
+                    <tr>
+                        <td>
+                            <div style="font-weight:500;">${escapeHtml(a.title || '')}</div>
+                            ${a.is_mandatory == 1 ? '<span style="font-size:0.75rem; color:var(--danger);">Obbligatorio</span>' : ''}
+                        </td>
+                        <td><span class="status-badge ${displayStatus}">${statusLabels[displayStatus] || displayStatus}</span></td>
+                        <td>${a.due_date ? formatDate(a.due_date) : '-'}</td>
+                        <td>${a.quiz_score != null ? a.quiz_score + '%' : '-'}</td>
+                        <td>${actionBtn}</td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        async function updateAssignment(id, status) {
+            try {
+                const result = await api.put(`/training/assignments/${id}`, { status: status });
+                if (result.success) {
+                    const msg = status === 'in_progress' ? 'Corso iniziato!' : 'Corso completato!';
+                    showNotification(msg, 'success');
+                    loadAssignments();
+                } else {
+                    showNotification(result.message || 'Errore nell\'aggiornamento.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Load Compliance Status ──────────────────────────────
+        async function loadCompliance() {
+            const container = document.getElementById('compliance-container');
+            container.innerHTML = '<div class="loading-state"><div class="spinner"></div><p>Caricamento dati compliance...</p></div>';
+
+            try {
+                const result = await api.getTrainingCompliance();
+                if (result.success && result.data) {
+                    allCompliance = result.data;
+                    renderCompliance(allCompliance);
+                } else {
+                    container.innerHTML = '<div class="empty-state-box"><h4>Errore nel caricamento</h4></div>';
+                }
+            } catch (e) {
+                container.innerHTML = '<div class="empty-state-box"><h4>Errore di connessione</h4></div>';
+            }
+        }
+
+        function renderCompliance(members) {
+            const container = document.getElementById('compliance-container');
+
+            if (!members || members.length === 0) {
+                container.innerHTML = `
+                    <div class="empty-state-box">
+                        <svg viewBox="0 0 20 20" fill="currentColor"><path d="M9 6a3 3 0 11-6 0 3 3 0 016 0zM17 6a3 3 0 11-6 0 3 3 0 016 0zM12.93 17c.046-.327.07-.66.07-1a6.97 6.97 0 00-1.5-4.33A5 5 0 0119 16v1h-6.07zM6 11a5 5 0 015 5v1H1v-1a5 5 0 015-5z"/></svg>
+                        <h4>Nessun membro trovato</h4>
+                        <p>Nessun membro dell\'organizzazione trovato.</p>
+                    </div>`;
+                return;
+            }
+
+            let html = `
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Nome</th>
+                            <th>Email</th>
+                            <th>Ruolo</th>
+                            <th>Corsi Completati</th>
+                            <th>% Compliance Obbligatoria</th>
+                        </tr>
+                    </thead>
+                    <tbody>`;
+
+            members.forEach(m => {
+                const assignments = m.assignments || [];
+                const completed = assignments.filter(a => a.status === 'completed').length;
+                const total = assignments.length;
+                const pct = m.mandatory_compliance != null ? m.mandatory_compliance : 100;
+                const pctClass = pct >= 80 ? 'high' : pct >= 50 ? 'medium' : 'low';
+                const barColor = pct >= 80 ? 'var(--secondary)' : pct >= 50 ? 'var(--warning)' : 'var(--danger)';
+
+                html += `
+                    <tr>
+                        <td style="font-weight:500;">${escapeHtml(m.full_name || '-')}</td>
+                        <td>${escapeHtml(m.email || '-')}</td>
+                        <td>${escapeHtml(m.role || '-')}</td>
+                        <td>${completed} / ${total}</td>
+                        <td>
+                            <div class="compliance-bar-container">
+                                <div class="compliance-bar">
+                                    <div class="compliance-bar-fill" style="width:${pct}%; background:${barColor};"></div>
+                                </div>
+                                <span class="compliance-pct ${pctClass}">${pct}%</span>
+                            </div>
+                        </td>
+                    </tr>`;
+            });
+
+            html += '</tbody></table>';
+            container.innerHTML = html;
+        }
+
+        // ── Assign Course Modal ─────────────────────────────────
+        async function showAssignCourseModal() {
+            // Load courses if not already loaded
+            if (allCourses.length === 0) {
+                try {
+                    const result = await api.listCourses();
+                    if (result.success && result.data) {
+                        allCourses = result.data;
+                    }
+                } catch (e) { /* ignore */ }
+            }
+
+            if (allCourses.length === 0) {
+                showNotification('Nessun corso disponibile. Crea prima un corso.', 'warning');
+                return;
+            }
+
+            const courseOptions = allCourses.map(c =>
+                `<option value="${c.id}">${escapeHtml(c.title)}</option>`
+            ).join('');
+
+            // Load members for selection
+            let membersHtml = '<p class="text-muted">Caricamento membri...</p>';
+            if (allCompliance.length > 0) {
+                membersHtml = allCompliance.map(m => `
+                    <label style="display:flex; align-items:center; gap:8px; padding:6px 0; cursor:pointer;">
+                        <input type="checkbox" class="assign-user-cb" value="${m.id}">
+                        <span>${escapeHtml(m.full_name || m.email)}</span>
+                        <span style="color:var(--gray-400); font-size:0.8rem;">(${escapeHtml(m.role || '')})</span>
+                    </label>
+                `).join('');
+            }
+
+            showModal('Assegna Corso', `
+                <div class="form-group">
+                    <label class="form-label">Corso</label>
+                    <select class="form-select" id="assign-course-id">${courseOptions}</select>
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Scadenza</label>
+                    <input type="date" class="form-input" id="assign-due-date">
+                </div>
+                <div class="form-group">
+                    <label class="form-label">Seleziona Utenti</label>
+                    <div style="max-height:200px; overflow-y:auto; border:1px solid var(--gray-200); border-radius:var(--border-radius-sm); padding:8px 12px;">
+                        ${membersHtml}
+                    </div>
+                </div>
+            `, {
+                size: 'lg',
+                footer: `
+                    <button class="btn btn-secondary" onclick="closeModal()">Annulla</button>
+                    <button class="btn btn-primary" onclick="doAssignCourse()">Assegna</button>
+                `
+            });
+        }
+
+        async function doAssignCourse() {
+            const courseId = document.getElementById('assign-course-id').value;
+            const dueDate = document.getElementById('assign-due-date').value || null;
+            const checkboxes = document.querySelectorAll('.assign-user-cb:checked');
+            const userIds = Array.from(checkboxes).map(cb => parseInt(cb.value));
+
+            if (userIds.length === 0) {
+                showNotification('Seleziona almeno un utente.', 'warning');
+                return;
+            }
+
+            closeModal();
+            showNotification('Assegnazione in corso...', 'info');
+
+            try {
+                const result = await api.post('/training/assign', {
+                    course_id: parseInt(courseId),
+                    user_ids: userIds,
+                    due_date: dueDate
+                });
+                if (result.success) {
+                    showNotification(result.message || 'Corso assegnato con successo!', 'success');
+                    loadCompliance();
+                } else {
+                    showNotification(result.message || 'Errore nell\'assegnazione.', 'error');
+                }
+            } catch (e) {
+                showNotification('Errore di connessione.', 'error');
+            }
+        }
+
+        // ── Initial Load ────────────────────────────────────────
+        loadCourses();
+    </script>
+</body>
+</html>