I have registry lock. I just asked my national domain registry to lock the domain. All that was needed was a strong proof of identity. (not just a photo of an ID, but doing a physical verification in person somewhere, like on the post office or sending a notarized letter) It was free.
But this is a national domain, where I have a high trust in the registry itself (registry manager makes the Turris router, btw, and some key software like knot dns server, etc), and that's also the reason why all my important stuff is linked to this domain.
It also depend on the type of registry. .se for example allow registrars to set registry lock automatically but not unlock. Unlocking is a manual process and there is contractual conditions that the registrar must have verified the identity of the customer who is requesting the unlock, and the registrar must also sign to that fact. So far no registrar has failed yet to do so, thus the legal ramification of failing this has yet to be tested.