I really don't think regulating espionage between member states is within the scope of the EU's objectives. Presumably, the Belgian government could make a complaint to the British government through the usual diplomatic channels. Introducing any sort of international sanctions would be a bit of an overreaction.
Spying on other memberstates in the EU parliament (indirectly in this case) violates the neutrality of the body governing the EU. It's a pretty big deal imho, but we'll see what the eventual fall-out will be.
Here is a good article (in Dutch) about the whole thing:
One key bit is that this is not just GHCQ working in isolation, the NSA also had a hand in it:
"Ze maken gebruik van een Amerikaanse techniek (Quantum Insert), ontwikkeld door een speciale afdeling van de NSA, om computers te hacken. Als iemand online gaat, wordt zijn internetverkeer vliegensvlug omgeleid naar een netwerkcomputer (of server) die de Amerikaanse geheime dienst stiekem controleert."
Which roughly translates to "They use a special American technique (Quantum Insert), developed by a special department of the NSA, to hack computers. If someone goes online their internettraffic is redirected lightningfast to a network computer (or server) controlled by the American secret services."
Does GCHQ rely on NSA QI facilities, or can they run the attack on their own? The Intercept makes a weaker claim than the above about NSA direct involvement. Certainly, I believe NSA QI redirects traffic to NSA controlled servers, but I'd imagine when GCHQ is running the op they would prefer to redirect to their own servers.
Both GCHQ and NSA have separate QUANTUM rollouts, with slightly different capabilities. They can each more-or-less freely use the other (the NSA reaches GCHQ's directly over the gchq.nsa.ic.gov gateway, and there's a similar one on the other side).
