diff --git a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
index 3bc8da548..b9433549d 100644
--- a/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
+++ b/cloudplatform/connectivity-ztis/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/ZeroTrustIdentityService.java
@@ -47,6 +47,7 @@ public class ZeroTrustIdentityService
 {
 static final ServiceIdentifier ZTIS_IDENTIFIER = ServiceIdentifier.of("zero-trust-identity");
 private static final String DEFAULT_SOCKET_PATH = "unix:///tmp/spire-agent/public/api.sock";
+ private static final String SOCKET_ENVIRONMENT_VARIABLE = "SPIFFE_ENDPOINT_SOCKET";
 private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(10);
 @Getter
 private static final ZeroTrustIdentityService instance = new ZeroTrustIdentityService();
@@ -105,17 +106,16 @@ X509Source initX509Source()
 return new FileSystemX509Source();
 }
+ final String socketPath = Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).getOrElse(DEFAULT_SOCKET_PATH);
+ log.info("Using socket path {} for ZTIS agent.", socketPath);
+
 final X509SourceOptions x509SourceOptions =
- X509SourceOptions
- .builder()
- .spiffeSocketPath(DEFAULT_SOCKET_PATH)
- .initTimeout(DEFAULT_SOCKET_TIMEOUT)
- .build();
+ X509SourceOptions.builder().spiffeSocketPath(socketPath).initTimeout(DEFAULT_SOCKET_TIMEOUT).build();
 try {
 return DefaultX509Source.newSource(x509SourceOptions);
 }
 catch( final Exception e ) {
- throw new CloudPlatformException("Failed to load the certificate from the default unix socket.", e);
+ throw new CloudPlatformException("Failed to load the certificate from the unix socket: " + socketPath, e);
 }
 }
diff --git a/release_notes.md b/release_notes.md
index e150016a6..20ffb075e 100644
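Review bot: `SOCKET_ENVIRONMENT_VARIABLE` is added without any documentation of where its name comes from or how it relates to `DEFAULT_SOCKET_PATH` on the line above it, so a reader of the class has to find the release notes to learn that it is the well-known SPIFFE variable. A Javadoc such as `/** Well-known variable from the SPIFFE Workload Endpoint spec; when set, it takes precedence over {@link #DEFAULT_SOCKET_PATH}. */` above the new constant would record that on the declaration itself.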
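Review bot: The fallback on the added `socketPath` line only covers an unset variable, because `Option.of(System.getenv(...))` yields `Some("")` when `SPIFFE_ENDPOINT_SOCKET` is exported with an empty value, so an empty string is handed to `spiffeSocketPath` instead of the default; `Option.of(System.getenv(SOCKET_ENVIRONMENT_VARIABLE)).filter(s -> !s.isBlank()).getOrElse(DEFAULT_SOCKET_PATH)` would treat a blank value as absent. Whether `X509SourceOptions` or `DefaultX509Source.newSource` rejects a value that is not a `unix://` or `tcp://` URI, as the SPIFFE Workload Endpoint spec requires, is not visible here, so a malformed value presumably only surfaces through the catch block, which is why echoing the path in the exception message is useful. Since that spec also allows `tcp://` endpoints, the rewritten exception text still saying "unix socket" can be misleading; `"Failed to load the certificate from the SPIFFE workload endpoint: " + socketPath` would be accurate for both forms. `initX509Source()` starts outside the hunk.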
--- a/release_notes.md
+++ b/release_notes.md
@@ -12,7 +12,7 @@
 ### ✨ New Functionality
--
+- Add support for using the Zero Trust Identity Service (ZTIS) on Kyma by detecting the [well-known environment variable `SPIFFE_ENDPOINT_SOCKET`](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_Endpoint.md#4-locating-the-endpoint).
 ### 📈 Improvements