diff --git a/pynitrokey/cli/nethsm.py b/pynitrokey/cli/nethsm.py
index a7d730b6..524121fb 100644
--- a/pynitrokey/cli/nethsm.py
+++ b/pynitrokey/cli/nethsm.py
@@ -21,7 +21,7 @@
 import click
 import nethsm as nethsm_sdk
 from click import Context
-from nethsm import Authentication, Base64, NetHSM
+from nethsm import Authentication, Base64, NetHSM, State
 from nethsm.backup import EncryptedBackup
 
 from pynitrokey.cli.exceptions import CliException
@@ -1416,6 +1416,13 @@ def restore(
             )
 
     with connect(ctx, require_auth=False) as nethsm:
+        state = nethsm.get_state()
+        if state == State.UNPROVISIONED:
+            require_auth = False
+        elif state == State.OPERATIONAL:
+            require_auth = True
+
+    with connect(ctx, require_auth=require_auth) as nethsm:
         with open(filename, "rb") as f:
             nethsm.restore(data, backup_passphrase, system_time)
         print(f"Backup restored on NetHSM {nethsm.host}")