Does your HSM2 track/log security-sensitive operations like exporting keys for backup, logging in to the admin interface, etc.?
Is login to the admin interface protected only by a PIN/password?
Couldn't admin login to the NK HSM2 be allowed only after authentication with an NK PRO2, or at least a FIDO2 token? Wouldn't that be more secure? Without such security measures I think the NK HSM2 is suitable only for keeping my workstation's private keys (provided I carry the HSM2 token with me all the time when I leave the computer, to prevent key export or reflashing), but for keeping server-side keys (like /etc/ssh/ssh_host_ecdsa_key) I would prefer an NK PRO2 over the HSM2, though it may look like a paradox at first glance.
I would prefer that the HSM2 keep a nonvolatile log of at least the latest 10 operations done, with timestamps at millisecond precision: at least a tick counter since the last token power-on, plus an offset equal to the latest previous timestamp, after which the operation was done. Also, a random number can be added to each row to make that row unique and protected against a repeated fake operation by someone else.
It would be nice if at least the timestamps and the types of actions done were stored inside the anti-tamper smart card somehow, borrowing space from a few key slots. Textual descriptions for the action type ids can already be stored in the USB firmware.
It would allow me to save a snapshot of the earlier HSM2 log to other places and later compare and verify that nobody except me logged into the admin interface and tampered with something without my knowledge.
It would be difficult to repeat all my actions in sync with my earlier saved log to millisecond precision.
Actually, I think the NK PRO2 may be more secure if it does not allow a silent export of the keys.
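The log format and snapshot check proposed in this post, modelled as an added Python example (not Nitrokey's code): each row carries the tick counter, the previous row's tick value, an action type id and a random nonce, and the owner's saved snapshot is compared against the current log to surface actions nobody else should have performed. The ring capacity, action ids and tick values are constructed, and a single power cycle is assumed so the tick counter never resets.

```python
import os
from dataclasses import dataclass
# Action type ids; the textual descriptions would live in the USB firmware.
ACTION_NAMES = {1: "admin login", 2: "key export for backup", 3: "firmware reflash"}

@dataclass(frozen=True)
class LogRow:
    ticks: int        # millisecond tick counter since the last token power-on
    prev_ticks: int   # tick value of the previous row (the "shift" in the proposal)
    action: int       # action type id, see ACTION_NAMES
    nonce: bytes      # random per-row value so an identical row cannot be replayed

class AuditLog:
    """Nonvolatile log that keeps only the latest `capacity` rows (constructed model,
    single power cycle so ticks never reset)."""
    def __init__(self, capacity=10):
        self.capacity = capacity
        self.rows = []

    def record(self, action, ticks):
        prev = self.rows[-1].ticks if self.rows else 0
        row = LogRow(ticks, prev, action, os.urandom(8))
        self.rows.append(row)
        del self.rows[:-self.capacity]  # oldest rows fall out of the ring
        return row

def check_chain(rows):
    """Each row must carry its predecessor's tick value and be strictly later."""
    for a, b in zip(rows, rows[1:]):
        if b.prev_ticks != a.ticks or b.ticks <= a.ticks:
            return False
    return True

def unknown_actions(snapshot, current):
    """Rows recorded after the owner's saved snapshot, or None when the device log
    no longer matches the snapshot (rotated past it, or tampered with)."""
    if not check_chain(current):
        return None
    if not snapshot:
        return list(current)
    last = snapshot[-1]
    if last not in current:
        return None
    i = current.index(last)
    if current[:i + 1] != snapshot[-(i + 1):]:
        return None
    return current[i + 1:]

def describe(rows):
    return [ACTION_NAMES.get(r.action, "unknown action %d" % r.action) for r in rows]
```

A `None` result means the saved snapshot can no longer be lined up with the device log, which is itself worth investigating, since a log rotated past the snapshot point hides whatever happened in between.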