
Your Compiler Is Part Of Your Software Supply Chain
Executive Summary
The EU Cyber Resilience Act now requires manufacturers to know their software supply chain down to the component level, and your compiler is part of that chain, whether it is C, C++, Rust or Ada. Most teams still treat it as free infrastructure, which quietly transfers real risk onto your engineers: supply-chain gaps, unmonitored vulnerabilities, and certification work repeated every project. GNAT Pro from AdaCore moves that burden to a supported, accountable supplier. The key points:
- From risk to managed component: GNAT Pro turns an unmanaged compiler into a supported, evidenced part of your product, backed by a contractual counterparty.
- Cyber Resilience Act readiness: Built reproducibly and shipped with a complete SBOM for full supply-chain transparency.
- Vulnerability monitoring handled: AdaCore tracks and reports toolchain security issues, so your team doesn't have to.
- Managed risk: Known-problem reporting across versions, plus a commercial warranty and support obligations.
- Certification evidence you buy once: Qualification material for DO-178C, ISO 26262, EN 50128, and IEC 61508.
- Built for long lifecycles: Versions supported for years or decades.
- One accountable vendor: A coherent toolchain across C, C++, Ada, and Rust, with a single support contact.
Introduction
Most executives never think about which compiler their teams use. That is a serious blind spot in today's environment. The EU Cyber Resilience Act requires manufacturers to know their software supply chain down to the component level. Even beyond that regulation, who can support your team in case of problems or security incidents related to your compiler?
A free, community-maintained compiler answers none of these questions on its own; your team does, at your cost.
This is the business case for GNAT Pro from AdaCore: it converts the compiler from an unmanaged risk into a supplied, supported, and evidenced component of your product.
You Are Responsible for Quality
And the compiler is an important part of that quality. When you are asked, "What is in your product?" the honest answer includes the tools used to produce it. A miscompiled binary ships with your name, not the compiler community's. Customers may ask this question, and regulators will ask that question.
GNAT Pro is built in a fully reproducible, pristine build environment and ships with a complete, detailed Software Bill of Materials as well as attestation and certificates documenting the full traceability. More details are in this blog post. That means you know exactly what produced every binary you deliver. For organizations preparing for the Cyber Resilience Act, which imposes vulnerability-handling and supply-chain-transparency obligations on manufacturers, this is not a nice-to-have. It's documentation you would otherwise have to assemble yourself, for a toolchain you don't control.
The same logic applies to vulnerabilities. AdaCore monitors its toolchain for security issues and reports them to customers. With a community compiler, that monitoring job lands on your engineering team, or, more commonly, on no one.
You Can Manage Risk, If You Know Where It Resides
Every compiler has bugs. The difference between a managed risk and a latent one is whether you know which bugs affect your code. GNAT Pro includes known-problem reporting: AdaCore tracks defects across compiler versions and helps customers determine whether a known issue touches their codebase. That changes the conversation from "we hope the compiler is fine" to "we have assessed the known issues and here is the result", exactly the kind of statement safety assessors and customers want to hear.
Combine that with a commercial warranty and contractual support obligations, and you have something open source tools cannot provide by design: a counterparty. When something goes wrong shortly before a release, your team communicates directly with the engineers who built the compiler, not a mailing list, with a Service Level Agreement in place that defines exactly what you can expect.
Certification Evidence
If your products fall under functional safety standards such as DO-178C, ISO 26262, EN 50128, or IEC 61508, then your tools must be qualified or their outputs verified. Doing this in-house is expensive, slow, and must be repeated as toolchains evolve. This is not an activity that adds value to your product; it is a distraction to your team.
GNAT Pro has been used in projects certified under these standards, and AdaCore provides qualification material to support the certification process. That's months of effort and assessor risk converted into a procured artifact.
If you don't operate in regulated markets today, consider where your customers are heading. Certification evidence is increasingly a sales enabler, not just a compliance cost.
Long Lifecycles Are Where Free Tools Get Expensive
Open Source is a rapidly evolving space. New versions of compilers are released every year, and there is no ‘Long Term Support’ version. Embedded and industrial products live for 10–20 years. When the community compiler moves on, old versions stop receiving fixes. GNAT Pro versions can be supported for years, or decades, with targeted bug fixes and continued monitoring of known problems for the version you froze. You choose when to move; the toolchain doesn't force your hand mid-program.
The same applies to hardware. Porting and board support from the vendor means a processor change or RTOS migration is a scoped, supported activity rather than an open-ended internal project. GNAT Pro targets range from commercial RTOSes such as VxWorks and LynxOS-178 to embedded Linux and bare-metal.
Support Across Languages and Platforms
Many modern software systems are multilingual, and this trend will continue as projects gradually switch to memory-safe languages such as Ada SPARK or Rust. GNAT Pro provides support across C, C++, Ada, and Rust, with multi-language debugging, and a single support contact behind it all. The toolchain, compiler, linker, debugger, emulation, IDE integration, code coverage, and static analysis are provided by a single accountable vendor. That consolidation reduces integration friction, vendor management overhead, and finger-pointing when something breaks at a tool boundary.
Your Risk - Your Choice
GCC and Clang are great compilers. They generate efficient code, support the latest languages and features. The question to ask yourself is: who bears the toolchain risk for your long-lived, security-sensitive, or regulated program, your engineering team, or a supplier under contract?
If the answer today is "our team, implicitly, for free," consider three things: Do you have an SBOM for your toolchain? Who monitors the SBOM for vulnerabilities? How can you produce an SBOM if a customer or regulator asks for it? What would tool qualification cost you if a customer demanded it next quarter? And what additional value could your team deliver if they did not have to work on supporting the toolchain?
If those answers are uncomfortable, then it is time for action! Have a look at how AdaCore approaches Software Supply Chain evolution, and then reach out for a discussion.
Author
Mark Hermeling

Mark has over 25 years’ experience in software development tools for high-integrity, secure, embedded and real-time systems across automotive, aerospace, defence and industrial domains. As Head of Technical Marketing at AdaCore, he links technical capabilities to business value and is a regular author and speaker on on topics ranging from the software development lifecycle, DevSecOps to formal methods and software verification.





