diff --git a/backend/core/templates/index.html b/backend/core/templates/index.html index 2166deb..f2dadf8 100644 --- a/backend/core/templates/index.html +++ b/backend/core/templates/index.html @@ -707,6 +707,76 @@ While performing assessments at all three tiers is a best practice, it's important to note that a deep-dive analysis at Tiers 2 and 3 is advised for robust security but not explicitly mandated by the NIS2 Directive. Your primary responsibility is to ensure that risks to all essential and important services are identified and managed effectively, using the Tier 1 analysis as your foundation. + +
+ +
+ There is no official "NIS2 certification." Instead, you need to show that you meet the law's requirements. A good way to do this is by using an existing international framework, like ISO 27001 or the NIST Cybersecurity Framework. These standards are well established and cover about 80% of what NIS2 requires. You will still need to address the specific requirements of NIS2, like providing cybersecurity training for your management board. The most important thing is to prove you have a risk based approach to security. +
+
+ +
+ +
+ Enforcement will happen in two ways. The first is reactive. If your company has a significant security incident, you must report it. The authorities will then investigate and ask for proof of your security measures. The second is proactive. Authorities will conduct audits and inspections. They will likely start with the most essential entities and then expand their checks over time. This approach is similar to how GDPR was rolled out, with fines starting small and increasing after a couple of years. +
+
+ +
+ +
+ Based on our conversations with authorities, they will likely ask for proof of a few key security practices. They will want to see that you use multi factor authentication (MFA). They will also check your backup and recovery procedures. Finally, they will look at your process for patching and updating systems. +
+
+ +
+ +
+ The directive sets the maximum possible fines. For "essential" entities, fines can be up to 10 million euros or 2% of the company's total global turnover, whichever is higher. For "important" entities, it is up to 7 million euros or 1.4% of turnover, whichever is higher. Keep in mind these are maximums. Most countries will have a tiered system that starts with warnings before issuing large fines. +
+
+ +
+ +
+ Beyond avoiding fines, there are real business advantages. Being compliant can be a market differentiator that helps you win clients who care about security. For some industries, it’s becoming a "license to operate." For example, some governments will only buy from suppliers who can prove they are NIS2 compliant. Most importantly, these rules are based on good security practices that protect your business from data theft, financial loss, and reputational damage. +
+
+ +
+ +
+ Yes, each legal entity has to follow the local laws in the country where it operates. However, because all these national laws are based on the same EU directive, they are very similar. The best strategy is to create one central set of security policies at the headquarters that is strong enough to meet the requirements of all the different countries. This creates a consistent, high standard across your entire organization. +
+
+ +
+ +
+ ENISA, the EU's cybersecurity agency, has a website that tracks the status of each country. These online trackers can sometimes be out of date, though. For the most current information, you can work with a cybersecurity or legal partner. You can also contact your country's national authority directly. They are there to help, not to be an adversary. +
+
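Review bot: The fines paragraph ("The directive sets the maximum possible fines ... up to 10 million euros or 2% ...") overstates what NIS2 fixes. Article 34 of the Directive requires Member States to provide for administrative fines "of a maximum of at least" EUR 10 000 000 / 2% (essential) and EUR 7 000 000 / 1.4% (important) of the total worldwide annual turnover in the preceding financial year of the undertaking the entity belongs to, so these are floors on the national maximum, not caps, and national transpositions may go higher; suggest "at least up to" wording and "turnover of the group the entity belongs to". Two other statements in the hunk are presented as fact without support and should be attributed or hedged: the claim that ISO 27001 / NIST CSF "cover about 80% of what NIS2 requires" (no source given) and "they will likely ask for proof of ... MFA ... backup ... patching" (based on unnamed conversations; say so in the text, e.g. "in our experience"). The GDPR comparison ("fines starting small and increasing after a couple of years") is speculation about future enforcement and should be labelled as such. Minor: "risk based" and "multi factor" should be hyphenated ("risk-based", "multi-factor"), and the ENISA paragraph would be more useful with a link to the tracker it refers to.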